Tracking the slow demise of third-party cookies – A UK update.
1. What are ‘cookies’ and what is a ‘third-party’ cookie?
As has become well-known, a cookie is a very small text file which is placed onto a web user’s device by a website, via the user’s web browser, at the point at which the user visits that website using that device. In general, cookies are associated with allowing the website to uniquely identify a specific user (or more accurately, a specific device) across multiple visits made by that user (or device) to that site.
A ‘third-party’ cookie (TPC) is a cookie that is placed on a user’s device by a website (or ‘domain’) other than that which the user has navigated to in their browser. This occurs because many websites, when visited, load and display user-facing content or back-end web infrastructure (or both) from third-party domains.
2. How are cookies used in the digital advertising market?
Cookies, including TPCs, are important when it comes to allowing organisations to track the behaviour of individuals online, a capability which is central to the current digital advertising ecosystem.
Of particular importance in digital advertising is the capacity to track users across multiple websites. Known as ‘cross-site tracking’, this allows a picture to be built up of any given user’s browsing history across the web as a whole.
This has enabled an increase in the capacity of digital advertising companies to develop ‘profiles’ of individual users, factoring in their individual characteristics (such as age and gender), as well as their interest areas, online behaviour, engagement with different types of content, and more besides. The resultant data is invaluable to advertisers who are seeking to target their advertising to particular ‘audiences’.
3. The regulatory landscape
In the UK, the placement of cookies on user devices is governed by the Privacy and Electronic Communications Regulations 2003, which were enacted to implement the 2002 EU Directive on Privacy and Electronic Communications (the ePrivacy Directive). These stipulate that a person cannot ‘store or gain access to information stored’ in a user’s ‘terminal equipment’ (i.e. a user device) without first having provided the user with ‘clear and comprehensive’ information about the purposes of doing so, and then having obtained the user’s consent.
The 2003 Regulations do not specify a precise definition of ‘consent’ – rather, the definition found in the UK GDPR is relied upon. This specifies that consent must be ‘freely given, specific, informed and unambiguous’, and must be given by means of ‘a statement or by a clear affirmative action’.
The UK GDPR itself governs the storage and processing of ‘personal data’. ‘Personal data’ is given a wide definition and encompasses ‘any information relating to an identified or identifiable natural person’. As pointed out in the UK GDPR guidance promulgated by the Information Commissioner’s Office (ICO), cookie identifiers can constitute personal data. In general, the data gathered by means of placing cookies on user devices will, on many occasions, constitute personal data, because it is possible to identify the user either directly or indirectly from that data.
4. The trend away from TPCs
Recently, there have been clear signs that the era of ubiquitous reliance on TPCs in the digital advertising industry is coming to an end.
In January 2020, Google announced its intention to remove support for TPCs in its web browser, Chrome, as well as in its open-source browser architecture Chromium (which underpins Chrome itself, as well as a number of other web browsers including Microsoft Edge), within two years (recent reports suggest this will be phased out now in 2023). Similar moves have been made by other browser developers. In March 2020, an update to Apple’s Safari browser was released which introduced by-default blocking of TPCs. Mozilla’s Firefox browser received an update with similar functionality in September of 2019. Taken as a whole, this represents the vast majority of the browser market both on desktop and mobile.
Underlying these developments is a general increase in regulatory focus on the digital advertising industry. At the time that Google announced the forthcoming deprecation of TPCs on Chrome, the ICO was conducting a review into the use of user data in digital advertising, and in particular within the so-called ‘programmatic’ or ‘real-time bidding’ section of the digital ad market – which involves highly automated and extremely fast-paced bidding for advertising space on websites, with this automated decision-making informed and, to a great extent, driven by the aggregation and analysis of user data, including data gathered by means of cookies.
One key concern for the ICO was that digital advertising companies were purporting to rely on the GDPR’s ‘consent’ processing basis when utilising user data in real-time ad bidding. Of particular note was whether the ‘consent’ basis can in fact be properly relied upon in the context of such a complex data environment, in which personal data is aggregated, processed, interpreted and transferred, at great speed, between many different intermediaries in the course of every ad transaction.
Similarly, the ICO has also expressed a view that, in the words of the Competition and Markets Authority’s digital advertising market study, published in July 2020, ‘it is unlikely that the legitimate interests of a data controller to process consumers’ data to serve personalised advertising would override the rights and freedoms of the consumer’ – which is to say that it is unlikely that the UK and EU GDPR ‘legitimate interests’ processing basis can provide a lawful basis for the justification of this sort of data processing as an alternative to consent.
In general, it appears to be the case that fundamental incompatibilities between, on the one hand, the requirements of GDPR and ePrivacy Directive (and the PECR in the UK), and on the other hand, the way in which TPCs presently operate in the digital advertising space, mean that TPCs are not a continued viable prospect for the industry as a whole to rely on in the long term. Proposed changes to the ePrivacy Directive in the form of a new EU ePrivacy Regulation look set to hasten this incompatibility.
5. Alternatives to TPCs?
Whilst a variety of potential alternatives have been proposed (notably Google’s Federated Learning of Cohorts (FLoC)) technology, it remains far from clear at this juncture what technology (if any) might ultimately supplant TPCs, and their role in ad personalisation. Indeed, many have argued that the ‘death’ of TPCs ought to lead to a wholesale shift away from the personalisation of ads based upon inferred user preferences and profiling (whether by TPCs, anonymised cohorts, or any other means) towards alternative models such as contextual advertising (whereby ads are tailored to match the publisher content they appear next to, rather than a data-derived profile of the user visiting the site).
With the ICO – having resumed at the start of this year its Covid-paused investigation into real time bidding – supporting the changes made to the industry and examining this area closely, it will be interesting to see where the industry lands in coming months and years. In particular, from a UK perspective, an added nuance will be the extent to which proposed changes of the draft EU ePrivacy Regulation are flowed down, without divergence, into UK law. AdTech remains therefore an area of much uncertainty and development.
Article provided by: Jonathan Kirsop and Douglas Henderson (Pinsent Masons, UK)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)