Staying up to date with the latest global cookie policy requirements can be difficult. Following the GDPR, there have been many recent rulings, legal commentary, and industry framework updates that have modified requirements – requiring organizations to stay hyper-vigilant in order to maintain cookie compliance. As the upcoming Irish Data Protection Commission (the "DPC") October 2020 enforcement date approaches, organizations are scrambling to understand the consent mechanism updates and how to be able to stay agile enough to quickly implement future regulatory changes. Join us as we walk through recent cookie policy updates and provide guidance on how to utilize TrustArc Cookie Consent Manager to help you meet the new regulatory requirements. This webinar will review: -Recent rulings and legal commentary (CJEU ruling, German Court, EDPB, Belgian DPA, Ireland DPA, and CNIL) -Industry framework updates (IAB EU and CCPA) -Upcoming regulatory requirements (CCPA, ePrivacy regulation)

1. © 2020 TrustArc Inc. Proprietary and Confidential Information.
Cookie Consent Regulatory Updates:
How to Maintain Compliance
“A bite at a time…”
September 30, 2020
1

2. Speakers
2
Ralph T O'Brien
CIPM, CIPT, CIPP/E, BSi LA,
CISMP (Dis), FIP
Principal Consultant, Europe
TrustArc
Matt Ferrell
Sr. Product Manager
TrustArc

3. Agenda
3
● Recent EEA rulings and legal commentary
(CJEU ruling, German Court, EDPB, Belgian DPA, Ireland DPA, and CNIL)
● Upcoming regulatory requirements
(CCPA, ePrivacy regulation)
● Industry framework updates
(IAB EU and CCPA)

4. © 2019 TrustArc Inc Proprietary and Confidential Information
EEA:
Recent rulings and legal commentary

5. ePrivacy is a directive not a regulation…
…Therefore although most member state have
adopted a law in the spirit of the ePrivacy
directive, definitions, laws, guidance and
enforcement differ from country to country across
the EEA…
…A new ePrivacy regulation has been proposed
to arrive in conjunction with the 2016 GDPR, but
has stalled through multiple EU presidencies.
Wide scale non-compliance, and little
enforcement.
The trouble with cookies…

6. A number of judgements…
● Summary and legal context
● Planet49 use case judgement
● CJEU holding
○ Opt-in versus opt-out
○ Specific consent
○ Consent for non-personal data cookies
● Telemedia Act interpretation
Website operators should…
● Disclose information about all cookie operations
requiring consent, including the duration and third
parties as well as their roles and functions.
● Obtain consent through an affirmative opt-in
action.
● Avoid bundling consent. Users should be given
the ability to make granular decisions.
● Implement a zero-cookie load solution.
● Provide a method for a user to withdraw consent
at anytime.
● Keep a record of consent for accountability
purposes.
6
Bundesgerichtshof & Court of Justice of the European Union

7. In Practice

8. ● May 4, 2020 EDPB adoption of consent
guidelines
● Elements of valid consent
● Differences from Article 29 Working Party
consent guidelines (April 2018)
○ Cookie walls
○ Implied consent from ambiguous actions
(are not consent)
● Key takeaways and recommendations
Key takeaways and recommendations
● Tear down that (cookie) wall!
● Consent manager cannot deem scrolling,
swiping, or continued browsing of a
webpage or use of a mobile app to
constitute consent.
European Data Protection Board (EDPB)

9. In Practice
‘GDPR experience’ for EEA
CCPA Banner
9
Mobile Apps

10. July 2019
● Disclose all third-party recipients before
obtaining consent.
● Provide granular consent for each purpose
of processing.
● Provide an easy way to withdraw consent.
● Limit cookie lifespan to 13 months for
analytics cookies and other cookies to 25
months.
● Keep a record of consent.
January 2020, CNIL draft consent recs.
1. Use simple consent UI, including a UI to
decline cookies.
2. Use a neutral design. No nudging users to
consent.
3. Record; (1) individual user consent, and
(2) proof that consent mechanism is valid.
4. Transparency;
a. Level One: purposes of the cookies,
complete list of companies using the
cookies and their roles, and a mechanism
to enable the user to opt in or decline the
use of non-essential cookies.
b. Level Two: Describe the scope of the
consent given, including whether the
consent covers other websites.
CNIL - French Data Protection Authority
French Council of State held in June 2020 that CNIL cannot
ban cookie walls altogether, but that doesn’t make cookie
walls legal for data subjects in France.

11. In Practice
√
X

12. April 2020 cookie sweep, enforcement Oct…
● Analytics cookies require prior consent.
● Zero cookie load.
● Consent via a cookie banner or pop-up is
acceptable, if...
○ Notice given for specific purposes of non-
required cookies and allows for rejecting
non-required cookies,
○ No "nudging" a user into accepting
cookies.
○ Checkboxes or toggles clearly marked as
ON or OFF.
● Users must be able to change their cookie
preferences at any time.
● A cookie used to store user's consent
should have a lifespan of 6 months.
● No implied consent. No pre-checked
boxes and or sliders set to ‘on’.
● A cookie consent banner must not obscure
the text of the privacy or cookie notice.
Users must always be able to read the
cookies and privacy notices without any
cookies being set (except for essential
cookies).
● Accessibility must be taken into account in
designing interfaces to accommodate
people with vision impairments or color
blindness.
DPC - Irish Data Protection Authority

13. 13
5 October Deadline

14. In Practice
14

15. Belgian Data Protection Authority (the "DPA") cookie guidance, Apr 2020
Cookie Lifespan
● No unlimited lifespan.
● Delete essential cookies once their purpose has been achieved.
Consent
● Obtain consent for all non-essential cookies (including analytics and social media plugins).
● Obtain consent prior to use of cookies.
● Offer granular consent options.
● Keep a record of consent.
● Consent should be as easy to withdraw as it is to give.
● “Cookie walls” are not permitted.
● Consent must be from unambiguous affirmative action.
Belgian Data Protection Authority

16. Transparency
● Give all relevant information prior to obtaining consent, including...
○ The entity responsible for the use of cookies,
○ The cookies’ purposes,
○ The data collected through cookies, and
○ The cookie lifespan.
● Must give notice of users’ rights, including the right to withdraw consent.
● Have a cookie notice which discloses...
○ The types of cookies used
○ Cookie purposes and lifespan
○ Whether third-parties have access to such cookies
○ Information about how to delete cookies;
○ The legal basis for the use of cookies
○ Individuals’ rights and the ability to make a complaint to the
supervisory authority; and
○ Information about any automated decision making, including profiling.
Belgian Data Protection Authority

17. In Practice
Stand-alone
Embedded
17

18. © 2019 TrustArc Inc Proprietary and Confidential Information
Upcoming Regulatory Requirements

19. ● Are the CCPA Regulations final
yet?
● When will the CCPA Regulations
be enforced? (Oct. 1, 2020…
probably)
○ https://oal.ca.gov/july-1-effective_date/
○ https://oal.ca.gov/october-1-effective_date/
Key takeaways and recommendations
● Interpret browser privacy settings as a
valid request to opt out of the sale of
personal information
● For users opting in after having opted out,
a second confirming step is required. This
means that a user must clearly request to
opt-in and then, in a separate step, confirm
their choice to opt in.
CCPA

20. In Practice
DNT is back!
Are you sure?
20

21. © 2019 TrustArc Inc Proprietary and Confidential Information
Industry Framework

22. IAB EU/CCPA
IAB EU
IAB CCPA

23. © 2019 TrustArc Inc Proprietary and Confidential Information
Simplify Global Cookie Compliance

24. Deliver a branded
experience
Customize the full consent
experience from design to
delivery, all tailored to your brand
Take control of GDPR, CCPA, and beyond
Demonstrate
compliance
Receive a detailed report that
provides an audit trail on the
consent behaviour of your
users
Meet global
regulations
Configure the consent experience
to display the applicable consent
banner based on user's location
Understand
website’s tracking
behaviour
Automatically detect and
categorize tracker changes
through scheduled website
scans, reflecting updates in your
Cookie Policy
With 7 years of proven success, our industry-leading
Cookie Consent Manager provides a configurable
solution that enables organizations to meet cookie
compliance requirements across the globe while
delivering a branded consent experience.
24

25. Deliver a customized consent experience
Meet global consumer consent requirements and display the applicable consent banner based on
user’s geolocation.
Configure the
consent approach
Customize the full consent
experience, from design to
delivery, all tailored to your
brand
Deploy with ease
Add a simple JavaScript
tag to the website for quick
deployment
Integrated solution
Integrate with your tag
management system and
meet different consent use
cases, including “zero-
cookie load”
Multi-Language Support
Detect browser language
preference and support any
languages including 45
default languages
25

26. © 2019 TrustArc Inc Proprietary and Confidential Information
Q&A

27. Upcoming Webinars
27
Past Webinars
Building Consumer Trust through Data
Subject Rights / DSAR Management
October 14, 2020 @ 9:00
PST
The Brazilian LGPD is Here: What You Need
to Know
Free Download
How to Leverage Your GDPR Compliance for
CCPA, Privacy Shield & More New
Requirements
Free Download

28. © 2019 TrustArc Inc Proprietary and Confidential Information
Thank You!
See http://www.trustarc.com/insightseries for the 2020
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance,
please reach out to sales@trustarc.com for a free demo.