May 25, 2020 marked the two-year anniversary of the GDPR. Since that date, politicians, regulators, and courts have continued to interpret how this law applies to specific digital advertising use cases. In a recent IAB webinar, I discussed the success of the GDPR so far, the latest developments in consent collection, and considered whether we can make any predictions for the future.
On October 20th, I spoke at an IAB webinar, "The Shifting Sands of EU Privacy Law", alongside Townsend Feehan (CEO, IAB Europe) and Daniel Sepulveda (Senior Vice President for Policy and Advocacy, MediaMath). We discussed the GDPR, its strengths and its downfalls, and commented on the latest developments in terms of consent. Catch the full replay here, or carry on reading for a summary of the main points discussed.
Why is the definition of consent still unclear at this stage in the EU?
First of all, why are we still talking about the definition of valid consent, over two years after the implementation of the GDPR?
The conundrum stems from the fact that there are two legal frameworks that coexist in Europe, the GDPR and the e-Privacy Directive. Both have their own definitions of and requirements for consent, and the two interpretations at times come into conflict, creating grey areas in the field of consent collection.
This is where the controversy stems from. As it currently stands, we have no replacement for the 2002 e-Privacy Directive, and, in the meantime, Data Protection Authorities (DPAs) are obliged to come up with solid frameworks themselves, in order for companies to handle cookie consent.
Has the GDPR been an overall success?
The fact that cookie consent is still unclear two years after the GDPR raises the question of whether this legislation has been an overall success. Earlier this year, we saw the European Commission publish a report summarising the effectiveness of the GDPR. They concluded that “the GDPR has been an overall success, meeting many of the expectations and, even if the variables for future improvement have also been identified, overall being successful in the goals it set out to accomplish.”
GDPR: A solid legal basis for data privacy
In my opinion, the GDPR has overall been a success, as it has opened up the debate on privacy, not only in Europe, but globally. It acts as a frame of reference for the privacy debate around personal data rights, benefiting European citizens and functioning as a solid legal basis.
Moreover, in the webinar, Daniel Sepulveda considered the GDPR a “political success”, as it has the support of the people. Townsend Feehan agreed on the benefits of the GDPR in raising both company and citizen awareness of personal data rights, and in moving towards DPA harmonisation.
GDPR: A practical failure?
However, we all agreed that there are a number of shortcomings, and the GDPR has not been adequately effective so far in its enforcement. There is still a lot of uncertainty weighing on the shoulders of large companies, and this is where improvement must be made.
In practical terms, the GDPR has not been hugely successful, as it has not made the changes to the market that were promised. For example, we were told it would hinder the market power of dominant platforms such as Google and Facebook, and it clearly has not.
One thing was made clear by all: we have a massive investment as an industry in making the GDPR work. Is your company involved in AdTech, or do you collect users’ personal data? We’d love to discuss how you could optimise consent collection whilst ensuring compliance.
2020 consent recommendations: what are the latest developments?
So, we’ve mentioned some of the benefits and shortcomings of the GDPR, now let’s take a look at some concrete examples of the 2020 developments in terms of consent collection. These examples highlight the complexities in implementing the GDPR, and the debates that continue around defining consent.
European Data Protection Board (EDPB) consent recommendations
In May, the first interesting event of 2020 happened in the world of consent. It came from the European Data Protection Board (EDPB), an organisation encompassing many European DPAs with the aim of establishing guidelines for GDPR interpretation.
Notably, these recommendations stated that “swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action”. They concluded that scrolling does not equate to a clear positive action on the part of the user, and that, when scrolling equals consent, it is too difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it, as the GDPR requires.
This set a marker for tougher definitions of clear positive action, showing the complexities involved in defining what constitutes clear consent, and requiring many companies to change their consent collection infrastructure.
Planet 49 Judgement
Then, in late May, the European Justice Court issued a formal ruling, respecting both the GDPR and the e-Privacy Directive, which stated that “consent [...] is not validly constituted if the storage of information, or access to information already stored in the website user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his or her consent.” This was another fundamental message sent to the market, again prioritising the importance of a clear positive action from the user to signify consent.
To find out more, check out our article How the Planet 49 ruling improves the Transparency & Consent Framework.
These examples highlight the intricacies involved in implementing GDPR legislation, and the grey areas that needed to be addressed.
The CNIL Cookie Wall debate
Finally, the CNIL vs Conseil d’État cookie wall judgement clearly shows the complexities involved in the interplay between GDPR legislation and local DPA recommendations. A cookie wall means that the user cannot access all content unless they have consented: the alternative to consent is to leave the website. This has been ruled out by the EDPB, and by basically every DPA, including the CNIL (the French DPA), which, in its 2020 recommendations, forbids the use of such cookie walls. The lines are more blurred when the alternative to consent is to pay (or to register on the website).
On this topic, the French Conseil d’État (the highest legislative body in France) established that the CNIL cannot decide what is compliant or not. It can only apply sanctions according to what is explicitly mentioned by the GDPR.
These are just three examples of changing cookie consent recommendations in 2020 alone, highlighting the difficulties in granularity as to what the law actually means, and the numerous intricacies involved in the application of GDPR legislation.
In my opinion, there are still many uncertainties, and case law is still weak, so these kinds of debates will continue to occur. However, as time passes, the definition of consent collection is becoming clearer, and this is the positive signal we can take out of 2020 with respect to privacy in the EU.
How can Didomi help?
At Didomi, we believe in the power of information: we are convinced that users who are well informed make the right choices. This is why we create bespoke CMPs that inform users and allow for clear positive actions of consent, taking into consideration GDPR and DPC guidelines.
Debates around digital consent will continue, but the Didomi SDK is flexible and adaptable, and we take the steps necessary to ensure that companies can become compliant with legislation, whilst also continuing to optimise consent collection and build user trust.
Schedule a demo with us today to find out how we can help your business.