Focus across the European Union is shifting towards cookies, with particular attention being paid to third-party cookies. The shift began as early as 2019, when the Court of Justice of the European Union delivered its judgment in the Planet49 case. The court held that entities must seek express consent from users prior to placing any kind of cookies (i.e. first- and third-party cookies). Subsequently, in 2020, Google announced that it would phase out its use of third-party cookies in the popular Google Chrome web browser. Google’s announcement was triggered by competitors such as Apple’s Safari and Mozilla’s Firefox browsers adopting similar approaches to phasing out third-party cookies.
Following these developments, regulators across the European Union issued cookie guidance documents calling on entities to ensure deeper compliance with cookie laws. This guidance was backed by the regulators’ willingness to impose fines as high as 746 million euro, as in the Amazon case on 16 July 2021.
The above judgment was supplemented by the French authority issuing additional guidance dedicated to alternatives to third-party cookies and the corresponding compliance requirements. It is therefore apparent that public and private entities are looking for viable alternatives to third-party cookies, and that the regulators’ approach has crystallised their intent to impose fines and enforce the cookie law. This article will therefore explain what third-party cookies are, examine the respective compliance requirements and suggest steps to achieve a higher degree of compliance with those requirements and the relevant guidance.
Two significant kinds of cookies can be found on websites: first-party and third-party cookies. First-party cookies are placed on the website by the controlling entity itself. Such cookies may be used to collect data needed for the proper functioning of the website or to track user behaviour for advertising purposes.
Third-party cookies are placed by other entities on the controller’s website that the user visits. These cookies are managed by a third entity, separate from the entity controlling the website, and gather information that allows the third entity to ascertain which pages of the website in question were visited and to collect data for advertising purposes. Typical means of including third-party cookies are the Facebook “Like” button and the WhatsApp “Share” button on a popular e-commerce platform.
Third-party cookies make it possible to track users as they browse various websites and can collect information such as age, location or consumption patterns. Other methods used to track user behaviour are also in scope of the relevant regulations, such as browser fingerprinting, pixel tracking and technology embedded in mobile apps that achieves the same purpose.
For several entities, the use of third-party cookies forms a core part of their marketing analytics and/or revenue generation mechanisms. Cookies, and more specifically third-party cookies, often help entities better understand their users or generate revenue through advertisements. As stated earlier, with the end of third-party cookies in sight, it is essential to look for alternatives that are more compliant with existing guidance.
As the gateways to the web (i.e. web browsers) restrict third-party cookies, the need to adopt an alternative approach becomes apparent. An alternative to third-party cookies will help website controllers confront the restrictions imposed by web browsers and optimise their ability to collect valuable data in a judicious manner. Website controllers should therefore consider investing in the following alternatives to third-party cookies:
- Device fingerprinting: This is a practice through which a user is distinguished by the technical characteristics of the browser they are using. This information is detailed and includes data such as the screen size and the operating system used.
- Single Sign-On: This practice requires the user to sign in with a common account across platforms, such as a Gmail or Facebook account. This enables the user’s activities to be connected to one account, allowing the group of entities to have a high-level view of the user’s browsing patterns.
- Unique Identifiers: This is the practice of identifying users through the unique IDs assigned to their devices. It is often combined with device fingerprinting to maximise its potential.
- Cohort Targeting: This is a popular alternative developed separately by Apple and Google. It groups users with similar interests and behaviours under a unique identifier shared by all users within the group, so that the aggregated result is valid for the entire group (cohort) without accessing individual personal data.
Statutory obligations for both first-party and third-party cookies remain the same. In addition, the guidance issued by the French regulatory authority clarifies that the same compliance obligations apply to the third-party cookie alternatives listed above. Specifically, website controllers in the EU must consider the E-Privacy Regulations (S.I. No. 336/2011) and the General Data Protection Regulation (GDPR) 2018. Entities located in the United Kingdom must consider their obligations under Regulation 6 of the Privacy and Electronic Communications Regulations (PECR) 2003.
Regulation 5(3) of the E-Privacy Regulations stipulates that tracking technologies may be used only subject to:
- Receiving the user’s explicit consent before placing cookies;
- Ensuring that consent is based on clear and comprehensive information about the purpose of the processing.
Users must also, in essence, have the right not to be subjected to tracking that is unnecessary for the requested service. Further, users must be able to express their agreement, or refusal, to such tracking through simple means.
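As an added example (not code from the original article or from Trilateral), the following Python helper applies the first-party/third-party distinction and the prior-consent requirement described above to cookies captured during a page load, as an auditor might when checking a site; the observation format, the essential-cookie allow-list, the simplified registrable-domain rule and the sample cookies are all constructed assumptions.

```python
# Added audit helper (not from the article): classify observed cookies as
# first- or third-party and flag non-essential ones set before consent.
# Assumption: observations are (host_that_set_cookie, set_cookie_header,
# set_before_consent) tuples exported from a crawler or browser devtools.
from http.cookies import SimpleCookie

# Constructed allow-list of cookies a site deems strictly necessary.
ESSENTIAL = {"session_id", "csrf_token", "cookie_consent"}


def registrable_domain(host: str) -> str:
    # Simplification: take the last two labels. A real audit should use the
    # Public Suffix List so that e.g. "example.co.uk" is handled correctly.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(site_host, setting_host, set_cookie_header):
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    results = []
    for name, morsel in cookie.items():
        # Without a Domain attribute a cookie is scoped to the host that set it.
        domain = (morsel["domain"] or setting_host).lstrip(".")
        same_site = registrable_domain(domain) == registrable_domain(site_host)
        results.append({"name": name, "domain": domain,
                        "party": "first" if same_site else "third"})
    return results


def audit(site_host, observations):
    findings = []
    for setting_host, header, before_consent in observations:
        for c in classify(site_host, setting_host, header):
            c["essential"] = c["name"] in ESSENTIAL
            # Non-essential cookies placed before consent breach the
            # prior-consent requirement, whoever set them.
            c["pre_consent_violation"] = bool(before_consent and not c["essential"])
            findings.append(c)
    return findings


# Constructed sample capture for a fictional shop, before and after consent.
SAMPLE = [
    ("shop.example.com", "session_id=abc123; Path=/; Secure; HttpOnly", True),
    ("shop.example.com", "_ga=GA1.2.111; Domain=.example.com; Path=/", True),
    ("cdn.socialnet.example", "fr=xyz; Domain=.socialnet.example; Path=/; Secure", True),
    ("shop.example.com", "prefs=dark; Path=/", False),
]

if __name__ == "__main__":
    for f in audit("shop.example.com", SAMPLE):
        print(f)
```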
Steps to implement:
Due to the evolving nature of cookies and tracking technologies, it is essential for stakeholders, i.e. website controllers, processors and developers, to maintain a heightened state of vigilance. This includes documenting privacy and cookie policies, carrying out regular audits of them and ensuring their implementation, in line with the accountability and transparency obligations under the GDPR.
Trilateral’s Data Governance and Cyber Risk Team have data protection specialists with extensive expertise and experience in implementing and monitoring cookie compliance to meet legislative requirements. Trilateral Research has also created a dedicated cookie compliance guide to help increase cookie compliance. Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs.