How can businesses navigate potential legal challenges related to data privacy and consent in a cookieless landscape?

Kiran: Well the main point to make here is that we’re not losing all cookies. We’ll still have the same data challenges that we do today. Consent, for example, is the number one thing on people’s minds when they think about cookies. How do you obtain that data lawfully? How do you do it unobtrusively? How can you make sure it’s not putting up barriers to the next stage of your website? Cookie banners are things that we all know and love (sort of!)

It’s just a case of figuring out what’s going to fill the gaps, so with privacy-enhancing technology and these new innovative technologies, we’ll think about ways that consent may possibly be bypassed in the future – or ways it can be managed differently.

I’m sure some of us here have heard about browser-based consents whereby users can select preferences in their browsers and that will apply across a range of websites. Now that’s sort of where we’re going towards, although that’s not set in stone. 

But these privacy-based challenges are by no means limited to cookies. When we think about things like server-to-server tracking, which is what some people think of when we say cookieless, truly cookieless technology is where nothing is downloaded to a device and everything is done through server-to-server communication.

So, if we start thinking about the possibility of bypassing certain laws around consent, it’s a very grey area. Even in 2020, the French regulator was examining the issues and they kept their comments unhelpfully vague back then as well. They said we require consent for all tracking technologies, whatever that means.

It’s just a case of regulators becoming increasingly specific over time to give us the guidance that we need to figure out what we can actually do, where we need consent, and how we put this into day-to-day practice. I’d love to hear from the rest of the panel about what that might look like in practice. 

Sarah W: Well, what I would say is that it’s really important for marketers and businesses to talk to somebody like Kiran because, with the GDPR, a lot of our clients didn’t even realise that there was such a thing as ‘legitimate use’ of somebody’s data.

A good example would be that they might not have given you their consent to send them an email campaign, but you can still retain their data and use their contact details if you’re offering a product with an unlimited warranty.

You need to be able to contact and communicate with them if they want to replace it. So it’s worth consulting with an expert on this about what data you can legitimately retain and use for legitimate reasons and as long as you stick to common sense, usually you’re good. Most of these regulations are made with common sense (mostly!)

Tom C: I think there’s a lack of education on the client side. When our clients heard this news it seemed to be quite anxiety-inducing – what do we do now? How do we utilise data?

I think there might be an opportunity to utilise first-party data a bit smarter and push towards demographic data. There’s still opportunity there, but again there’s that educational piece missing, it still feels a bit of a grey area at times and it’s not fully clear as to what people can use. 

Kate: It’s still developing, so it’s difficult to give a hard and fast answer about what’s right and wrong. It’s developing, and as an agency in this space, I would never advise my clients on exactly how to handle their data. I would expect them to be talking to people who specialise in that. 

What I would say is that it’s put a bit more of a focus on (from an agency perspective) – what data are we requesting, how do we want to use it, how can we make smarter choices about what you’re looking at and why – and then what do you want to do with it?

There were times ten years ago when we’d be looking for the front half of a postcode and they’d accidentally sent the whole address. That’s not what we want to see and actually, this had put a bit more of a focus on what people actually need, what are we going to use it for, and then you can sense check what you need to do with it so that you’re only getting the bits of information that you need to provide the right insight to power your advertising. 

There’s been some really positive cleaning of data in this process, because we’re using the right content to power what we’re doing going forward, with the right data – versus something that’s gotten old, a bit murky and has been bought in from somewhere (and might not ever actually have been quite right).

Sarah E: I think one of the key questions is, are we going to need the pop-ups anymore?! The answer is – I think it’s going to be dependent on how people are using data. And for organisations, it’s about understanding what you’re harvesting, why, and really looking at how you want to create that relationship.

There may be more opportunity to create more logged-in models, more environments for subscriptions and things like that – but we’re still going to see pop-ups in some shape or form. 

But it’s an opportunity to take the user on a journey a little bit more, especially if they’re engaging with you and your content. Then how you’re talking to them, how you’re harnessing their data, what you’re doing with it and how you’re explaining that to them needs to be thought about as part of the journey. 

Kiran: Just to round off with a point about the challenges of all of this, on the horizon we’ve got the Data Protection and Digital Information number 2 Bill coming towards the final stages in Parliament. We know with reasonable certainty what it’s going to look like and one of the big changes is that it’s going to start raising the level of fines to GDPR levels where we’re looking at £17.5 billion.

We’re in a game where the stakes are rising; however, in that same bill we have opportunities to create things like browser-led consents, so it’s not just about the increasing risk to marketers, but also trying to provide tools that can be used to plug that gap (where third party cookies used to give us the data).