Cookies and consent at the IAPP

August 3, 2018 at 11:08AM
International Association of Privacy Professionals
Cookies and consent at the IAPP

Today, the IAPP launched a new cookie notice and cookie consent tool. The process of creating this notice and tool took several months and involved a cross-departmental team with members from marketing, privacy/legal, and (most significantly) IT. We thought it might be interesting to hear about the IAPP’s analysis and operational steps taken in creating its cookie notice and building the consent tool. Hopefully, there are takeaways for your organization.

Legal analysis

The European Union’s General Data Protection Regulation says nothing, directly, about “cookies” — small data files stored by a website on a user’s computer or mobile device. It does, however, say quite a bit about consent, including listing it as one of the lawful bases for data processing under Article 6; defining it in Article 4 as any “freely given, specific, informed and unambiguous indication of a data subject’s wishes”; and requiring in Article 7 that it be presented separate from other matters in “an intelligible and easily accessible form, using clear and plain language.”

It’s the ePrivacy Directive that addresses cookies directly, requiring in Article 5(3) that (under member state law) organizations obtain prior informed consent for storage or for access to information stored on a user’s terminal equipment (e.g. websites must ask users if they agree to accept cookies, web beacons, etc., before they are placed). “Strictly necessary” cookies and those used solely for carrying out communication transmission are exempt from the consent requirement.

Prior to the GDPR, valid “consent” under the ePrivacy Directive — as implemented in member states’ laws — was widely interpreted to be met with a visible pop-up notice announcing the use of cookies, followed by the user’s continued use of the site. Whether this was legally sufficient was never officially challenged, but, post-GDPR, it is no longer popular to assume implied consent from ongoing use of the website. Instead, given GDPR’s requirement of “specific, informed, and unambiguous indication” of consent, many organizations are requiring users to affirmatively interact with the cookie banner, if not use a consent tool, too.

The cookie consent recipe

We’re not afraid to admit that the first places we went for guidance were other organization’s websites. Indeed, we assume that privacy professionals may look to the IAPP’s example to model best practices.

FieldFisher law partner Phil Lee’s blog on “GDPR + e-Privacy = 🙁“ provides an excellent background of the law, policy, and practice of cookie consent, while also underscoring the uncertainty surrounding this issue post-GDPR and pre-ePrivacy Regulation. For that reason, we looked to the fieldfisher.com site for insights. We also looked to the U.K. Information Commissioner’s Office website, as well as to other leading data protection law firms’ and data protection authorities’ websites.

In general, there seems to be a three-part recipe for modern cookie consent:

  • Cookie notice: Separate from the privacy notice, this policy describes what cookies are used and why, how long they are stored, and how a user can manage them (if at all).
  • Cookie consent tool: This tool allows a site visitor to quickly turn off (or on) cookies, depending on their preferences. Its icon is often visible persistently on each web page.
  • Cookie banner: It pops up prominently and announces the site’s use of cookies, including links to the notice and the tool. This requires user interaction to disappear, ideally an indication of “I accept” rather than clicking an “x” to close.

Many cooks in the kitchen

Creating the three-part package is not the DPO’s job alone. Far from it. Like almost everything in privacy, following the cookie consent recipe requires participation from many people representing different departments and disciplines.

At the IAPP, we pulled together a team from marketing, privacy/legal, and IT. We had to fully understand, as a preliminary matter, which cookies are set by use of the iapp.org website (first party cookies) and which cookies (if any) are set by third parties when a user visits our site. We also needed a better understanding of how Google Analytics works and what aspects of the web traffic analysis process can be anonymized.

In particular, we wanted to ensure that data like IP addresses would not be stored in Google Analytics even after the user has accepted the placement of cookies. Fortunately, Google provides a mechanism for anonymizing IP addresses before any storage or processing take place. But this feature is not enabled by default and did require some configuration.

The IAPP — like many organizations — also uses marketing software that gathers data from website users to help the IAPP understand users’ interests in our content, products, and services. These tools were easy to identify.

But hidden in our association management system were cookies we don’t place and didn’t initially understand. Investigation of the “AddThis” cookie suite revealed that they are part of a fixed package that the IAPP cannot turn off independently, and that they interact with users’ social media content often at the user’s election. As we wrote the cookie notice and built the tool, therefore, we had to decide how to characterize these cookies (as social media plug-ins, some of which are exempted from consent, or as advertising cookies — which clearly aren’t exempted — that the user will have to affirmatively reject through a series of steps). We debated and elected the latter.

Our cookie notice went through multiple drafts as we worked to make complicated technical language more readily accessible, to eliminate extraneous or even erroneous information about the cookies’ personal data collection and storage, and to ultimately simplify the notice without sacrificing transparency.

We also had to select a cookie tool that fit our needs and settled on Cookie Control v8 by Civic. The tool is set to hold preferences for 90 days before asking the user to refresh them.

Final copy and display ultimately required marketing department input for brand consistency and website placement.

Biggest challenges

Finding and labeling all the cookies was one major challenge. So was pulling together multiple players and keeping the project on schedule. For this, we assigned a project manager from IT to continuously confirm that each player was advancing the project. Making the project an IT priority was also a challenge, but one resolved by leadership’s declaration that data protection — and our cookie notice in particular — are vitally important to the IAPP’s relationship with its members and its global brand. That helped elevate the cookie project over competing ones.

There were technical challenges as well. Configuring the tool to work correctly on our site required a measure of custom coding and plenty of testing. Although we opted to start with Civic’s Cookie Control package rather than build a tool from scratch, we couldn’t use any of its ready-made CMS plugins due to the complexities of our systems. Similarly, because we use Google Tag Manager as a single tool for setting both analytical and marketing cookies, there were additional configuration changes needed to allow users to pick and choose which types of cookies they would accept.

The final step before launch was achieving sign-off from the highest levels of management. This turned out not to be challenging because of the prior work by many parties and the deliberate, collaborative process.

What remains is to see how the tool affects our users’ experience and our marketing and analytics capabilities. Will it hinder our insights into our site users’ interests, thereby depleting our capacity to anticipate their needs? Will most users click “I agree” without clicking on the tool? Will anyone — other than privacy pros looking for a sample — actually read the cookie notice?

Let us know what you think by submitting comments below or reaching out to us directly.