Simplify for Success - Conversation with Odia Kagan
Odia is a Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild.
She spoke about cookie banners and ways to operationalize them to provide control and choice to the users. She also discussed the importance of disclosures and how they should be more explicit and transparent.
Listen to it here:
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid-paced work environment. We've invited a few colleagues in the data and information governance (IG) space to share their strategies and approaches for simplification.
Today, we will be talking with Odia Kagan, Odia is a partner and chair of the GDPR Compliance and International Privacy at Foxtrot Child.
Over the past few years, Odia has assisted more than 80 companies, from US-based multinationals to startups on their path to compliance with EU GDPR. Odia is certified as a fellow information privacy FIP by the International Association of Privacy Professionals (IAPP), a designation signifying comprehensive knowledge of privacy and data protection laws, she is also certified by IAPP as a Certified Information Privacy Manager and certified information privacy professional in the laws of the United States, privacy sector (CIPP/US), the laws of the European Union (CIPP/E) and by the PEBC as a certified data protection officer (CDPO).
Odia is an adjunct professor at Drexel University, Client School of Law. As part of its JD and Master of Legal Studies programs where she teaches upper-level courses on cyber security and privacy regulation, she speaks regularly on topics of privacy, information security at a variety of industry and professional events. Welcome to the podcast, Odia.
Thank you very much, nice to be here.
Today we'll be talking about cookies and consent. There is a lot that is happening in this space. Almost every company now has implemented a cookie consent tab in their browser to address the privacy issues. Do you think it's working?
Depends on what “working” means. Do you mean companies that are trying to comply or tearing their hair out trying to figure out what that looks like, then yes? And it's working. I think that it's a complicated issue because what's happening is, I think, number one, companies, especially on the US side, are becoming more aware that cookies are a thing and cookies are a thing that gets enforced. And while that may have been kind of a gray area that was unexpected. It's no longer that because the California Attorney General issued a report of enforcement after one year of the California Consumer Privacy Act (CCPA), having gone into effect. And in that report, they outlined a number of enforcements that are centering around cookie compliance, specifically in the context of cookies potentially being a sale, targeted advertising cookies, maybe even analytics cookies being a sale. So, on the US side, there is cookie enforcement under CCPA, the Children’s Online Privacy Protection Act (COPPA) with serious fines issued, and then on the EU side.
So, cookies have been a thing for a long time, right?
So even from a consumer perspective, even when I'm in the US or when I travel to Europe, one thing that I notice is that I'm bombarded with a lot of options to choose from. If I have a denial, maybe I understand and I'm able to click that and say OK don't track my cookies. But for the most part, I end up accepting because, for a person who deals with privacy, it's overwhelming, so it doesn't work well from a consumer perspective as well, right?
I think that this issue of the banners and the so-called consent fatigue is a real issue. The ICO in England, both the outgoing Commissioner Elizabeth Denham and the incoming Commissioner John Edwards, said that even they click “I agree” because it's just frustrating and sometimes you don't know what you're doing and, sometimes, it takes time and the options aren't clear. I think that there are a number of issues here. Number one is a banner or a cookie management platform with preferences-is this the best solution? If it is the best solution, there is a question of how do you operationalize this banner in a way that actually works for human beings, and what do I need? I mean that the point of the banners is to provide individuals with control or with choice. Because the idea is in Europe, right under privacy, you need to get real consent. Real consent now, meaning the consent guebre style, meaning informed and ambiguous and freely given. So you need and on even kind of privacy principles and on the US side, control or choice, right? It could be an opt-out, but you need to still understand what it is that you're opting out of or what it is that you're not opting out of.
And the question is in the current formulations of these platforms or banners, do we get to that result? So one thing that Camille in France and Noyb, the nonprofit organization is Camille is enforcing and Noyb has issued a number of complaints about this to encourage enforcement is the ability, for example, to reject all in the first layer. The Noyb enforcement has a helpful infographic of like eight things that they are looking for in the cookie consents. And some of them have to do with the description of the third party sharing or the absence or presence of dark patterns in the consent process. So the question is if you when you have this interface- Is it by design or by accident causing you to click “I accept to agree on all” and what is the way to actually resolve that problem? If either by making the banners better or by finding something that isn't kind of banner or cookie sender specific?
So you mentioned the UK Data protection chief talking about, cookies, right? So she recently issued a statement that she is in favor of a browser or a device-level setting to allow Internet users to set lasting cookies because the barrage of consent popups continue to infect websites, and it's just impossible to, even if it's very clear, it's impossible to sort of manage that. Do you think it's a new direction or have you gone down that path in the past? Has it worked well in the past or do you think that is, even if you don't think about the past, the future might be different? Do you think that's a good suggestion to come up with device-level or browser-level settings as opposed to cookie banners for each website?
So I have a bunch of thoughts about this. I think the first thing is the concept and the one big takeaway that I have from the banner initiative and from the UK’s Digital Culture, Media Sports Ministry, the Data Unlimited Initiative, I think the main and the most helpful takeaway is that it is a good idea to take a fresh look at things. It is a good idea to think about them. It is a good idea to think outside the box and to consult with individuals and stakeholders and understand what the concerns are and what the pain points are. So I think that is a good idea, thinking outside the box. I think the idea of a device or browser-based consent is not a new one DNT is one type of such solution that was advanced and, I think, other tech solutions like the TCF protocol that is already implemented and a lot of work was done on it is also there. So the second, so I don't think it's a new idea traction-wise is interesting because DNT obviously did not take off. There is a new product, there is a new technology opt-out the global privacy controls which have recently been endorsed by the California Attorney General in the CCPA FAQs as a way to comply with the CCPA opt-out, so this trend of looking at browser and device-based opt-outs or consent is a trend that we're seeing in a number of directions.
I think the issue is kind of multifold. Number one, I think to your point, collaboration and general access sense is a really important component in making this work, because when so, for example, the global privacy control is not recognized by all browsers, for example. So you have this solution but not everybody is on board with it, so that's an issue. And so in order for this to work, you need collaboration across technology and in the industry. Then the other question is so and this is sort of an open question. For example, under CCPA right, the opt-out that you are supposed to give is an opt-out of a sale.
Generally speaking, so an opt-out of the sharing and so is a browser-based solution for a specific browser for sharing by a website or something on a browser. That is limited to that browser is that the best way to comply with it, and if not, right, what other ways are there to do it?
Talked about this, but one of the things is to come up with this technology, standard organizations, or some way to have a coordinated approach across all the countries because you probably have billions of websites that we're talking about. Do you think that it's even possible to have a coordinated approach to handling cookies? What are some of the bigger challenges it is it just browsers not accepting it, or is there more to it? You talked about conflicting rules for example so.
The conflicting rules of them are, for example, about how to obtain the consent and should there be a “reject all” in the front layer, etc. I think that the issue is that's creating the problem is even deeper than that. The cookie banners or the cookie management platforms are supposed to be a vehicle, so in order to carry out number one transparency, which you have the disclosure requirement under the California law under the US laws, and you have the opt-out requirement. In Europe, it's disclosure plus consent.
And the question is when you look at the definition of consent and the implementation of consent, which we've seen, for example, and then the Norwegian DPA’s decision on Grinder and similar decisions, right? Consent entails and one of the important components of it, we've also seen it in Kinneil enforcements, etc., is consent includes third party sharing in the context of cookies, in the context of online and ad tech and real-time bidding involves sharing with a lot of third parties, right? ? I mean, I've called it like the angiogram of data sharing because when you have an angiogram and with the dye injected right, you see it going into all the veins and the sub veins and the sub veins and like going into a gazillion tributaries, and that's what it looks like, and so now the question is, how does this work with the sharing?
As the publisher, are you able to know where the data is going at the time you are disclosing it? If you do know or are able to figure this out, is it helpful for me as an individual to know these 1400 companies? Am I able to differentiate between them? I mean the consent needs to be meaningful and so the individuals need to know what's going on. Is the disclosure of the specific names and like where GDPR requires, is that helpful to me to make my decision.
Is it not helpful to me? Is there a better way to gauge the consumer intent, right? One thing that I saw that doesn't pertain to cookies, but there was a study that was done in the USA that was done trying to gauge people’s perceptions with respect to data sharing and according to that particular survey, people were not that concerned with sharing when the purpose of the sharing was, for example, research or the public benefit or something like that, and they were concerned for use for commercial gain.
Are people concerned at all or more concerned when you have analytics or audience measurement or even targeting for first-party optimization like I am taking on the information or to make decisions about myself? Or, is it limited to third-party sharing for other parties' purposes, and are people concerned with all sharing for all parties' purposes, or are there specific issues that need to be addressed, which are more problematic? Definitely like geo-locations, sensitive information, using information for things that have an impact on the individual we're talking all the things that we're talking, We're reading about profiling, automated decision-making, the case with the Monsignor that was outed through precise geolocation, like those types of things. These are the things that definitely people are concerned about and the question is what is the best way to make that happen. Then so that people actually consent or don't consent to the things that matter to them rather than clicking accept all or reject all. I mean maybe reject, accept, maybe reject all is safer but is that what people really want? And then when you do the reject all, what happens with bot models that include cookies as a way to not charge for the service, so I think that's the complexity. The complexity is not whether or not I can click or not click. The question is whether or not these banners and things-what is the way to operationalize the true consent of the individuals?
I was reading a study about and I was actually surprised by this information, which is someone of the websites actually published a study where they felt like consumers were more willing to give email than a physical address. Maybe because the assumption was that because with the email you could at least have some options to auto-delete or move the data to, junk folder, but somehow they felt that the physical address was more sensitive. So, that was surprising because I would have thought that physical address is something you can go to a directory and find. But I do want to ask you, and this is maybe a complex question, so I'm going to talk about a little bit, is it partly the company understanding of what is being shared.
You talked about these various tributaries of data like where once it starts. Here it goes, and it keeps going and most of the time the understanding of how much the data travels is limited, especially beyond the immediate party to which you share data. So that's why one or the complexity of even understanding what is confidential. Because yes, we understand that the Social Security number is confidential but do we understand sensitivities around individual data points? Like, for example, I mentioned name versus address. The third is also maybe I know everything about how the data is traveling, but how do I communicate that in a concise and easy manner? Something that is so complex for even me to understand for the purposes of providing consent. So I kind of want to take this in the context of the recent fine issued by the Irish data protection authorities on WhatsApp, where one of the statements they kind of talk about is they had failed to provide clear, transparent sufficient information concerning its processing activities.
But what is clear, transparent, and sufficient, because I want to focus on those three as opposed to just define or what WhatsApp did but what are your thoughts around how to make it clear, transparent, and sufficient from a consent perspective?
So I think it's a very difficult question and I think that it would be helpful to, number one, get more guidance but two, the guidance that we have and we have guidance, for example, and that's one so a couple of things, right? We have guidance on what it means in the cookie context, right from a number of days, right? We have the Kinneil updated guidance that they are actually now have notified that they are enforcing. They also had an enforcement project where they sent letters of non-compliance. So like 40 companies and then like 30 they said 80% came into compliance and then four needed a time extension and four didn't want to do it. But so we have guidance, right? Some guidance on how it works, more guidance is always, helpful. The question is, the guidance says That you need to identify the third parties with whom you are sharing. So in that situation, you said what is information.
How do you reconcile the information with respect to 500 companies that you're sharing with the overall principle of transparency? Which is to provide the disclosure in a way that is helpful to the consumer because the WhatsApp thing also said this needs to be what is going on and they were not talking about cookie sharing there, but one of the things they said about transparency was you can't have 50 documents and you can't have five different places. And having like chutes and ladders until you get to the conclusion you need to make it understood to the consumer what is actually going on with the data. And now the question is, as with respect to the data sharing, when you specify 500 companies and you're like, well, this is an analytics company and this is an analyst company and this is targeting and this is audience measurement.
Is anybody going to read 500 companies? #2 is anybody going to really understand the granularity #3 out of the 500? Maybe like 50 doing they are doing. The same thing so the question is, what is the best in this sort of granular description of each company. I'm getting you, what it is that you want in the is this in the old language. Remember the data protection directive that said, add such other things like Article 12 had this thing and such other things which are helpful to the consumer to understand, right? So is this way that gets the consumer to understand #1 and then #2 those that are. You've probably seen there's a huge buzz around this right now on surveillance advertising. So, there are those on the flip side that says why are we even tackling the best way to prepare or the sharing that's going on this sharing itself is a problem, maybe in the way that it's done, et cetera, right? That's the other end of both ends of this equation are number one. Should all of the data be collected? Should all of the sharing happen, or should there be limitations on the sharing? And how do you do that? How do you limit the sharing #1 and then #2 after you're left with whatever sharing you’re left with, is detailing all of the names and having people scroll? Scroll down through vendors, right? The best way to do it or is there a better way to do it?
No, I agree, yeah I focus on this clear, transparent, and sufficient right, because in the context of cookies, what we do find most of the time is this list of 500 vendors and a lot of information in a lot of detail, but at some point, you still don't understand what exactly is happening or how to choose your choices, how to make your choices and reduce the sharing of your information.
So, let's talk a little bit about Google, right? They have obviously announced that they are going to stop third-party cookies or sharing data with third parties and they are suggesting other ways to replace cookies. Do you have any thoughts on some of the new proposals that have been, that are being experimented with in terms of a new way of sharing information without invading privacy?
So let me talk about that generally, without addressing specific initiatives of specific companies. I think there is a couple of things that I want to mention about this. Number one in the wake of the so-called cookie deprecation by Google, everybody is talking about the move to first-party data. A couple of things about that number one is that is it going to be more helpful to companies or are people going to be happier to part with that data than something else. Number two, when you're talking about first-party data, you're not really solving the problem. That's not like the end of the discussion because first-party data is data too. And if you're collecting it via cookies, then you have the same e-Privacy considerations. And then if you are, collecting emails, you still have for both of them. The same considerations you need a GDPR legal basis you need a legal basis for sharing you.
Need to do.
Data minimization you need like all of those things, right? So first of all. First-party data is one thing that's being considered first-party data number one. All of the issues are left there. Number two, a lot of smaller companies are going to have a harder time relying on first-party data because it's more difficult and more expensive to do. A lot of companies don't have a first-party relationship with people anyway, and so they can't get access to first-party data, and then the next thing is that because of the issue with smaller companies to leverage these solutions there are discussions about sharing data, right? Uniform, ID sharing data, et cetera. And so here again, one really important point to note that when the sharing data is again subject to GDPR #2, there are these new solutions right like clean rooms and things like that that enable you to share data in ways that kind of minimize transfer, minimize iteration sometimes to use as pseudonymized information, etc. and those and tech solutions that reduce risk are a good thing, but they are not the Holy Grail because even when you share information in that way or you give access to information, giving access to information is sharing information too, and all of the issues with disclosure and legal basis and maybe consent, etc they remain and they still need to be, and they still need to be operationalized.
So, we talked a lot about GDPR, CCPA, especially cookies enforcement in the US through CCPA as well as through COPA. But if I'm in a company operating in the US and I don't have operations in Europe, do these decisions that are being made in Europe about cookies matter to me? Should I pay attention to it? If so, why, and if not, why?
I think that this is number one if you're a US-based company with no EU presence etc. right like one supposedly query whether privacy applies to you on the one hand. On the other hand, there are statements by the EDPB that talk about the fact that using cookies and trackers and things that could be monitoring or tracking the behavior of individuals. So, the question is if you don't have an EU presence, I don't think that's the gating item, the gating item is do you have an EU user ship, are you deploying cookies in the EU on purpose? In order to do something, in which case it may matter for you. If you aren't and you are completely US-based and you are not targeting the EU in any way, I still think that either you or your data protection counsel should pay attention. Because and this is something that's really been helpful to me in my practice is, I think the US system, the US laws are newer, especially in this context of the cookies. So, cookie enforcement is new. The other laws are not yet enforced because they're not yet in effect. And I think that anything that we can learn from the EU, like the problems, the issues, the issues with the consent, browser, consent-based, the issues with transparency, the issues with the opt ins. I think we can like learn and re-purpose them because a lot of the issues are common.
Figuring out how to disclose the cookies sharing two individuals in the way that is most effective for them. That's an obligation under the US because it may not be that the US regulators are going to interpret it in the same way as WhatsApp or Kinneil, right? But it's going to give you some idea as to what the issue is as well as to what may work and what may not Work. The opt-out there and the issue for example of dark patterns and dark patterns in connection with cookie banners, dark patterns in connection with the options or the opt-outs, that's actually been flagged specifically by the California Attorney General in the final statement of reasons and in the last iteration of the CCPA regulations talking about the prohibition of using dark patterns as part of the opt-out process of sale right, including the opt-out process of cookies. And so this thing if we get insight into dark patterns from similar instances in Europe, I think that would be helpful to us.
In the US, to understand it, by the way, but vice versa, right? The Federal Trade Commission had held a whole workshop on dark patterns and is probably going to issue some report on it and that obviously could be helpful for Europe in figuring out dark patterns and how to not how to make sure that you don't deploy them.
Any other closing thoughts?
I think my closing thought is I think that the first thing is that number one, cookie consent and cookie disclosure and cookie solutions are complex and it's something that should be on everybody’s radar including companies in the US. #2 I think it's like there is a famous Buddhist nun Pema Chodron, who has a statement about self-development that says “Start where you are”, and I think it applies here, right? Start where you are and improve right? If you don't have a good disclosure, then if you don't know what cookies you have, then figure that out or figure out most of it and then keep figuring it out. If you don't have a good disclosure, then get a better disclosure. Think about whether your disclosure applies to if regular people read it, will they understand? Look at your opt-out or opt-in interfaces and think about are these helpful for people. It’s trying to get a solution and prevent people from opting out. Or cause people to opt-in a way rather than presenting the options in a way that is objective, right? Like trying to do the best that you can and with the consumer with the transparency and consumer control individual control as principles and then right once you get there and you're ready for a paper of cookie compliance. Then yeah, if you have a presence in a number of European states, then you want to look at the different guidances and figure out which way you can weave yourself into them. So I think I think maybe if you may want to have one takeaway that is complicated like the Facebook relationship status and start where you are like the Buddhist saying.
Thank you so much. Great information. I appreciate you participating in the podcast.
Thank you very much, it was great to speak with you.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*