At Trilateral, we’ve been helping many Irish website operators bring their cookie processing into compliance with legal requirements ahead of the DPC’s October 2020 deadline. Furthermore, the compliance deadline recently announced by CNIL demonstrates that cookie compliance is being examined by regulators across Europe. This article examines the common challenges faced by website operators in implementing compliant solutions and explores opportunities to ensure ongoing compliance.
Competing goals between compliance and other business functions
There can be challenges between the goals of achieving compliance and other business goals such as those pursued by the marketing function, who rely on having information available to them to drive their decision-making in areas such as content strategy and campaign development. Marketing departments often express serious concerns about the new legal requirements since they may lose valuable data and insights. The good news is these concerns can be mitigated if the right solution is implemented.
While the Data Protection Commission’s Guidance notes that it is a requirement to seek the consent of individuals for processing such as analytics, the likelihood of users agreeing to this processing significantly increases if website operators:
- are transparent about it,
- choose analytics platforms that are privacy respecting, and
- do not share the data with third parties.
Communicating this clearly to website users, and giving them a straightforward way to express their preferences, will result in enough users opting into such processing that your marketing department can continue to make data-driven decisions.
Translating legal requirements into technical implementation
While web agencies are extremely competent at translating ideas into code, they are not legal or data protection experts. Furthermore, data protection functions within organisations often do not have enough technical expertise to assess software configurations. This bridge can be tricky to cross for both, when trying to realise the technical implementation of legal requirements such as compliant cookie processing.
Challenges such as determining exactly what type of processing comes into scope of the regulation, how to categorise that processing, how best to inform and give users control over it, all meet at this legal and technical intersection.
An organisation may have many websites and digital partners
An organisation may have more than one website in its portfolio and use multiple digital agencies to manage those web properties. This can make compliant cookie processing harder to achieve, because each web property is implemented differently, different tools have been chosen for consent management, and many external partners need to be engaged to address the compliance challenge. Communication is key in this scenario, and developing a consistent policy for the organisation’s digital agency partners to follow is an important governance tool for ensuring that cookie processing stays compliant over the longer term.
We have seen many instances of Consent Management Platforms that present users with choices to make, but which do not result in those choices being respected. Validating that a user’s choices are being respected (i.e., that the configuration the Consent Management Platform reports is actually reflected in the processing that occurs, for example that no analytics or marketing cookies are set, and no requests are made to the corresponding third parties, until the user has accepted that category) is as important as providing the choice in the first place; otherwise, the consent being gained is not valid.
To address these common challenges, we recommend the following:
- Involve all relevant stakeholders that have an interest in the organisation’s website when addressing cookie compliance;
- Ensure that you have access to expertise that understands how the legal requirements need to be translated into technical implementation;
- Validate that a user’s choices are being respected, not solely relying on what the Consent Management Platform tool is reporting;
- Develop a consistent policy for the organisation’s digital agency partners to follow, to ensure effective governance over cookie processing going forward.
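The validation point made above, and repeated in the recommendations, can be checked rather than taken on trust. The following is an added example (not Trilateral’s code, and not from any particular Consent Management Platform) that reconciles the cookies actually present in the browser against the consent state the CMP reports. The cookie inventory, the cookie names and the consent record are all assumptions constructed for the example; a real inventory comes from the site’s own cookie audit. The `SAMPLE_COOKIES` string is constructed to resemble what `document.cookie` might contain after a visitor has declined analytics and marketing.

```javascript
// Added example, not Trilateral's code: reconcile the cookies actually present in the
// browser with the consent state the CMP reports, so that a declined category that is
// still being written shows up as a violation.
//
// Hypothetical inventory mapping cookie-name patterns to consent categories.
// A real one comes from the site's own cookie audit.
const COOKIE_INVENTORY = [
  { pattern: /^(PHPSESSID|csrftoken)$/, category: "necessary" },
  { pattern: /^_ga(_[A-Z0-9]+)?$/,      category: "analytics" },
  { pattern: /^_gid$/,                  category: "analytics" },
  { pattern: /^_fbp$/,                  category: "marketing" },
];

// Parse a document.cookie-style string ("a=1; b=2") into {name, value} pairs.
// Only the first "=" separates name from value; later ones belong to the value.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1
        ? { name: pair, value: "" }
        : { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
    });
}

// Map a cookie name to its consent category; anything not in the inventory is "unknown",
// which is itself a finding: the CMP cannot be describing a cookie nobody has catalogued.
function classifyCookie(name) {
  const entry = COOKIE_INVENTORY.find((e) => e.pattern.test(name));
  return entry ? entry.category : "unknown";
}

// consent: the state the CMP reports, e.g. { analytics: false, marketing: true }.
// A category missing from the record is treated as not consented (privacy by default).
// Returns one entry per cookie that should not be present under that consent state.
function findConsentViolations(cookieString, consent) {
  const violations = [];
  for (const cookie of parseCookieString(cookieString)) {
    const category = classifyCookie(cookie.name);
    if (category === "necessary") continue;
    if (category === "unknown") {
      violations.push({ name: cookie.name, category, reason: "cookie not in inventory" });
    } else if (consent[category] !== true) {
      violations.push({ name: cookie.name, category, reason: `category "${category}" not consented` });
    }
  }
  return violations;
}

// Constructed sample: a document.cookie value on a page load where the visitor has
// declined analytics and marketing, and the consent record the CMP reports for them.
const SAMPLE_COOKIES = "PHPSESSID=8f3a; _ga=GA1.2.123; _ga_ABC123=GS1.1; _gid=GA1.2.456; _fbp=fb.1.1";
const SAMPLE_CONSENT = { analytics: false, marketing: false };

// Stand-alone run under Node; in a browser console call
// findConsentViolations(document.cookie, <consent object read from the CMP>) instead.
if (typeof require !== "undefined" && require.main === module) {
  for (const v of findConsentViolations(SAMPLE_COOKIES, SAMPLE_CONSENT)) {
    console.log(`VIOLATION ${v.name} [${v.category}]: ${v.reason}`);
  }
}
```

Two caveats a practitioner should keep in mind when running a check like this. `document.cookie` does not show HttpOnly cookies, cookies set on other domains, or third-party requests at all, and a tag can send a beacon to an analytics or advertising host without setting any cookie; so run the same reconciliation against the browser’s DevTools cookie store or a HAR export, and check outgoing requests to tag and analytics hosts as well. Repeat the check for each consent state the CMP can be in (no choice made yet, everything declined, each category accepted individually) and again after a reload, since a common failure is that the CMP records the choice correctly but the tags were already loaded before the choice was read.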
As we have observed with GDPR implementation, most organisations had not reached their compliance goals by the time the Regulation came into force, and many are still on that compliance journey. Likewise, with realising compliant cookie processing, a deadline set by the Irish DPC has come and gone, and there will be many that have yet to address this challenge. However, the potential legal ramifications are clear, and the DPC has signalled their intention to begin enforcement. Additionally, individuals are increasingly aware of when businesses they deal with are following best practice. This is without doubt an example where compliance can be turned into a competitive advantage.
Trilateral’s Data Governance and Cyber-Risk Team has extensive experience working with organisations and their digital partners to ensure that their cookie processing meets both legal requirements and best practice. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to facilitate compliant cookie processing. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.