
European Commission proposal will kill third-party cookies


The third-party cookie – the lifeblood of online advertising – may be about to die. PageFair’s Dr Johnny Ryan outlines the impacts this will have for media and advertising. Brace yourself.

A proposal this month from the European Commission to reform the ePrivacy Directive (ePD) requires mandatory privacy options and educates users to distinguish between first and third-parties in a way that will make third-party cookies extinct.

The Commission’s proposal also applies beyond cookies. The proposed reform of the ePD will further add to the disruption that Europe’s new regulatory regime for privacy – the GDPR – will wreak upon the media and advertising landscape when it applies in May 2018.

There is a caveat: the proposal is subject to negotiation between the Commission, the European Parliament, and the Council of Ministers. Its text may change before it becomes a regulation across the European Union.

Mandatory and binding privacy settings

Web browsers (and similar software) will be required to prompt users with a menu of privacy options when they are installed for the first time. The menu options will range from an extreme ban on all cookies to acceptance of all cookies, and will include intermediate options such as “reject third-party cookies” or “only accept first-party cookies”.

This is mandatory – a user must select one option from the menu in order to continue with the installation. And unlike previous initiatives such as the Do Not Track standard, the Commission says that a user’s privacy menu choice will be “binding on, and enforceable against, any third-parties”.

This does not apply only to newly installed software, but also to browsers already in operation before the new rules are introduced. (These must be updated to comply no later than 25 August 2018).

In other words, at a point in 2018 there will be no browser installed in Europe that does not have legally binding privacy settings that have been selected by a user.

Users will distinguish between first- and third-parties

The Commission had previously considered forcing web browser vendors to reject all third-party cookies by default, and giving users the ability to opt in to third-party cookies if they wished.

The approach adopted in its final proposal appears less severe than this privacy-by-default approach, but will probably have the same consequence. The mandatory menu will educate users in a way that will cause a widespread rejection of third-party cookies.

There are several measures in the proposal that will cause users to distinguish between first- and third-party tracking.

First, web browsers will be required to present the privacy settings options to users in a manner that educates them about “the compilation of long-term records of individuals browsing histories and the use of such records to send targeted advertising”.

Few users could be expected to willingly opt in to this. The inclination to say no will be compounded by users’ dawning awareness of the data collected about them, the uses to which these data are put, and the extent to which these data are breached, that will result from transparency requirements in the General Data Protection Regulation.

Second, the Commission Proposal requires web browsers to present the higher privacy settings in a manner that does not dissuade users from selecting them.

Third, users who select lower privacy settings at first installation of a web browser will have controls to allow them to apply privacy controls on specific websites if they wish, so there could be a gradual fall off.

Finally, the proposal requires that users who have consented to their data being processed are reminded every six months that they can withdraw their consent any time.

Beyond cookies

The proposal encompasses tracking measures beyond cookies. The Commission regards people’s devices, and data flows to and from those devices, as part of the private sphere.

As a result, users’ prior consent is required for tracking cookies, hidden identifiers, and “other similar unwanted tracking tools that can enter end-user’s terminal without their knowledge in order to gain access to information, to store hidden information and to trace the activities of the user or to instigate certain technical operations or tasks…”.

Remote collection of data in order to identify and track users, such as device fingerprinting, is explicitly included among the proposal’s prohibitions.

Where and how this applies, litigation and penalties

Once negotiated between the European Commission, the European Parliament, and the European Council, the overhaul of the ePrivacy Directive will be directly transposed into the national laws of every nation in the EU.

The EU is the world’s largest single market. It will impact much of the martech and adtech sector because businesses outside the EU that provide service to users in the EU will have to have a representative in the EU who will be addressable by supervisory authorities.

However, beyond the EU the ePD may have less impact than the GDPR. Its territorial scope covers communications within the EU and services to end-users in the EU irrespective of where the processing occurs in the world.

The range of fines for infringements is similar to the GDPR. For example, failure to comply with an order from a supervisory authority will be subject to a fine of up to 20 million or 4% of global turnover.

There is also reason to anticipate litigation. As with the GDPR, end users can both complain to the regulator and seek redress in court against an infringement, and users have a right to receive compensation for damage.

Users can also take the regulator to court if unhappy with their action or inaction. Users can also mandate privacy organisations to lodge a complaint and to seek redress in court on their behalf (and Member States may decide that bodies can do so without users mandating it).

Any other party that is adversely affected by infringements can bring legal proceedings.

In short, the proposed ePD has teeth.

Timeline: what happens next?

– Negotiation between Commission, Parliament and Council for an unknown duration. The Commission proposes that negotiations will be rapid, and that the ePD will apply on the same date as the GDPR on 25 May 2018.

– Browsers installed prior to 25 May 2018 will have to require users to choose a privacy setting by 25 August 2018.

– By 1 January 2018 the Commission will establish a monitoring programme to review the effectiveness of the ePD.

– Three years after the application of the Regulation the Commission will evaluate its effectiveness.

Dr Johnny Ryan is head of ecosystem for PageFair. He is also a member of the World Economic Forum’s expert network on media, entertainment and information. See his full bio here.
