Reed Smith Client Alerts

The announcement on 14 January from Google that it will be phasing out third party cookies within the next two years signals the start of what looks set to be a highly significant year for the adtech industry and the companies that rely on it to promote their brands. Google’s plans include placing limits on third party cookies in its browsers from February 2020, as well as launching anti-fingerprinting measures (which it describes as “deceptive and intrusive techniques”) by the end of the year.

In the face of various regulatory investigations and increasing consumer expectations around privacy, it is clear that programmatic advertising, in particular, is facing a turning point. As a result, as with Google’s announcement, we are seeing browsers proposing changes in privacy settings (see also Microsoft) as well as the rise of new browsers such as Brave, which blocks ad and website tracking and provides for crypto payments to users and publishers for watching ads. Technologies and business models are changing and marketing and compliance teams have a lot to keep on top of! 

Authors: Elle Todd Keri S. Bruce Sarah L. Bruno

In this piece, our experts from both sides of the Atlantic discuss their thoughts on what to look out for in 2020:

Europe

 1. Crunch time for e-Privacy legislation (Privacy and Electronic Communications Regulations 2003 or PECR)Continued confusion on cookie rules

PECR is existing legislation, close to celebrating its eighteenth birthday, that covers various technology issues around data protection, including direct marketing by email, SMS, fax (a sign of its age!) and cookies. The EU had originally intended to update this legislation, replacing it with an EU-wide regulation, to coincide with the coming into force of GDPR on 25 May 2018. Roll forwards over 18 months, and there is still no agreement on the proposed text, with the most recent and advanced version being thrown out at the end of 2019 by a number of EU member states. It is currently back to the drawing board entirely, and some are even predicting that the legislation will be abandoned in 2020. Very frustrating, but many of the proposals were extremely unpopular.

Why is this important? Many companies had been holding off on certain changes to their technology and use of cookies, for advertising in particular, expecting this legislation to finalise what exactly was expected. It had almost become an excuse – ‘let’s wait and see’. However, the ongoing issues with the legislation mean waiting is not appropriate. Companies need to focus on existing law and emerging regulatory trends as explained below.

2. Continued confusion on cookie rules

Given the pain of PECR’s slow-moving developments, the void has been filled by various regulators publishing guidance around their expectations for cookie compliance. The European Data Protection Board also published guidance explaining the interplay between the existing PECR rules and GDPR. The problem is that the regulators (see the UK, French, German and Spanish regulatory approaches) have been saying different things, leaving companies panicking about updated cookie banners and consent mechanisms and struggling to implement solutions that are consistent with the varied approaches across Europe but don’t wipe out opportunities for deploying advertising and analytic cookies. No mean feat! We will see companies continue to wrestle with this issue in 2020 as more are forced to commit to a particular solution, cookie providers change their own terms around consent requirements (so the issue becomes not one of just regulatory enforcement but breach of contract) and more new guidance emerges from other regulators.

3. Enforcement on the rise

Fines and enforcement activity around adtech were pretty slim on the ground a year ago, but we are seeing a huge amount of attention in this area. 2019 saw fines imposed by the Belgian Data Protection Authority in December and the Spanish Data Protection Authority earlier in the year, on separate companies for failing to have appropriate cookie notices and consents. The big one, however, was the €50 million fine imposed by the French Data Protection Authority, CNIL, on Google. This fine focused on failures to have appropriate transparency, and information and consents around ad personalisation. The Irish Data Protection Authority has been reviewing complaints into other platforms and its findings are expected early this year. Privacy regulators in Europe have been keen to emphasise that the perceived delays in enforcement activity are more as a result of the complexity of the matters and the regulations than a lack of will on their part.

The UK Information Commissioner has not yet imposed fines in the adtech space but has been undertaking, and talking very publicly about, reports and investigations in this space, with a focus on real time bidding (RTB) specifically. An interim report was issued in June 2019, followed by an updated blog post in December 2019, which contained a stark warning:

“We are now considering our next steps and deciding how best to address our ongoing concerns. …To summarise, some of what is happening now appears to us to be unlawful, based upon the evidence we have seen to date. The future of RTB is both in the balance and in the hands of all the organisations involved. Over the coming weeks, we’ll be evaluating all of the options available to us and will be providing a further update in early 2020 on our position and on any action we’re taking.”

That update and any potential action are hotly awaited.

4. It’s not just about privacy

The adtech regulatory environment in Europe isn’t just concerned with privacy. The UK’s Competition and Markets Authority announced an investigation in the summer of last year into the adtech market to assess three broad potential sources of harm to consumers in connection with the market for digital advertising: the extent of platform providers’ market power, consumer control over data and competition in the space. Its consultation closes in February 2020 with a final report due in early July 2020.

5. New solutions and commercial considerations

The impact of regulatory and industry change means that brands and publishers need to be having in-depth conversations with the agencies they use and considering carefully the technologies they deploy and how they will react to known and unknown changes in the year ahead. The Google announcements show that big changes in the technology are afoot. If browsers start blocking third party cookies, teams need to be considering the impact on contracts and providers, as well as other tracking technologies or alternative solutions. The changes also mean companies need to stay very close to initiatives such as the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework v.2.