

Looking back at our PrivSec panel: Respecting legislation and promoting data ethics

May 29, 2020 by Romain Gauthier

The ePrivacy regulation is not yet in place, but cookies and other tracking mechanisms are under scrutiny by Data Protection Authorities (DPAs). It is imperative that organizations understand the implications of cookies and respect consent, paying particular attention to how they collect, store and deploy personal data through their web trackers. I was recently invited by the Data Protection World Forum (DPWF) to participate in a panel of experts to discuss the value publishers can derive from consent and privacy. I had the pleasure of speaking with Catherine Armitage (World Federation of Advertisers), Laurie-Anne Bourdain (Isabel Group) and Andrew Sharp (Securys Limited).

Let’s review the key points of our “Last Thursday in Privacy” debate organised by PrivSec on May 28, 2020, of which you can see a full recording below:

What is Consent?

What do we mean by consent? The GDPR is becoming the standard and all-encompassing reference for European countries, defining consent in Article 4(11) as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Our job as a CMP is to ensure all three levels of consent are properly accounted for:

  • consent collection: a choice for users to accept (or refuse) the use of cookies & trackers
  • consent storage: to keep a legal proof of consent and to better understand user behaviour thanks to analytics
  • consent distribution: making sure publishers transfer consent signals correctly to their vendors. CMPs correctly integrate with vendors by deploying standards to transfer these signals. 

This third point is the most difficult to implement. There are ways to systematically audit your website to understand the relationship between cookies and vendors. However, a large company may run an audit on day one, but if a team brings in a new marketing partner the next day, they will bring in ten new vendors, who, in turn, each bring in ten more. Consequently, the company will no longer be compliant on day two. 

Nonetheless, regular audits are useful, as they reveal who is dropping cookies, and at what rate. They are a great tool for implementing “privacy by design” and leaving a trail. 

Privacy legislation is getting harmonised across Europe

Each country has its own data protection authorities and guidelines, which makes it particularly difficult to be compliant everywhere, all the time. Should companies try to comply with each country’s legislation separately, or apply the strictest possible set of rules for everyone?

I have followed ePrivacy regulation since the very beginning, with all its ups and downs and many surprises. The good news is that I see a consensus emerging around cookie consent in leading EU countries (with the exception of Spain – so far their DPA has defended scrolling as constituting valid consent, although this position seems to be evolving). I believe that, despite apparent fragmentation, there is more harmonisation, and it is easier for EU companies to interpret the law now than it was just six months ago. 

We look forward to the new e-Privacy regulation, but, in the meantime, our role as a CMP is to help clients comply with their local realities, and make things as simple as possible for them. 

Ethical consent management must be a priority 

Legislation aside, the panel all agreed that ethical consent management is a number one priority. The real debate is not about compliance, but building trust – trust with consumers, and with all other members of the chain. Good consent management empowers the consumer: it tells them what is being done with their data and why, creates choice, and allows for a change of mind.

It was noted that cookie banners remain complex, which leads to consumers experiencing “cookie fatigue”. The best practice would be to offer three options: “Accept all”, “Deny all”, “Configure”. But what we mainly see today is “Accept all” and “Configure”. This opacity is pushed by marketing teams who need consent for statistics and analytics, thus this becomes a business issue.

Should I offer the option to refuse on the first page?

How should I layer the information?

How in depth must this information be?

My response would be to prioritise easy user experience: if you can, why wouldn’t you? 

Publishers should think about how and when they display cookie consent. The tendency is to immediately collect consent for every cookie, even before the user lands on your website. As a professional, I don’t find this intuitive. As a user, it bothers me. So, from a technological standpoint, I’d like to see some progress here. But, consent is now effective, and that’s a massive plus for users and companies, as it brings more security to the whole system.

Brands should try to improve consent management experience 

Importantly, being ethical isn’t just about “doing the right thing”, it is also an opportunity to build trust with customers and develop brand experience.

The cookie banner is the first thing a user sees on your website, so you should think carefully about presentation and overall UX. It is not one size fits all, and this is why I don’t believe in putting cookie consent in a generic browser. I hope brands will combine UX and UI learnings with consent workflow, and I expect increasing innovation in the coming months, as consent will have to be asked for, alongside the ability to say “no”.

Brands will simply have to be more creative, and understand privacy as a powerful customer relationship tool, not just an element of compliance. Think of Apple. They are the most valuable brand in the world, and privacy is their number 1 selling point at the moment. This is not a coincidence. Privacy isn’t just a legal issue, it is a brand issue.

However, depending on who you are, cookies can have a big impact on your business. If you are an e-commerce merchant and your acquisition depends 50% on retargeting, then there is a clear link between dropping cookies and selling products. Likewise, if you are a media outlet, your monetisation almost entirely depends on personalised advertising, which carries around twice as much value as non-personalised advertising.

Didomi is here to accompany all types of brands and publishers, linking consent to brand preference.

Romain Gauthier, CEO
