BAPD expectations for cookie compliancy unattainable for most publishers
Thomas Ghys
The Belgian APD (“BAPD”) has published a first decision in a series of investigations on the use of cookies by Belgian publishers. The observations leading to the EUR 50,000 fine for the first publisher on the list are based on a legacy CMP implementation. No breaking news here. More insightful are the criteria against which observations were vetted.
To not bury the lead, BAPD sets expectations that most publishers engaged in Real-Time Bidding – large-scale automated auctions to buy and sell digital advertising inventory - will not be able to meet.
Only two legal bases: consent or an exemption of consent
Unlike the Dutch and French authorities, BAPD stays close to a strict interpretation of the ePrivacy Directive. All tracking requires consent except if it falls under narrowly defined categories:
- Carrying out the transmission of a communication over an electronic communications network.
- Providing a service explicitly requested by the subscriber or user.
Examples of the first purpose include load balancing or application performance monitoring. The second category involves adding items to a shopping basket, keeping users authenticated or changing language preferences.
Analytical tracking requires consent
While analytical tracking may be essential to the publisher, it is not for the user, and, hence, requires consent. BAPD acknowledges that the long overdue ePrivacy Regulation may relax this requirement but likely won’t budge until the EC greenlights that piece of legislation.
Leaving considerations on the importance of analytical tracking and the actual risks involved aside, these guidelines on consent are hard to stick to. For starters, the rules are not harmonized across EU countries. A French newspaper with a large audience in Belgium faces two different interpretations on analytical tracking without consent. Next, there is no uniform definition of strictly necessary and other tracking purposes (we discuss this further in our post on the APD domain scanning methodology).
Personal data descriptions for cookies
BAPD explicitly states that a cookie policy should include the following information about each individual cookie in line with GDPR art. 13 and 14:
- the personal data that are processed,
- the purposes of the processing; and
- the retention period.
The first requirement throws another curveball. Cookies often store pseudonymous identifiers that can only be interpreted server-side. It is unclear which scope of personal data should be mentioned in the cookie policy, let alone, how personal data categories can be explained easily.
Publisher always exerts some control on tracking
BAPD notes publishers always have a say about which vendor can track their domains (cfr. EUCJ of Wirtschaftsakademie). They must therefore be a controller in relation to another controller or a processor.
Putting this in practice presents two challenges. First, every service provider acting as controller needs to be mentioned individually in the vendor list of the CMP or cookie policy. Second, publishers monetizing ad inventory through real-time bidding have to regularly scan their domains to catalogue cookies from these service providers, as their presence and tech stack continuously evolves.
Opting out triggers cookie deletion
Another requirement that will leave technical stakeholders puzzled is the implicit requirement to delete cookies after opting out. Yes, there are ways to achieve this for first-party cookies. Yet third-party cookies simply don’t allow access by the publisher.
BAPD takes a very restrictive view of what it considers a ‘lifespan that should not exceed the time required to achieve the intended purpose’. Let’s say a user opts in to content profiling, opts out three months later and then opts in again after another month. When the user is opted out, the cookie will never be read and remains stale. Deleting the identifier stored in a cookie may actually be a disadvantage for some user as the profiling starts from scratch. Next, users who want to reset profiling can always clear their browser storage.
Recommendations for publishers
In sum, this first decision in a series of related cases clarifies the rules of the game for cookies as seen by BAPD, but also sets a bar that is almost impossible to reach in practice.
I would leave publishers with five recommendations:
- Perform an internal assessment of essential tracking and document why they meet one of the consent exemption criteria.
- Consider cookieless methodologies for analytical tracking without consent.
- Categorize the processing role of each vendor performing online tracking and communicate controllers (e.g., SSPs, ad networks) through a vendor list.
- Explore arguments for keeping cookies – and other forms of browser storage – for a fixed retention period and explore technical workarounds with vendors when there are no compelling reasons to keep them.
- Wait for other decisions in this investigation to clarify the need to communicate personal data categories stored within cookies.