2020 has seen a wealth of regulatory updates around cookies and AdTech. The technology landscape continues to change, and enhancements are being made to give consumers increased control over their data. Let’s take a look at the key updates that have shaped the industry this year:

The Latest Cookies and AdTech Guidance Across Europe & California

Spain: The Spanish DPA announced a U-turn on their view of implied consent for cookies. Following an EDPB announcement on consent, the Spanish DPA issued updated guidelines concerning lawful consent and the outright prohibition of cookie walls. These guidelines became effective for enforcement on 31 October 2020.

Ireland: In April 2020, the DPC shared updated guidance on the use of cookies and tracking technologies. This included a report indicating an increase in enforcement against non-compliant businesses after the grace period, which ended October 5, 2020.

France: In October 2020, the CNIL shared new recommendations on the use of cookies and associated tracking technologies. The recommendations notably overturn the CNIL's original prohibition on cookie walls and highlight that consent is necessary regardless of the nature of the data. In April 2021, the CNIL will begin enforcing against non-compliant organizations under its new guidance.

California: CCPA enforcement began in July 2020. Notable aspects of the regulation include no requirement for prior consent for cookies, and consumers being able to opt out of cookies that are used as part of a “sale” of personal information. The approval of the CPRA in November will see the introduction of an opt-out of “cross-context behavioral advertising”, which can be considered a sale or “sharing” of information, and the introduction of a “Limit the Use of My Sensitive Personal Information” button on websites. The CPRA will enter into effect in January 2023.

Where Do We Stand with IAB TCF 2.0?

The Belgian DPA (APD) investigated IAB Europe’s Transparency and Consent Framework (TCF) and reported finding GDPR infringements. The APD’s report concluded that the IAB Framework allows companies to swap sensitive information about people without authorization, and that controls for the processing of intimate personal data that occurs in the real-time-bidding (RTB) system are inadequate.

IAB Europe has responded to the Belgian DPA’s allegation, “While IAB Europe is currently assessing the APD’s report, we note that the findings point to several alleged compliance issues that stem solely from IAB Europe’s role as Managing Organization of the Framework. We respectfully disagree with the APD’s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers’ implementation of the TCF.”

Where to go from here:

  • The report isn’t final – the APD has not technically found the TCF to breach the GDPR.
  • The IAB had until December 7 to issue their response, which prompted a process of review and counter-response.
  • In the meantime, the TCF’s technical operations are not affected by the report and will continue to function.

For more information on how OneTrust can support your consent and preference management, visit OneTrust Consent & Preference Management, or request a demo to see how OneTrust’s comprehensive enterprise privacy management software can help your organization operationalize compliance.
