Google: shifts responsibility away from Chrome and onto individual websites
At the end of March 2018, Google released an update on their preparations for GDPR, including an updated EU user consent policy. In an unexpected move, the new policy wording implies that the onus for gaining explicit cookie-opt in consent is on the publishers (you) rather than set at a browser level, or justified through legitimate interests.
- Existing user consent policy: https://www.google.com/about/company/user-consent-policy.html
- Post-GDPR user consent policy: https://www.google.com/about/company/consentstaging.html
Why is this so unexpected?
In our early 2018 whitepaper, “What does GDPR mean for your paid digital marketing?“ we theorised that the data processing involving using first and third-party cookies would be justified within GDPR by legitimate interests (i.e. the fact that cookies will enable users to have a better on-site experience, as well as receiving more relevant adverts, would imply their data is being processed in their best interests). This would mean website-owners and marketers would not have to gain explicit, opted-in consent to operate in essentially the same way we do currently.
However, the wording of Google’s new user consent policy, whilst arguably vague, implies that this won’t work, and that cookies must go down the consent route of justification:
"You must obtain end users’ legally valid consent to:
- the collection, sharing, and use of personal data for personalization of ads or other services. "
What does this mean?
We reached out to our Google Partner team for more detail, and were directed back towards cookiechoices.org - Google’s 2014 resource for publishers on understanding data regulations, which is expected to be updated in April.
One interesting comment confirmed our suspicions for cookie consent vs. legitimate interests:
"Do I need consent before the tags fire or can the consent come afterwards?
Our understanding is that the prevailing standard in Europe will require consent to be obtained before data is shared. Our initial enforcement phase, commencing August 2018, will focus on the presence of consent notices. We expect to begin testing for data flows in subsequent phases of enforcement."
Facebook: stricter requirements for Custom Audiences
A couple of days after Google’s announcement, Facebook followed suit - confirming more stringent consent obligations for advertisers looking to use Custom Audiences. We think this is likely in reaction to the ongoing Cambridge Analytica scandal, as announcements for safeguarding user data are made on an almost daily basis.
What does this mean?
All we know is that Facebook is building a ‘certification tool’ to ensure marketers have gained the consent of all data subjects loaded into the platform.
"For any Custom Audiences data imported into Facebook, Advertisers will be required to represent and warrant that proper user content has been obtained.”
This could be as little as a tickbox confirming the data has been lawfully processed or, at the other extreme, a data point for each and every subject containing the time and date of explicit opt in - we don’t know.
In our opinion this move isn’t nearly as unexpected as Google’s. The uploading of email addresses or similar identifiers is a far more intrusive marketing practice than dropping a first party cookie, so marketers have already been expected to rely on a consent rather than legitimate interests justification for this one.
GDPR takes effect from the 25th May 2018 onwards, yet there’s still a lot of uncertainty about what this means in practice for digital marketers. We’re keeping on top of industry updates as and when they’re announced.