Advertisers' cookieless checklist: what to ask vendors

Due to the nature of certain cookieless technology, there is a risk that insights from campaign analytics and tracking will become less specific.

As such, when adopting a cookieless approach to online advertising and tracking, it will be key to consider the following when understanding and assessing risk:

• Undertake your usual data due diligence on the provider
• Consider the provider’s role as controller or processor
• The type of cookieless technology being deployed (see below)
• The quality of the output (what insight are you actually getting?)
• Importantly, whether the technology is truly “cookieless” and hence falls outside the requirements of PECR as to user consent and will operate within the revised commercial environment

As part of assessing the type of cookieless technology being deployed, and the roles of the parties, you may wish to consider asking the following questions of the vendor.

Be aware of approaches that seem intended to circumvent either regulatory or commercial rules through technological “tricks”. Any benefit from these types of solutions will likely be short-lived, and they come with a significant associated risk that regulators and/or commercial entities responsible for enforcing the respective rules on cookies and the use of identifiers will view the use of these approaches as attempting to deliberately take a non-compliant approach, with associated consequences.

Questions to ask prospective vendors

1. What data does the vendor collect from users, both directly and indirectly? And how is this data collected?

2. What on-device technologies are being used by the vendor/publisher?

These questions are important as establishing responses can help to identify technologies which may be marketed as “cookieless” but that actually make use of technologies that, although not strictly third-party cookies, are subject to the same regulatory requirements for consent (by accessing and/or storing information on the user’s device), and equally will not be able to compliantly operate in the new commercial environment of ATT and Privacy Sandbox.

3. What data is exchanged between the advertiser and the vendor/publisher?

In order to establish your role with respect to any personal data exchanged between the demand-side and the relevant vendor/publisher, it is important to identify exactly what data is exchanged between the parties. This will enable an assessment to be undertaken as to the party determining the means and purposes for processing, and hence identifying the data controller(s).

4. Can the advertiser link and/or match audiences directly with vendor/publisher audiences?

5. Can the advertiser directly address single identities?

6. Will the vendor/publisher directly connect identifiers to establish a match between vendor/publisher and advertiser platforms?

All of these questions help to classify the technology based on the categories discussed above.

Remember, if a technology:

• functions by making audiences or interest groups generated by a publisher on the basis of its first-party data, without any direct access to individual identifiers, this technology likely makes use of unlinked audiences.
• functions by making use of audiences or interest groups provided by the underlying browser or operating system, generated on-device and without exposing underlying direct identifiers, this technology likely makes use of Browser/Operating-System linked audiences.
• allows direct linking of advertiser and publisher audiences, including through the use of directly connected identifiers, this technology likely makes use of linked audiences.

You can find out more about each of these technologies via IAB UK here. Understanding the answer to the questions above will help to identify and manage the compliance risk associated with the use of this technology, including understanding your role with regard to any processed data and the controller(s) of the relevant data, and your associated transparency obligations that you may need to reflect within your privacy policy or similar.

7. If so, which identifiers and under which framework (UID2, User-enabled ID tokens etc.)?

Understanding whether an industry-standard framework is being deployed by the relevant cookieless solution is important as it can inform your risk view. You may wish to consider undertaking general assessments of the key identifier frameworks (such as UID2) – subsequent reviews of technologies under those frameworks can then cross-reference to the general risk positions previously identified.

8. What lawful basis (consent or legitimate interests) is the vendor/publisher relying on for processing personal data? If consent, who is responsible for obtaining this consent?

This is important to establish, as it can impact the obligations of each party with regard to their compliance obligations, in particular when considering the responsibilities of each party with regard to establishing lawful basis for processing.