Are your websites and apps compliant? A look at UK cookie consent regulation
July 1, 2020, by Yannig Roth
Indeed, a lot has changed in a year. The greatest impulse for this change was the General Data Protection Regulation (GDPR) coming into force. It has led to greater awareness of privacy, with the firm belief that being fairer, more transparent and more accountable to your users will increase their trust and confidence in you, for the benefit of all. So what are the ICO's recommendations, and how do you make sure you are compliant?
The role of a CMP such as Didomi is to ensure compliance at all times, and to provide you with customised support in order to retain your users and strengthen your relationship with them. Here’s what you need to know about cookies, legal recommendations, and the role of CMPs.
What are cookies, why and when is consent needed?
A cookie is a text file in which you can store information such as IDs and passwords, navigation history, or card numbers for payments. There are two types of cookies: first-party cookies, set by the host domain, and third-party cookies, set by other domains and partners. And there are three main categories of cookies: analytics, content personalisation, and targeted ads.
The ICO stresses that you must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user's consent before collecting information, whether through cookies or through other tracking technologies such as pixel trackers, fingerprints, SDKs, Local Storage Objects, "Like" buttons and other social sharing tools. In fact, consent must be collected for any storage of information on a user's device or equipment. The only exceptions are communication cookies and strictly necessary cookies.
So, what is 'consent', you may ask? It is the Privacy and Electronic Communications Regulations (PECR) that set the cookie rules, but many of their key concepts, such as the standard of consent, come from the GDPR. And according to the GDPR, "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". In addition, "it shall be as easy to withdraw as to give consent" (Art. 7.3).
In the light of these recommendations, browsers are becoming increasingly restrictive. Between July 2019 and January 2020, Firefox announced Enhanced Tracking Protection by default, Apple announced ITP 2.2 for Safari, and Chrome announced restrictions on cookies and tracking technologies, promising no more third-party cookies in Chrome by 2022. In this context, it is imperative for all programmatic advertisers to update and comply.
These are the main ICO guidelines for compliance
The updated ICO guidance is based on the basic information rights principles of fairness, transparency and accountability. Here are the main guidelines:
- Explicit consent: it is no longer possible to rely on implied consent; you need a clear and specific statement of consent.
- Positive opt-in for consent: don’t use pre-ticked boxes or any other method of default consent.
- Clear choice of settings: be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough. Banners must allow users to reject non-necessary cookies and similar technologies, to change their cookie preferences at any time, and to withdraw consent as easily as they gave it.
- Keep consent requests separate from other terms and conditions.
- Avoid making consent to processing a precondition of a service.
- Keep evidence of consent: who, when, how, and what you told people.
- Name any third-party controllers who will rely on the consent.
- Formal enforcement actions may be taken against non-compliant companies.
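The list above reads as policy, but most of it maps directly onto how a consent store on the page should behave. The following is an added example written for this article; it is not Didomi's SDK nor any ICO-provided code. It applies the points above to a small in-page consent store: no pre-ticked defaults, granular per-purpose decisions, withdrawal with the same one call as granting, an evidence record of who, when, how and what they were told, and the third-party controllers named per purpose. The purpose names, vendor names and method labels are constructed for the example.

```javascript
// Added example, not Didomi's SDK or any ICO-provided code: a minimal consent
// store for a web page that applies the ICO points above. Purpose names and
// partner names are constructed for the example.

// Non-essential purposes that need consent, and the partners relying on each one
// (the guidance asks you to name the third-party controllers relying on consent).
const PURPOSES = {
  analytics: ["analytics-vendor.example"],
  personalisation: ["personalisation-vendor.example"],
  targeted_ads: ["ad-exchange.example"],
};
// Exempt from consent: strictly necessary and communication cookies.
const STRICTLY_NECESSARY = new Set(["session", "csrf"]);

function createConsentStore({ userId, noticeVersion, now = () => new Date() }) {
  // Every purpose starts undecided (null): nothing is pre-ticked, and undecided
  // is treated exactly like refused when a tag asks whether it may run.
  const choices = Object.fromEntries(Object.keys(PURPOSES).map((p) => [p, null]));
  const evidence = []; // who, when, how, and what they were told

  function checkPurposes(purposes) {
    if (!Array.isArray(purposes) || purposes.length === 0) {
      throw new Error("a decision must name at least one purpose");
    }
    const unknown = purposes.filter((p) => !(p in PURPOSES));
    if (unknown.length) throw new Error(`unknown purpose(s): ${unknown.join(", ")}`);
  }

  function record(action, purposes, method) {
    evidence.push({
      who: userId,
      when: now().toISOString(),
      how: method,            // e.g. "banner_accept_button", "preferences_panel"
      what: noticeVersion,    // identifies the notice text shown to the user
      action,
      purposes: [...purposes],
      controllers: purposes.flatMap((p) => PURPOSES[p]),
    });
  }

  return {
    // Consent is only ever granted for purposes the user explicitly named.
    grant(purposes, method) {
      checkPurposes(purposes);
      for (const p of purposes) choices[p] = true;
      record("grant", purposes, method);
    },
    // Withdrawing is one call with the same granularity as granting.
    withdraw(purposes, method) {
      checkPurposes(purposes);
      for (const p of purposes) choices[p] = false;
      record("withdraw", purposes, method);
    },
    // "Reject all" is as easy to reach as "accept all".
    rejectAll(method) {
      const all = Object.keys(PURPOSES);
      for (const p of all) choices[p] = false;
      record("reject_all", all, method);
    },
    isAllowed(purpose) {
      if (STRICTLY_NECESSARY.has(purpose)) return true;
      return choices[purpose] === true;
    },
    evidence() {
      return evidence.map((e) => ({ ...e }));
    },
  };
}

// Gate a non-essential tag: the loader runs only once consent for its purpose
// exists. Returns whether it ran, so the caller can retry after a later grant.
function loadIfConsented(store, purpose, loader) {
  if (!store.isAllowed(purpose)) return false;
  loader();
  return true;
}
```

On a real page the loader would insert the vendor's script tag, and the evidence array would be persisted server-side so that the consent record survives the session; the store itself is what a tag manager or CMP SDK consults before firing any non-essential tag.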
Will the guidelines still be the same after Brexit?
Now that the UK has a Withdrawal Agreement with the EU, there will be a transition period until the end of 2020 to allow time to negotiate. During the transition period the GDPR will continue to apply in the UK and you won’t need to take any immediate action.
As the GDPR is an EU Regulation, in principle it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law, and the government intends to incorporate the GDPR into UK data protection law from the end of the transition period, so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR. In addition, the EU version of the GDPR may still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.
You can visit the ICO website page dedicated to the topic of data protection and Brexit, and we’ll keep you posted as soon as we know more.
How can Didomi help you become cookie-compliant?
Publishers may worry that compliance will lead to a loss of revenue, and both publishers and brands will be fearful of a drastic drop in consent. Indeed, there will probably be repercussions on consent rates (small or considerable, depending on your partners and the measures you put in place). All parties will be impacted, and everyone must prepare for a certain amount of change.
📺 WEBINAR REPLAY ▶️
Why would #cookie #consent rates drop?
Why does our CEO @Didomi_privacy say that high user opt-in rates may be a thing of the past?
The answer is in the full video 👇 https://t.co/fhneQCiYkV #adtech #monetization #adexchange pic.twitter.com/RUOeKkeLur
— Didomi (@Didomi_io) April 8, 2020
But don't worry: Didomi is here to help. Through specific tools such as A/B testing and bespoke CMPs, Didomi will make sure you know exactly what's happening on your website, allowing you to optimise consent collection and build trust with your consumers.
A/B testing, that is, finding the best "look and feel" for your banner to connect with your customers, will be essential. But there is one fundamental change that is positive: giving more choice, control and freedom to users is a great opportunity for you to build brand confidence. By building better communication channels, you build trust, and that can be used to your advantage, benefiting all parties.
The best way to be compliant and make the most of the GDPR and PECR is to implement a CMP which is both compliant and performant, such as Didomi's. It will provide you with the right legal and technological tools, and become the first point of contact with your customers.
At Didomi, we begin by performing an audit of your website, including an analysis of application and website compliance, partner detection, and identification of the cookies they drop and their lifespan. We will give you an accurate picture of what is happening on your website or application, and our customers are often surprised at what they discover (especially because of all the activity around third-party cookies).
The next step is to customise your CMP by choosing the right message and consent notice format, to ensure that the UI/UX is aligned with your brand image (colours, font, language, etc.). Then the CMP is deployed and integrated with the existing solutions in your tech stack (integration of the SDK into mobile web and apps, integration with your tag management solution, blocking of ad-hoc cookies and specific tags, except for TMS and TCF).
Finally, we follow up and optimise by performing regular audits to monitor cookie lifetimes and new partners, closely following consent rates and performing A/B tests to improve opt-in rates.
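The audit step above (which partners drop cookies, and for how long) is the part of the process most easily reproduced on your own. The following is an added example written for this article, not Didomi's audit tooling: it takes Set-Cookie headers observed while crawling a site, classifies each cookie as first-party or third-party by comparing its scope with the site's domain, and computes its lifespan from Max-Age or Expires. The site name, response origins and header values are constructed sample data, and the two-label registrable-domain rule is a simplification assumed for the example.

```javascript
// Added example, not Didomi's audit tooling: classify the cookies a page sets
// from observed Set-Cookie headers, by party and lifespan. The site, origins and
// headers below are constructed sample data.

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Simplified registrable domain: the last two labels. This is an assumption made
// for the example; production code should consult the Public Suffix List (co.uk etc.).
function registrableDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Lifespan in days from Max-Age (takes precedence) or Expires; 0 means a session cookie.
function lifespanDays(attributes, observedAt) {
  if (attributes["max-age"] !== undefined) return Number(attributes["max-age"]) / 86400;
  if (attributes.expires !== undefined) {
    return (Date.parse(attributes.expires) - observedAt.getTime()) / 86400000;
  }
  return 0;
}

// observations: [{ origin, header }], origin being the response that carried the header.
// Note: a cookie scoped to the site's own domain is "first-party" here even when a
// third-party script set it, which is why an audit also needs partner (script) detection.
function auditCookies(siteHost, observations, observedAt) {
  const site = registrableDomain(siteHost);
  return observations.map(({ origin, header }) => {
    const { name, attributes } = parseSetCookie(header);
    const setter = new URL(origin).hostname;
    // A Domain attribute widens the cookie's scope; without it the cookie is host-only.
    const scope = attributes.domain !== undefined ? String(attributes.domain) : setter;
    const days = lifespanDays(attributes, observedAt);
    return {
      name,
      setBy: setter,
      party: registrableDomain(scope) === site ? "first-party" : "third-party",
      lifespanDays: Math.round(days * 100) / 100,
      persistent: days > 0,
      secure: attributes.secure === true,
      sameSite: attributes.samesite !== undefined ? String(attributes.samesite) : "unspecified",
    };
  });
}

function summarize(results) {
  return {
    total: results.length,
    thirdParty: results.filter((r) => r.party === "third-party").length,
    persistent: results.filter((r) => r.persistent).length,
    longestLifespanDays: Math.max(0, ...results.map((r) => r.lifespanDays)),
  };
}

// Constructed sample: what a crawl of www.example.com might have recorded.
const SAMPLE_OBSERVATIONS = [
  { origin: "https://www.example.com/", header: "sid=8f2c; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { origin: "https://www.example.com/", header: "_an_id=GA1.2.1; Domain=.example.com; Max-Age=63072000; Path=/" },
  { origin: "https://ads.partner-example.net/pixel", header: "uid=7731; Domain=.partner-example.net; Max-Age=31536000; SameSite=None; Secure" },
  { origin: "https://cdn.example.com/", header: "pref=dark; Expires=Thu, 01 Jul 2021 00:00:00 GMT; Path=/" },
];

function runSampleAudit() {
  const observedAt = new Date("2020-07-01T00:00:00Z");
  return auditCookies("www.example.com", SAMPLE_OBSERVATIONS, observedAt);
}
```

Run against the constructed sample, the audit flags one third-party cookie (the ad partner's one-year identifier) and a two-year first-party analytics cookie; those two are the ones a consent notice has to cover, while the host-only session cookie falls under the strictly necessary exemption.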
Consent is now becoming a key indicator for companies. With a CMP, consent becomes an indication of user confidence in your business, which in turn leads to revenue. So put the odds in your favour and choose Didomi!