The Cookiecalypse Is Only the Beginning

The global advertising industry is facing a gigantic upheaval due to the imminent end of third-party cookies. This development is often dramatized as the "cookiecalypse", suggesting the grand finale of an era. However, if we take a look at current changes in data protection around the world, it quickly becomes clear that the cookiecalypse is only the beginning.

Even though the EU has long been considered a pioneer in data protection, a current assessment shows that countries around the world are also increasingly prioritizing the issue. In the USA, regulations are still mostly limited to individual states, but the more states follow suit, the more likely it is that nationwide regulations will be introduced. However, data protection has also long been on the agenda of legislators in other regions and markets around the world, such as India. Even if the key driver for stricter data protection is geopolitical, particularly due to concerns about election interference and the protection of national security, the laws coming into force have the potential to have a significant impact on the advertising industry. Two developments in the major Western markets demonstrate this in particular.

What browsing and location data reveals about us

Against the backdrop of several enforcement actions against three major bulk data collectors, the US Federal Trade Commission (FTC) published a statement. It makes a clear assertion: according to the FTC, both browsing and location data should be classified as sensitive data. The authority justifies this by stating that the findings that can be drawn from the data can be traced back to specific individuals and that these conclusions can be drawn with ease. Cases were cited in which users were divided into alarmingly specific and sensitive target group segments for advertisers, such as "parents of preschoolers," "Christian church goers," or "wealthy and not healthy".

For this reason, the FTC summarizes that browsing and location data can paint an intimate picture of a person's life, including their religious affiliation, health status, financial situation and sexual orientation. It is therefore clear to the authority that data that allows such conclusions to be drawn must be classified as being just as sensitive as data that states this information directly. Furthermore, the FTC writes in its statement that companies should not have a free pass to market, sell and monetize people's data if it is not used to deliver the company's desired product or service.

Consent is personal data

On our side of the Atlantic, the European Court of Justice recently ruled that the TC string, which forms the basis of the consent procedure as it is currently used, is considered personal data. This calls into question the functionality and legality of processing the TC string over many years. The ECJ justifies this decision by stating that the TC string contains the internet user's consent preferences and is therefore information that "relates to a natural person" within the meaning of Article 4(1) of the GDPR. If this information is then linked to an IP address, it can make it possible to identify the person concerned.

Back in 2019, Gartner predicted that by 2024, 75% of the world's population would have their personal data protected by data protection regulations. We are seeing this development come to fruition right now. At the same time, we are seeing that existing data protection regulations are becoming stricter and users are becoming more aware of the need to protect their data. As an industry, we must therefore assume that these trends will continue in the future. Thus, we should ask ourselves whether highly touted cookieless alternatives such as first-party data, universal IDs or even data clean rooms can really master the current data protection challenge in a sustainable and promising way or whether they are just a temporary band-aid.