Opinion

If Google Cares About Cookie Consent, So Should You

By Phil Lee, CIPP/E, CIPM

Over the weekend, Google made a subtle—but significant—modification to its online search service in the EU: Nearly two years after Europe's deadline for EU member states to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you're a visitor from the U.S., you may have missed it; the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google's consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that "By using our services, you agree to our use of cookies," the banner provides a "Learn more" link that visitors can click on to watch a video about Google's cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook's recent announcement it will deploy the AdChoices icon—another implied consent solution for targeted adverts—on ads served through its FBX exchange, the implications become huge for the following reasons.

  • CPOs will find selling cookie consent adoption much easier now.

Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators, there's been no "real" enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost/benefit analysis and chosen inaction over compliance. But when two of the Internet's most heavily scrutinised businesses actively engage with cookie consent, they clearly think it's an issue worth caring about—and that means it's an issue YOU need to care about too. The "Google does it" argument is a powerful tool to persuade the business it needs to rethink its strategy and adopt a cookie consent solution.

  • Regulatory enforcement just got easier.

Rightly or wrongly, a perceived challenge for regulators wanting to enforce noncompliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry, "What about them?"—immediately presenting regulators with a challenge: Do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it's not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

  • Implied consent IS the accepted market standard.

When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent popup windows every time we logged online. Whizz forward a few years, and thankfully this hasn't happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we've seen member states and—perhaps more importantly—the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lend significant credibility to implied consent, and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

Note from the Editor:

Two of Lee's Field Fisher Waterhouse (FFW) collegues will be speakers at next week's IAPP Europe Data Protection Intensive in London, UK. FFW Partner and Head of the Privacy and Information Law Group Eduardo Ustaran, CIPP/E, together with Ireland Data Protection Commissioner Billy Hawkes, will be part of the breakout session Profiling: Maximising the Value of Data at the Expense of Freedom? And FFW Partner Stewart Room, CIPP/E, will be a speaker in the breakout session How Scared Should You Really Be? The Truth about Enforcement Actions

More from Phil Lee

About the Author

Phil Lee is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP, and runs the Palo Alto office of Field Fisher Waterhouse (California) LLP. Lee has particular specialisms in behavioral profiling and cookie regulation, e-marketing and international data transfer strategies (including binding corporate rules). He has worked on numerous multi-jurisdictional data privacy projects across more than 80 countries. 

Lee holds an M.A. in computer science from Cambridge University and a postgraduate diploma in intellectual property from Bristol University. He is a frequent contributor to FFW's Privacy and Information Law blog and is also a contributing author to the IAPP's European Privacy: Law and Practice for Data Protection Professionals and Wolter Kluwers' Global Privacy & Security Laws. Lee is a former committee member of the Society for Computer and Law's Privacy & Data Protection Group.

He can be contacted at phil.lee@ffw.com.

See all posts by Phil Lee

Comments

  • April 16, 2013
    Brock Rutter
    replied:

    After all that fuss about the “stupid cookie law” Google made it look so easy. I’m sure one could still get a laugh out of finding the old “EU stupid cookie law” video on YouTube.
    But did authorities anywhere other than the UK and Ireland ever announce that implied consent would be acceptable, or is Google trying to get out in front of this issue?

  • April 19, 2013
    Google is a bit more of implied consent
    replied:

    But not privacy by default yet. A few more months to come.

To post your comment, please enter the word you see in the image below:

To post your comment, please enter the word you see in the image below:

Get your free study guide now!
Get your free study guide now!