The long-awaited major change in the collection and use of cookies, which was supposed to ban third-party cookies in Google Chrome, is not taking place in the end. However, new obligations have already emerged in the shadow of the event, including the obligation to redesign cookie bars on websites brought about by the Digital Markets Act. What changes have taken place since 7 March 2024?
Online store operators and marketing agencies were concerned about the announced end of support of third-party cookies in Google Chrome and their replacement as a result of the Privacy Sandbox project. The major change, which was to directly affect approximately two-thirds of the market using Google Chrome, was to be implemented as early as in 2025.
However, Google recently announced that it would not ban third-party cookies, but would continue to further develop its alternative Privacy Sandbox project; specific plans have not yet been revealed.[1] However, earlier this year, another significant change took place, which required an adjustment of the online marketing setup.
On 7 March 2024, new obligations for gatekeepers under Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector, the Digital Markets Act (DMA), came into force. Under the DMA, the newly introduced term gatekeeper comprises businesses that provide the most important platform services, such as ByteDance Ltd. (TikTok), Microsoft Corporation (LinkedIn) or Apple Inc. (App Store).[2] The DMA aims to ensure a more contestable and open digital market.
The new obligations have a direct impact on selected services of gatekeepers but often also on the platform users. Have you noticed this change? Let us introduce its key points.
Under the DMA, gatekeepers are required not to combine or link datasets across their services without explicit consent of the users concerned. This means that, for example, services such as Messenger and Facebook provided by Meta Platforms, Inc. must first receive your consent before linking these services.
If such consent is not obtained, after 7 March, each service must create its own, separate user profile for that service only. Consent with linking of services is granted only for a certain period of time, usually one year. This principle of primary non-linking of services also applies to Alphabet Inc. (the owner of Google) and its Google Ads service. Furthermore, it can no longer use user data obtained from other Google services such as Google Analytics, Google Shopping or Google Play without the user’s consent.
In addition, Google must be able to prove that the relevant users have given their consent, and therefore requires proof from the operators or owners of websites that use Google Ads. To this end, Google has introduced a new feature called Consent Mode v2, which is explained in more detail in the following section.
Therefore, if you still want to continue to use cookie data for remarketing in your online store or refine your data through enhanced conversions in Google Ads, you must share the data by implementing Consent Mode v2.[3] Other marketing services such as Sklik from Seznam or Microsoft Advertising (formerly Bing Ads) are not affected by the new obligations.
Consent Mode v2
As opposed to the standard cookie bar, in which the user only approved or rejected the saving of various identifiers in their browser, the new DMA will expand the content of the bars. Consent Mode v2 is a tool that passes user decisions in the background to individual services operated by Google.
Two new parameters play a key role here: “ad_user_data” and “ad_personalization”. The “ad_user_data” parameter provides information on whether the website visitor has consented to the sharing of their data with Google’s advertising services, which allows the use of such non-anonymised data in advertising systems. The “ad_personalization” parameter, on the other hand, indicates whether the user has enabled ad personalisation, which is crucial for effective remarketing.
The implementation of Consent Mode v2 will result in changes to the appearance and content of the bar displayed on the website. It can no longer be called a cookie bar, as the bar now mediates user consent not only for cookies and other identifiers, but also for linking (not only) datasets within Google services.
Currently, it is therefore desirable to obtain consent in more areas than just cookies or functional, analytical and marketing identifiers, but also specifically consent to personalisation of ads and data sharing across Google services. This means that it is no longer sufficient to ask for consent to use cookies in general in the bar (although this was an incorrect solution even before). Instead, it is preferable to use more general, purpose-based wording, such as consent for “marketing” or “analytics”, and to stop using the incorrect “cookies” for good.
In case you are using bars from Google-certified providers,[4] you can assume that the necessary change has been made automatically or that you just need to carry out an update. However, it may be challenging if you rely on other providers or if you manage your own website cookie compliance.
Regardless of your provider, the implementation of Consent Mode v2 will also require the modification of the cookie policy if it is a separate document, or the personal data processing policy.
Consequences of absence of Consent Mode v2
Without the implementation of Consent Mode v2,[5] the functionality of Google Ads and other Google tools in your online store may be significantly limited. Google announced the changes in advance, namely in January earlier this year. Still, a significant number of online stores (let alone the public) may be assumed not to have noticed the news.
It should be taken into account that the absence of Consent Mode v2 may cause problems in remarketing activities and in conversion modelling, which are key components for successful advertising campaigns. Operators of websites, and especially online stores, who fail to adapt and update their bars in the near future may encounter data accuracy and quality issues, which could lead to incorrect or distorted results and significantly impair advertisers’ ability to efficiently target and evaluate their campaigns.
In addition to changing the content and appearance of the (cookie) bar, we recommend that you also modify the privacy policy. We recommend that you explicitly specify what types of data are collected when you use Google services. If you use favourite cookie tables, briefly include the new ad_user_data and ad_personalization parameters that Google works with.
The failure to comply with new information obligations on the website (i.e., making only technical adjustments without taking into account the legal aspect of the whole issue, which is often the case of many entities, in our experience), may lead to a standard fine of up to EUR 10,000,000 or 2% of the total annual turnover under Article 83 of the GDPR; in addition, supervisory authorities have recently been intensely placing these issues at the centre of their attention.
If you need help with setting up your cookie bar or privacy policy, we would be happy to assist you. Our dedicated team is able to cover the legal requirements for privacy, personal data and consumer protection regulation, as well as provide related technical support and advice on practical issues.
- [1] – A new path for Privacy Sandbox on the web. [20.8.2024]. Available at: https://privacysandbox.com/news/privacy-sandbox-update/
- [2] – Read more: https://digital-markets-act.ec.europa.eu/gatekeepers_en
- [3] – You can learn how to implement Consent Mode v2 here: https://support.google.com/google-ads/answer/10000067?hl=cs&sjid=8374916678562251346-EU
- [4] – Unlocking the full value of Consent Mode. CMP Partner Program [20.8.2024]. Available at: https://cmppartnerprogram.withgoogle.com/?sjid=12190572309268571407-EU
- [5] – To find out if you meet Consent Mode v2, use, for example, the following link: https://tagassistant.google.com/