135 million Euro fine levied on industry giants Amazon and Google due to missing consent – what that means for your company

This message is making the entire digital marketing industry sit up and take notice. The French data protection authority CNIL levied fines on Google and Amazon amounting to 100 million and 35 million Euros respectively. The reason: The absence of information which meant no informed consent to place tracking cookies could be given. Now that the French data protection authority is taking decisive action, it is only a matter of time before the German authorities follow suit. Companies should not wait any longer to act, especially given that most of them rely on services such as Google Analytics or Facebook. But what concrete measures can companies and, more specifically, website operators actually take? And will this decision affect the performance marketing of your company? Mischa Rürup, CEO at Usercentrics, provides some tips and tricks as to how companies can protect themselves now and gives his perspective of expected developments in the coming year 2021.

For the first time, large US concerns such as Google or Amazon are being brought to justice for using tracking cookies without the valid consent of users. But why is a French national ruling such an important precedent for an entire industry? Many would probably now think “Due to GDPR, of course!” but it really is not that simple. It is true that the General Data Protection Regulation (GDPR) stipulates that website operators require a legal basis for the use of web technologies for marketing purposes. This applies since the law came into force in May 2018. A legal basis is the explicit consent of the user in most cases. Contrary to what was originally suspected, the French data protection authority did not base its decision on the GDPR (although it applies in all of Europe) but rather on the ePrivacy Directive. The reason: According to the GDPR, the Irish data protection authority would be responsible for data protection violations committed by the internet giant Google as it has its European headquarters there. But since the Irish DPC (Data Protection Commissioner) is frequently criticized for not cracking down hard enough, the CNIL is showing its own initiative. 

The legal situation is confusing – therefore the following creed must apply: Better safe than sorry! But what concrete steps can companies take right now? If a company wishes to use cookies, pixels or other technologies for tracking or retargeting, it must pay attention to the following: In addition to user consent, the GDPR stipulates that consent must be informed, prior, explicit, voluntary, granular, documented and revocable in order to be valid. If the consent fails to fulfil even one of these criteria then it is invalid. As the first step, companies should check whether they use technologies on their websites which require consent. The famous “legitimate interest” with which a few companies justify their trade only applies in the most specific of cases such as, for example, with shopping basket cookies in the online shop to guarantee a seamless payment process. Should web technologies such as Google Analytics or Facebook tracking tools be found in the list, it is absolutely essential to obtain user consent. This can be obtained legally with so-called Consent Management Platforms (CMP) and be securely documented in the event of an audit by the national data protection authority. 

1. Check whether your website triggers third-party requests without the user providing consent. It is important to know here that the GDPR does not just apply to cookies but rather all queries which leave your website (so-called HTTP requests). These can originate, for example, via embedded elements such as Google Maps or social media buttons. 
2. Check the right to choose in your consent banner. Does your banner have an Accept and a Reject button? The law only assumes that a right to choose exists when providing consent is just as easy as declining consent. 
3. Check the granularity. Can the user click on details, read up on every individual technology and decide granularly? Important: There is no such thing as general consent in an entire category such as tracking. An important component of valid consent is granularity.
4. Do you know your opt-in rate? A low opt-in rate automatically leads to low performance marketing results. But given all the possibilities for optimizing your banner you should never mislead your customers and force them to provide consent e.g. by concealing the opt-out option.
5. Do not, under any circumstances, overlook the apps because the provisions of the GDPR also apply to apps. Apps are often built into so-called SDKs which harvest data and profile users.

That all-powerful industry giants have been affected behind their “walled gardens” sends a strong message. And regardless – it was only a matter of time before the data protection authorities got serious. Especially given that events in France provide an idea of what is to come in Germany as here there is also a new data protection law on the agenda. The so-called Telecommunications Telemedia Data Protection Law (TTDSG) is announced for December 21, 2020. This shall finally provide clarity in Germany’s confusing legal landscape by replacing the data-protection provisions previously valid at the national level in the Telemedia Law (TMG) und the provisions regarding data protection and telecommunications secrecy of the Telecommunication Law (TKG) and merging them into the TTDSG. Furthermore, the law provides a new rule for the use of cookies and comparable technologies with which the provisions of the ePrivacy Directive will ultimately be unambiguously incorporated into German law. The TTDSG is therefore a reaction to two precedent-setting court rulings: the ECJ ruling from October 1, 2019 in the matter of Planet49 and the FCJ ruling from May 28, 2020, the so-called Cookie II ruling. 

Legal developments aside, voices in the market are getting louder, calling for the death of cookies. These developments do not in any way render technical upgrades obsolete. It is certainly true that a trend in 2021 is moving away from third-party data to first-party data; that is data harvested by the company itself which is not subsequently passed on to third parties. But also in this case cookies or similar technologies are placed directly onto the website and therefore require the specific consent of the user. The motto “Better safe than sorry.” therefore applies here also.

Compliance & Marketing in Harmony

Munich technology company Usercentrics is a market leader in the field of Consent Management Platforms (CMP). The SaaS solution from Usercentrics enables companies to gather, manage and document consent provided by users on all digital channels such as websites or apps – and achieve high opt-in rates in the process. This guarantees compliance with current and future international data protection guidelines such as GDPR, ePrivacy Regulation and CCPA and enables it to be integrated into the marketing and data strategy. Since its founding in 2017, the company has grown strongly and now has over 300 enterprise customers including Commerzbank, Fitness First and Telefonica. Further information can be found at usercentrics.com.