What is a cookie, and what is the problem?
On its website, the CNIL explains that cookies are computer files stored by a server on the Internet user's computer, which are used to collect data on the user's browsing habits. While some are essential for the customer experience, such as memorising the contents of a shopping basket or display preferences, others are the subject of controversy. They include all the cookies used to collect information on the tastes and interests of Internet users. These are the very cookies that enable brands to target them with personalised advertising.
For several years now, consumers have been paying close attention to the use of their personal data. The General Data Protection Regulation (GDPR) was validated by the European Union in 2016, and applied in 2018, under the supervision of the CNIL in France.
The "Internet watchdog" has therefore established rules and published guidelines to regulate the use of user data, particularly with regards to the omnipresent advertising cookies found on the web. Although its rules are sometimes difficult to follow, with often far-reaching recommendations regarding data regulation, a number of points have been clarified since 1 October.
What are the latest CNIL guidelines?
The use of cookies is not entirely called into question by the CNIL, which intends to keep allowing brands and sites to earn money from Internet advertising. It is rather a question of bringing more transparency to their operation in order to obtain "conscious" consent from the user.
In its guidelines published on 1 October, the CNIL outlines two fundamental rules. First of all, for an Internet user to choose to accept or refuse cookies on a site, the latter must inform him or her "in a clear and concise manner" about the use of these cookies: personalised or geo-localised advertising, personalisation of content, sharing of information with social networks... everything must be mentioned. Moreover, the option chosen by the Internet user must be easy to understand, whatever the choice. The CNIL considers that cookie banners with a single "Accept cookies" button are non-compliant, as they may influence the user's choice. Implicit acceptance is also refused. Companies concerned must comply before March 2021.
The consequences
Already shaken by Google's announcement that it would remove third-party cookies from its Chrome browser in early 2020, adtech players must now adapt in order to integrate the latest recommendations from the CNIL.
For some time now, we have seen certain data brokers, whose model was entirely based on cookies, present their technology as a means of pooling their customers' data. The question of collecting and exploiting data is no longer on the table. But while these big names in adtech are urgently pivoting their activities through diversification, other players in the market are vying for ingenuity in finding new ways to retrieve consumer information without breaking the RGPD framework.
In the lead, Google is working on its Privacy Sandbox project, a suite of open APIs set up by the Chrome browser to replace cookies. The latest addition is the FLOC method, which stands for Federated Learning of Cohorts. These cohorts, or audience segments, established according to the browsing habits of Internet users by the browsers themselves, allow advertisers to continue to target users according to their centres of interest, without needing to know their personal browsing habits. Each segment is made up of hundreds or even thousands of people, which makes it possible to circumvent the RGPD regulations by moving from "one-to-one" targeting to "one-to-few" targeting.
Other solutions or ideas are emerging regularly, such as at IBM, which announced in early October the implementation of a series of tools powered by artificial intelligence as an alternative to third-party cookies. Audience prediction, popularity prediction of certain content, analysis of geographical and meteorological data... the American firm is pulling out all the stops to offer its clients and partners new ways of targeting a qualified audience without cookies.
Another option put forward by Pierre-Emmanuel Cros, managing partner at IPG Mediabrands and president of the Mobile Marketing Association in France: the use of Apple and Google advertising IDs. In an interview conducted by MindMedia, Pierre-Emmanuel Cros underlines that the alternative to cookies has existed since the beginning of these platforms, and were even used in the early days of mobile advertising, well before the arrival of third-party cookies. At the time, technical identifiers such as UDID (hardware identifier of the smartphone) were used to identify Internet users on mobiles. Apple and Google subsequently developed their own internal tracking identifiers. According to Pierre-Emmanuel Cros, "nearly a quarter of inventories use the advertising ID, not the cookie, to identify Internet users".
The end of third-party cookies does not mean the end of ad targeting, and the post-cookie world leaves room for all possible innovations for continuing to reach users via advertising, without using their personal data.
At DeepReach, we believe in local digital marketing that respects the privacy of consumers.
