Cookie Consent Regulatory Updates: How to Maintain Compliance

2. Speakers 2 Ralph T O'Brien CIPM, CIPT, CIPP/E, BSi LA, CISMP (Dis), FIP Principal Consultant, Europe TrustArc Matt Ferrell Sr. Product Manager TrustArc

3. Agenda 3 ● Recent EEA rulings and legal commentary (CJEU ruling, German Court, EDPB, Belgian DPA, Ireland DPA, and CNIL) ● Upcoming regulatory requirements (CCPA, ePrivacy regulation) ● Industry framework updates (IAB EU and CCPA)

5. ePrivacy is a directive not a regulation… …Therefore although most member state have adopted a law in the spirit of the ePrivacy directive, definitions, laws, guidance and enforcement differ from country to country across the EEA… …A new ePrivacy regulation has been proposed to arrive in conjunction with the 2016 GDPR, but has stalled through multiple EU presidencies. Wide scale non-compliance, and little enforcement. The trouble with cookies…

6. A number of judgements… ● Summary and legal context ● Planet49 use case judgement ● CJEU holding ○ Opt-in versus opt-out ○ Specific consent ○ Consent for non-personal data cookies ● Telemedia Act interpretation Website operators should… ● Disclose information about all cookie operations requiring consent, including the duration and third parties as well as their roles and functions. ● Obtain consent through an affirmative opt-in action. ● Avoid bundling consent. Users should be given the ability to make granular decisions. ● Implement a zero-cookie load solution. ● Provide a method for a user to withdraw consent at anytime. ● Keep a record of consent for accountability purposes. 6 Bundesgerichtshof & Court of Justice of the European Union

7. In Practice

8. ● May 4, 2020 EDPB adoption of consent guidelines ● Elements of valid consent ● Differences from Article 29 Working Party consent guidelines (April 2018) ○ Cookie walls ○ Implied consent from ambiguous actions (are not consent) ● Key takeaways and recommendations Key takeaways and recommendations ● Tear down that (cookie) wall! ● Consent manager cannot deem scrolling, swiping, or continued browsing of a webpage or use of a mobile app to constitute consent. European Data Protection Board (EDPB)

9. In Practice ‘GDPR experience’ for EEA CCPA Banner 9 Mobile Apps

10. July 2019 ● Disclose all third-party recipients before obtaining consent. ● Provide granular consent for each purpose of processing. ● Provide an easy way to withdraw consent. ● Limit cookie lifespan to 13 months for analytics cookies and other cookies to 25 months. ● Keep a record of consent. January 2020, CNIL draft consent recs. 1. Use simple consent UI, including a UI to decline cookies. 2. Use a neutral design. No nudging users to consent. 3. Record; (1) individual user consent, and (2) proof that consent mechanism is valid. 4. Transparency; a. Level One: purposes of the cookies, complete list of companies using the cookies and their roles, and a mechanism to enable the user to opt in or decline the use of non-essential cookies. b. Level Two: Describe the scope of the consent given, including whether the consent covers other websites. CNIL - French Data Protection Authority French Council of State held in June 2020 that CNIL cannot ban cookie walls altogether, but that doesn’t make cookie walls legal for data subjects in France.

11. In Practice √ X

12. April 2020 cookie sweep, enforcement Oct… ● Analytics cookies require prior consent. ● Zero cookie load. ● Consent via a cookie banner or pop-up is acceptable, if... ○ Notice given for specific purposes of non- required cookies and allows for rejecting non-required cookies, ○ No "nudging" a user into accepting cookies. ○ Checkboxes or toggles clearly marked as ON or OFF. ● Users must be able to change their cookie preferences at any time. ● A cookie used to store user's consent should have a lifespan of 6 months. ● No implied consent. No pre-checked boxes and or sliders set to ‘on’. ● A cookie consent banner must not obscure the text of the privacy or cookie notice. Users must always be able to read the cookies and privacy notices without any cookies being set (except for essential cookies). ● Accessibility must be taken into account in designing interfaces to accommodate people with vision impairments or color blindness. DPC - Irish Data Protection Authority

13. 13 5 October Deadline

14. In Practice 14

15. Belgian Data Protection Authority (the "DPA") cookie guidance, Apr 2020 Cookie Lifespan ● No unlimited lifespan. ● Delete essential cookies once their purpose has been achieved. Consent ● Obtain consent for all non-essential cookies (including analytics and social media plugins). ● Obtain consent prior to use of cookies. ● Offer granular consent options. ● Keep a record of consent. ● Consent should be as easy to withdraw as it is to give. ● “Cookie walls” are not permitted. ● Consent must be from unambiguous affirmative action. Belgian Data Protection Authority

16. Transparency ● Give all relevant information prior to obtaining consent, including... ○ The entity responsible for the use of cookies, ○ The cookies’ purposes, ○ The data collected through cookies, and ○ The cookie lifespan. ● Must give notice of users’ rights, including the right to withdraw consent. ● Have a cookie notice which discloses... ○ The types of cookies used ○ Cookie purposes and lifespan ○ Whether third-parties have access to such cookies ○ Information about how to delete cookies; ○ The legal basis for the use of cookies ○ Individuals’ rights and the ability to make a complaint to the supervisory authority; and ○ Information about any automated decision making, including profiling. Belgian Data Protection Authority

17. In Practice Stand-alone Embedded 17

19. ● Are the CCPA Regulations final yet? ● When will the CCPA Regulations be enforced? (Oct. 1, 2020… probably) ○ https://oal.ca.gov/july-1-effective_date/ ○ https://oal.ca.gov/october-1-effective_date/ Key takeaways and recommendations ● Interpret browser privacy settings as a valid request to opt out of the sale of personal information ● For users opting in after having opted out, a second confirming step is required. This means that a user must clearly request to opt-in and then, in a separate step, confirm their choice to opt in. CCPA

20. In Practice DNT is back! Are you sure? 20

22. IAB EU/CCPA IAB EU IAB CCPA

24. Deliver a branded experience Customize the full consent experience from design to delivery, all tailored to your brand Take control of GDPR, CCPA, and beyond Demonstrate compliance Receive a detailed report that provides an audit trail on the consent behaviour of your users Meet global regulations Configure the consent experience to display the applicable consent banner based on user's location Understand website’s tracking behaviour Automatically detect and categorize tracker changes through scheduled website scans, reflecting updates in your Cookie Policy With 7 years of proven success, our industry-leading Cookie Consent Manager provides a configurable solution that enables organizations to meet cookie compliance requirements across the globe while delivering a branded consent experience. 24

25. Deliver a customized consent experience Meet global consumer consent requirements and display the applicable consent banner based on user’s geolocation. Configure the consent approach Customize the full consent experience, from design to delivery, all tailored to your brand Deploy with ease Add a simple JavaScript tag to the website for quick deployment Integrated solution Integrate with your tag management system and meet different consent use cases, including “zero- cookie load” Multi-Language Support Detect browser language preference and support any languages including 45 default languages 25

27. Upcoming Webinars 27 Past Webinars Building Consumer Trust through Data Subject Rights / DSAR Management October 14, 2020 @ 9:00 PST The Brazilian LGPD is Here: What You Need to Know Free Download How to Leverage Your GDPR Compliance for CCPA, Privacy Shield & More New Requirements Free Download

28. © 2019 TrustArc Inc Proprietary and Confidential Information Thank You! See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.