Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.
This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:
* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.
* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.
* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lend significant credibility to implied consent and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.
This post first appeared in the IAPP’s Privacy Perspectives blog, available here.