How can you obtain users’ consent for online advertising purposes in a legally compliant manner without jeopardising your business’s sales? This question is more important than ever for marketing executives in 2020. Barbara Nietzer, Legal Director EMEA at Criteo, and Florian Tannen, Partner at Baker & McKenzie, explain where the regulatory challenges lie and what companies need to be aware of. They spoke about their experiences at a virtual event, Digital Bash Law, at the end of October.
Any company that uses cookies on their website to target users with online advertising must obtain the users’ consent beforehand. This was confirmed by the German Federal Court of Justice (BGH) in the summer of this year. Companies are therefore now wondering what a banner notice should look like and what requirements need to be met. So there’s no getting around looking into this matter. “This is something that companies absolutely have to address,” says Florian Tannen. “There’s no need to be afraid of it. You simply need to rise to the challenge to help get the best results for your company.”
Companies under pressure
For companies, the first issue is “that the user must explicitly consent to the use of cookies and the party that obtains this consent must demonstrate that this has been done in a clear manner,” explains Barbara Nietzer. It is not only the authorities and legislators that insist on compliance but also the users themselves. Barbara Nietzer’s monitoring of the market has found that the majority of companies follow this approach and obtain users’ consent. “The situation already looks pretty good, especially where retailers are concerned. A lot of them are working with consent management platforms in order to be able to manage this and act in compliance with data protection laws.” Florian Tannen also considered this a positive development as there are now very few companies still following the old approach (i.e., not asking for an active consent at all but rather rely on deemed consent approaches). This is no longer sustainable either and can therefore “not be recommended from a legal point of view”.
Greater legal certainty
If a user does not accept the use of cookies before such are dropped, the options for targeting this user with online advertising are limited. It is therefore in companies’ interests to obtain users’ active consent. “In my experience, this concern that users will not give their consent is factually very rarely justified and can legally not serve as justification. Any company that gives this matter some thought, and then tests different options and tries them out will ultimately find a solution that works for the company and their users. This will then result in a reasonably high acceptance rate, and the level of legal certainty will be higher as well,” says Florian Tannen.
Cross-border challenges
A lot of companies are now trading internationally. They then find themselves confronted by extensive data protection challenges. “The plan of creating standardized EU rules through the GDPR has somewhat failed as more than 50 topics have been placed in the hands of the local legislators,” Florian Tannen highlights. However, Barbara Nietzer has also noticed that the data protection authorities are communicating more with one another. She says: “It appears that the national data protection authorities are in conversation with one another. I am seeing increasingly bigger overlaps. The authorities have clearly recognised that we are living in a European world.”
Brexit, which is currently taking place, brings its own challenges, as the GDPR will no longer formally apply in the UK. However, there have been preparations and the UK has largely transposed the requirements of the GDPR into national law. The objective likely is to support the sharing of data as far as possible and prepare for an adequacy decision. There is the option that the EU Commission assesses third countries with respect to their data protection legislation and – in case such is found to be adequate – the international data transfer to such adequate non-EU countries face less requirements.
Privacy Shield no longer applies
Earlier this year, the EU-U.S. Privacy Shield was invalidated by a judgment of the Court of Justice of the EU, also referred to as Schrems II. “With this decision, we have lost one of the data transfer vehicles that enabled to send personal data to recipients in the USA if they were certified under EU-U.S. Privacy Shield,” explains Florian Tannen. Companies that relied on this transfer mechanism will now have look for new mechanism such as the EU Standard Contractual Clauses to back such data transfers; while also additional requirements in connection with such other data transfer mechanisms need to be considered following Schrems II. “This is essential and cannot be avoided.” “So everyone was in a type of pause mode until the new recommendations of the European Data Protection Board,” explains Barbara Nietzer. The invalidation of the Privacy Shield is not an issue for Criteo as the company relies on standard contract clauses. “We would however be grateful for clear guidance.”
The approach to cookie walls
There is also a great deal of variation around the world in the attitudes of data protection authorities to cookie walls, which stop users from accessing a website if they do not accept the use of cookies. In Germany, the authorities view these rather negatively. In France, where Criteo’s headquarters is based, their use is conceivable under certain circumstances, as Barbara Nietzer observes. “This gives companies back some of their ability to act and their decision-making power.”
Targeting and data protection pose challenges for companies in terms of the legal aspects and are also fraught with pitfalls. As a general rule, however, the following applies: When it comes to the handling of data, the GDPR applies indiscriminately to all companies, from small businesses to large corporations. Compliance with data protection laws is mandatory and must be taken seriously by every company. There is also an increased enforcement taking place with respect to the appropriate use of cookie consent solutions.
