The “Cookie Pop-Up” Is Not The Real Issue Of GDPR | AdExchanger
Progress is not a straight line or a smooth path, as many in history have reminded us.
It seems to be the case for data and privacy regulations, too, as the spotlight was recently on the UK and its call for data reform it published in September, “Data: A New Direction.” Some interpreted the piece as a stance against the European Union’s General Data Protection Regulation (GDPR).
In June, the EU Commission announced that “adequacy” decisions for the UK have been approved — meaning that the EU deems UK GDPR provides an “essentially equivalent” level of data protection to that which exists within the EU.
But at the end of August 2021, UK’s Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, declared the UK’s intention of “reforming our own data laws so that they’re based on common sense, not box-ticking,” and labeling it as a “Brexit dividend” for individuals and businesses across the UK.
Days later, the UK Information Commissioner Elizabeth Denham shined a light on what this meant by asking her G7 counterparts to join forces to rethink cookie pop-ups, mentioning cookie “fatigue” among users.
The poster topic of the cookie pop-up
It is interesting that pop-up fatigue is brought forward as the issue (which affects other types of identifiers other than cookies), rather than the manifestation of a wider, unresolved contradiction. The conflict between real-time bidding (RTB) and GDPR is generated by the way consent is trickled down across hundreds of companies unknown to the user and how that data is shared across them through the digital advertising ecosystem. Which, among other things, makes impossible the standardization of consent for advertising.
The RTB-GDPR conflict, when talking about cookie fatigue, will have an even bigger negative impact in the future. In fact, both the UK data reform and the latest ePrivacy Regulation draft proposals suggest that no consent should be needed for non-privacy-intrusive cookies that improve internet experience (like retaining shopping cart history), or for cookies for the purpose of audience measurement (i.e., web analytics) and for security and functionality purposes. Which leaves us — and the pop-up — with the complexity of consent for advertising and personalization purposes.
The relationship between the UK ICO and RTB along the years
In February 2019, the UK ICO launched a review of real-time bidding (RTB). In their June 2019 report, they identified a range of issues, finding that “there is a significant lack of transparency due to the nature of the supply chain and the role different actors play.” They gave six months’ time to the industry to set their house in order, but their investigation stopped in May 2020 due to the pandemic. It resumed in January 2021.
Almost three years and billions of pop-ups later, RTB’s GDPR compliance still feels like the squaring of a circle without a sign of a final position for the UK ICO on the horizon.
Non-compliance of consent collection practices
Since GDPR came into force in May 2018, cookie and consent pop-ups have gone through several trends of non-compliance.
Researchers at MIT CSAIL, Denmark’s Aarhus University and University College London published a study in January 2020, finding that only 11.8% of the most popular Content Management Platforms (CMPs) used on the top 10,000 websites in the UK met the minimal requirements they set, which are based on GDPR. They then found that “removing the opt-out button from the first page increases consent by 22 to 23 percentage points; and providing more granular controls on the first page decreases consent by 8 to 20 percentage points.”
Even IAB Europe itself has acted on the widespread bad practices, cracking down on consent management platforms (CMP) and sending a clear message to their members.
But what has been the enforcement activity of the UK ICO in that area so far? Close to zero. In the meantime, users are more and more pop-up fatigued.
The real issue
The overall picture begs a question: Why hasn’t the UK ICO acted on their RTB investigation yet? Why the public cookie crusade now, as if RTB wasn’t part of the problem — and failing to even mention RTB issues?
Is it a strategy to avoid being the one to pull the plug on RTB, which would cause the collapse of many ad tech companies and contribute, in the eyes of the UK government, to the economic slowdown caused by Brexit and the COVID-19 pandemic? Is that the reason for the G7 proposal — a more or less explicit attempt to offload the blame on the EU and GDPR? It’s also important to remember that nothing would have prevented the UK government and the UK ICO to push in this direction, even before leaving the EU.
There is no silver bullet to solve the consent pop-up user experience issue. But a few actions that should take precedence before more radical moves: first, the enforcement of existing rules (an issue for the whole of the EU, too) and, once cleared up, the establishment of a proactive and collaborative relationship with the EU to preserve adequacy. As the Financial Times puts it: “In any case, for UK companies doing any kind of business in the EU, having a separate domestic regime to comply with seems onerous, not innovative.”
Doubling standards and requirements might not be a great idea. Collaborating on improving the existing regulations and how they translate into the user experience — and then enforcing it — would bring a much bigger benefit and, probably, an increased status.
For media owners and advertisers, it is mainly through trust and clarity that the consent topic can be simplified and streamlined, way before the very much needed discussion around the technical act of collecting it.