The Key changes to website cookie consent in 2022 are:
There has been a recent trend where regulators are finding against various aspects of how website operators manage their domains. It is evident that a shift in how the online space functions are coming sooner rather than later as we see the method of consent gathering that 80% of EU websites being found non-compliant. As well as this, two regulators have deemed the use of Google Analytics unlawful, with others soon to follow suit. We have reviewed these findings and broken out the key points and actions you should consider.
The Transparency and Consent Framework (see more about TCF here) is an advertising industry framework to help publishers, agencies and advertisers to meet their transparency and consent requirement under GDPR. It is a framework issued to manage consent for 80% of EU websites. See the further reading section for some brief information on how TCF works. It was established by IAB Europe, the European-level association for the digital marketing and advertising ecosystem that develops standards, policy, and undertakes research in those fields.
Closely linked to TCF is the use of Google Analytics. After the Schrems II judgement in 2020, NOYB issued 101 complaints to several regulators on using cookies. These have culminated in decisions by the French and Austrian regulators where it was found that Google Analytics is unlawful.
Transparency and Consent Framework(TCF) The Belgian regulator has found that the TCF is not valid and has fined IAB Europe €250,000 for non-compliance with the GDPR. Notably, it found that IAB Europe had:
This essentially means that TCF is invalid even where website owners use it. |
Google Analytics The French and Austrian DPAs have concluded their investigations into the use of Google Analytics. They confirmed that the "unique identifier" used by Google Analytics to track the users of websites constitutes personal data. Google relies on standard contractual clauses (SCCs) with additional "supplementary" measures to transfer this data to the US. However, both DPAs concluded that Google would still be subject to US intelligence surveillance rendering these additional measures ineffective. This means that in France and Austria, the use of Google Analytics is non-compliant with the GDPR. |
These cases represent the new enforcement focus for many DPAs – "Cookie consent" and "third country data transfers". This focus will impact nearly every company that has an online presence. Essentially it means that the online world of business is poised to change.
TCF If you have a cookie consent process that relies on TCF, then it means that all of the consents you have gathered may be invalid, and you will have to delete all of that data. Whether you use a consent management process that relies on TCF or not, this case means that DPAs will evaluate organisations' use of cookies to ensure that they are transparent and adequately inform the data subject of how and where their data will be processed. Organisations should ensure that when using cookies that:
This reinforces an investigation that the DPC undertook on Cookies and other tracking technology in Ireland. |
Google Analytics By using Google Analytics, organisations potentially expose their customers to breaches of their human right to privacy. The DPC has not yet found this. However, the French and Austrians argue that "supplementary measures" are ineffective at protecting personal data due to far-reaching US surveillance laws. This renders the transfer of personal data to a company subject to FISA 702 or the CLOUD ACT incompatible with the GDPR, which means that anywhere you transfer data to an organisation subject to those items of legislation, you may be non-compliant with the GDPR. |
TCF The Belgian DPA has allowed IAB Europe to make changes to comply with the framework. If the Belgian DPA approves the amended framework, we can view it as a transnational Code of Conduct, and it would be possible to continue to use the framework. However, suppose the amended framework is rejected. In that case, the framework will be deemed illegal, and any consent data collected through it will need to be erased, and you would also have to find a new system for collecting and managing consent. While we await the results from the reassessment of the TCF, you should take steps to provide users with more detail about how their data will be used and shared within the framework:
|
Google Analytics The French and Austrian DPAs have recommended that users of Google Analytics should begin switching to alternative software that does not rely on transfers to third countries with inadequate protection of personal data (i.e. the US). These are not yet enforced in Ireland, but it is only a matter of time. If you currently use Google Analytics, you should:
|
TCF IAB Europe has been given six months to make the necessary amendments before reassessing its framework by the Belgian DPA. This means that the TCF can continue to be relied upon until the Belgian DPA concludes its assessment of the updated TCF, although steps should be taken to improve transparency. |
Google Analytics Google Analytics has not been given a transition period and has been ruled incompatible with GDPR. DPAs in other countries across Europe are currently investigating the use of Google Analytics and have shared their approval of the ruling and intended to have similar conclusions. While the decision is not yet enforced in Ireland, the fact that several regulators have come to the same conclusion indicates that the DPC will not be far behind. Begin preparations for changing how you monitor and conduct your online presence. |
The digital world is changing as regulators become more active in enforcing the human right to privacy. Many organisations may need to change how they do business online, including how they market and sell. At present, the impact on Irish firms has yet to be fully felt, but it is a sign of things to come, as seen with the recent (21/02/2022) announcement of a draft decision by the DPC to stop Meta sending EU data to the US. As for the proper use of cookies and transparency, there appear to be some inconsistencies; the Belgian authority saying there must be a "reject all" and the DPC in their cookie guidance saying a "manage preferences" is acceptable. We are of the opinion that the former will prevail, and each consent management platform must have a reject all on it, but also allow users to go back and manage their preferences.
Organisations need to begin looking for alternatives to third-party cookies and reimagining their online presence.
The is a brief document designed to give an understanding of how the Transparency and Consent Framework (TCF) operates. For more information, please talk to your website developer or see the IAB Europe's website.
Approximately 80% of websites in Europe rely on the TCF. To find out if a website does, you can search for the cookies mentioned above or get in touch with the website developer.
Artificial intelligence (AI) is rapidly becoming an integral part of business operations and daily life. Yet, many organisations struggle to fully grasp its potential, risks and limitations.
This article delves into the main components of the application form, highlighting the key areas that applicants must address to gain authorisation.
Providing an independent perspective to help boards identify improvements and reach their full potential.
Transforming organisations by aligning people, processes and technology
Tailored solutions for assurance and value creation in a changing world
Forvis Mazars supports you in achieving and maintaining data protection & privacy compliance.
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.