If Google Cares About Cookie Consent, So Should You
Over the weekend, Google made a subtle—but significant—modification to its online search service in the EU: Nearly two years after Europe's deadline for EU member states to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.
This development alone would be significant. But taken together with Facebook's recent announcement it will deploy the AdChoices icon—another implied consent solution for targeted adverts—on ads served through its FBX exchange, the implications become huge for the following reasons.
- CPOs will find selling cookie consent adoption much easier now.
Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators, there's been no "real" enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost/benefit analysis and chosen inaction over compliance. But when two of the Internet's most heavily scrutinised businesses actively engage with cookie consent, they clearly think it's an issue worth caring about—and that means it's an issue YOU need to care about too. The "Google does it" argument is a powerful tool to persuade the business it needs to rethink its strategy and adopt a cookie consent solution.
- Regulatory enforcement just got easier.
Rightly or wrongly, a perceived challenge for regulators wanting to enforce noncompliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry, "What about them?"—immediately presenting regulators with a challenge: Do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it's not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.
- Implied consent IS the accepted market standard.
When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent popup windows every time we logged online. Whizz forward a few years, and thankfully this hasn't happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we've seen member states and—perhaps more importantly—the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lend significant credibility to implied consent, and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.
Note from the Editor:
Two of Lee's Field Fisher Waterhouse (FFW) collegues will be speakers at next week's IAPP Europe Data Protection Intensive in London, UK. FFW Partner and Head of the Privacy and Information Law Group Eduardo Ustaran, CIPP/E, together with Ireland Data Protection Commissioner Billy Hawkes, will be part of the breakout session Profiling: Maximising the Value of Data at the Expense of Freedom? And FFW Partner Stewart Room, CIPP/E, will be a speaker in the breakout session How Scared Should You Really Be? The Truth about Enforcement Actions.
About the Author
Phil Lee is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP, and runs the Palo Alto office of Field Fisher Waterhouse (California) LLP. Lee has particular specialisms in behavioral profiling and cookie regulation, e-marketing and international data transfer strategies (including binding corporate rules). He has worked on numerous multi-jurisdictional data privacy projects across more than 80 countries.
Lee holds an M.A. in computer science from Cambridge University and a postgraduate diploma in intellectual property from Bristol University. He is a frequent contributor to FFW's Privacy and Information Law blog and is also a contributing author to the IAPP's European Privacy: Law and Practice for Data Protection Professionals and Wolter Kluwers' Global Privacy & Security Laws. Lee is a former committee member of the Society for Computer and Law's Privacy & Data Protection Group.
He can be contacted at email@example.com.