We recently shared Notes from IAB Ireland on the DPC Report on Cookies and other tracking technologies. We are very pleased to now share the views of our member and guest blogger, Matthias Matthiessen, Senior Privacy Counsel, Quantcast on the recent guidance from the DPC.
The Data Protection Commission (DPC) is the latest European data protection authority to publish updated guidance on complying with the ePrivacy Directive. The upshot: Ireland’s approach is fair and sensible. Unlike guidance from other European regulators, the DPC’s guidance lays out legal requirements as they are without additions not supported in law.
To accompany its new guidance, the DPC also published a report summarising an audit of websites of Irish advertisers and publishers conducted at the end of last year. The report suggests that Irish businesses largely fall short of legal requirements. That is not a good showing for publishers and advertisers, considering that the Irish ePrivacy Regulations are nearly a decade old, and that the General Data Protection Regulation (GDPR), which has slightly changed how the Irish ePrivacy Regulations must be applied, was adopted into law four years ago. While our industry is a heavy tanker that is slow to turn, businesses have had plenty of time now, and regulators expect businesses to finally implement compliant solutions if they have not already done so.
The DPC’s guidance and report should be understood as a heads-up and a fair warning: thanks to the guidance, businesses now have a clear understanding of the DPC’s expectations. In addition, the DPC has gained important experience in conducting website audits that will allow it to detect non-compliance effectively, which could lead to enforcement action in the future. The report will also serve as a benchmark for how well businesses have responded to the new guidance.
So what should you do?
- Provide your users with clear and concise information about how you and your partners use tags, cookies, device identifiers and other forms of device storage and access, and how personal data is processed. Remember that for consent to be informed under the GDPR, users must, at a minimum, know who is processing their data and why.
- Ask users to signify their consent through an unambiguous affirmative action. You cannot assume or imply consent. If you are asking for consent for more than one purpose, make sure users can signify their consent for each purpose separately. Keep a record of what users were told and what they did to consent.
- Give users a way to withdraw their consent that is as easy as the way they gave it. Do not confuse withdrawing consent with refusing consent; refusing need not be as easy as giving it. You have to make it possible for users to reverse their decision, for example with an easily accessible link or button on your website, placed where the user would expect to find it.
- Make sure that tags, cookies and device identifiers used for analytics, advertising and other purposes that require consent are not set or read before users have given their consent, nor after users have withdrawn it.
The best way to do the above is to combine a signals-based approach with a tag-management approach to transparency and consent management. Each approach has strengths and weaknesses; in combination they solve most issues.
- Implement a transparency and consent management platform that meets the requirements of the IAB Europe Transparency and Consent Framework v2.0. In doing so you can be sure to meet transparency requirements for yourself and for partners who participate in the framework. Only partners whose purposes are not covered by the framework should be allowed not to participate. The framework also lets users give consent on a purpose-by-purpose basis, and it creates signals that tell participating vendors whether, and for which purposes, they may use tags, cookies, device identifiers and so on.
- Implement a tag management system that blocks all tags, cookies and device identifiers used for purposes that are not exempt from the consent requirement until the user has granted consent. This reasonably covers partners who do not participate in the Transparency and Consent Framework, and acts as a fail-safe for situations in which partners are unable to act on the framework’s signals.
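The two layers above fit together as follows. The framework side is the CMP publishing the TC signal through the standard TCF v2.0 `__tcfapi` browser API; the tag-management side is a gate that fires a partner's tag only when that signal shows consent for every purpose the tag needs and for the partner itself, fails closed when no decided signal is present, and reacts to a later withdrawal. The code below is an added illustration written for this page, not code from the original post and not Quantcast or IAB software. The tag ids, vendor ids, script URLs, cookie names and the sample TCData objects are constructed for the example; the `mayFire`, `TagGate`, `installTagGate` and `runDemo` names are the example's own.

```javascript
// Added example: gating tags on IAB TCF v2.0 consent signals with a
// tag-manager fail-safe. Not from the original post; all ids, URLs, cookie
// names and TCData samples are constructed for illustration.

// TCF v2 purpose ids used here: 1 store/access information on a device,
// 2 basic ads, 4 personalised ads, 8 measure content performance,
// 9 market research / audience insights. A tag with no purposes is treated
// as exempt from consent (strictly necessary) and always fires. A vendorId
// of null means a partner that is not in the framework's vendor list: it is
// gated on purposes only, which is exactly the fail-safe role of the tag manager.
const TAGS = [
  { id: 'analytics-partner',  vendorId: 101,  purposes: [1, 8, 9], src: 'https://analytics.example/tag.js', cookies: ['_an_id'] },
  { id: 'ads-partner',        vendorId: 202,  purposes: [1, 2, 4], src: 'https://ads.example/tag.js',       cookies: ['_ad_id'] },
  { id: 'strictly-necessary', vendorId: null, purposes: [],        src: 'https://cdn.example/fraud-check.js', cookies: [] },
];

// Decide whether one tag may run under a TCData object (the object a CMP
// passes to __tcfapi callbacks). Fails closed: no signal, or a CMP still
// showing its UI, means nothing that needs consent fires.
function mayFire(tcData, tag) {
  if (tag.purposes.length === 0) return true;                 // exempt purpose
  if (!tcData) return false;                                  // no signal yet
  const decided = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!decided) return false;                                 // e.g. 'cmpuishown'
  const purposeConsents = (tcData.purpose && tcData.purpose.consents) || {};
  if (!tag.purposes.every((p) => purposeConsents[p] === true)) return false;
  if (tag.vendorId !== null) {                                // framework participant
    const vendorConsents = (tcData.vendor && tcData.vendor.consents) || {};
    if (vendorConsents[tag.vendorId] !== true) return false;
  }
  return true;
}

// Tracks which tags have fired. apply() returns what the tag manager must do:
// fire (first time consent covers the tag), revoke (consent withdrawn after the
// tag fired) or blocked (not allowed and never fired).
class TagGate {
  constructor(tags) { this.tags = tags; this.fired = new Set(); }
  apply(tcData) {
    const result = { fire: [], revoke: [], blocked: [] };
    for (const tag of this.tags) {
      const allowed = mayFire(tcData, tag);
      const fired = this.fired.has(tag.id);
      if (allowed && !fired)       { this.fired.add(tag.id);    result.fire.push(tag.id); }
      else if (!allowed && fired)  { this.fired.delete(tag.id); result.revoke.push(tag.id); }
      else if (!allowed)           { result.blocked.push(tag.id); }
    }
    return result;
  }
}

// Browser wiring. The CMP calls the listener on every change, including a
// later withdrawal, so one listener covers both the initial gate and revocation.
function installTagGate(tags, doc) {
  const gate = new TagGate(tags);
  if (typeof window === 'undefined' || typeof window.__tcfapi !== 'function') return gate;
  window.__tcfapi('addEventListener', 2, (tcData, success) => {
    const actions = gate.apply(success ? tcData : null);
    for (const id of actions.fire) {
      const tag = tags.find((t) => t.id === id);
      const s = doc.createElement('script'); s.src = tag.src; s.async = true;
      doc.head.appendChild(s);
    }
    for (const id of actions.revoke) {
      // A loaded script cannot be unloaded. Expire the first-party cookies it
      // set and leave it blocked on later page views; third-party cookies can
      // only be cleared by the partner, which is why it must honour the signal too.
      const tag = tags.find((t) => t.id === id);
      for (const name of tag.cookies) doc.cookie = `${name}=; Max-Age=0; path=/`;
    }
  });
  return gate;
}

// Constructed TCData samples: page load before a decision, full consent,
// then withdrawal of the advertising purposes and of vendor 202.
const TC_UI_SHOWN  = { eventStatus: 'cmpuishown', gdprApplies: true, purpose: { consents: {} }, vendor: { consents: {} } };
const TC_CONSENTED = { eventStatus: 'useractioncomplete', gdprApplies: true,
  purpose: { consents: { 1: true, 2: true, 4: true, 8: true, 9: true } },
  vendor:  { consents: { 101: true, 202: true } } };
const TC_WITHDRAWN = { eventStatus: 'useractioncomplete', gdprApplies: true,
  purpose: { consents: { 1: true, 8: true, 9: true } },
  vendor:  { consents: { 101: true, 202: false } } };

// Runs the gate through the sequence above and returns the four action sets.
function runDemo() {
  const gate = new TagGate(TAGS);
  return [gate.apply(null), gate.apply(TC_UI_SHOWN), gate.apply(TC_CONSENTED), gate.apply(TC_WITHDRAWN)];
}
```

In `runDemo` only the exempt tag fires before a decision, both consent-requiring tags stay blocked while the CMP UI is shown, both fire once consent is recorded, and the withdrawal revokes the advertising tag while analytics, whose purposes and vendor are still consented, keeps running. The gate deliberately treats a missing or undecided signal as "no", which is the fail-safe behaviour the tag-management layer is meant to provide when a partner cannot act on the framework's signals.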
The DPC is making reasonable demands of businesses to meet requirements intended to protect people’s fundamental rights to privacy and data protection. Advertisers, publishers and technology companies should in turn take reasonable steps to meet them, relying on a decade of privacy professionals’ experience in these matters and on new standards and software designed to help them do the right thing.