New cookie regulations and Consent Mode v2: The Phantom Menace

The coming months will pose a great challenge for digital advertisers in Europe. The European Digital Markets Act (DMA) came into effect on March 6, 2024, forcing large digital platforms like Google or Meta to take steps to comply with the new regulations within their role as “gatekeepers.”

The DMA establishes a list of dos and don’ts that these large companies will need to implement in their daily operations with the goal of ensuring fair and open digital markets. These obligations aim to open up opportunities for all companies to compete in the markets based on the merits of their products and services, giving them more room to innovate against the big tech giants that have enjoyed a dominant position so far.

To comply with the new legislation, Google is enforcing the implementation of Consent Mode v2, an updated framework for managing user consent for online advertising within the European Economic Area (EEA) and applicable in the Google environment. The reality is that in its first weeks, the new European legislation and the implementation of Consent Mode v2 are generating a seismic event whose scope is still unpredictable, where advertisers are facing a significant loss of data whether they comply or not with the new rules of the game.

Google's Threat

From now on, if you do not send consent information through Google’s Consent Mode v2, Google will block the capture of new data from European Union users in your Google audiences. You will not be able to store new user data in your Google Analytics 4 audience lists, nor share it with Google Ads. This could have a massive impact on your ability to convert new customers.

In Google’s words:

To continue using the features of measurement, ad personalization, and remarketing, you must obtain consent for the use of personal data from end users located in the European Economic Area (EEA) and share consent signals with Google. […] If you use Analytics data with a Google service (such as Google Ads, Google Play, or Display & Video 360, among others) and take no action, only end users who are outside the EEA will be included in the audiences using your linked advertising products starting in early March 2024.Source

But there’s more, because it’s not enough for Google that you set up your own cookie banner, or that you use a consent management platform of your choice (commonly known as CMPs, for Consent Management Platforms), but you must use a CMP certified by Google… or face the consequences:

Starting January 16, 2024, if a partner does not adopt a CMP certified by Google, only limited ads will be eligible to be shown in EEA and UK traffic. Traffic from a Google-certified CMP will continue to be eligible for personalized ads.” Source

Limited ads disable the collection, sharing, and use of personal data for ad personalization. […] This means that some features are not available for limited ads [including] any ad personalization, audience targeting, Remarketing, interest-based categories […]” Source

Google Certified CMPs

The impact of the DMA coming into force at the beginning of March, and the ripple effect caused by the mandatory use of Consent Mode v2 across various Google services, has been felt among CMPs, which have started a frantic race in recent days to (1) appear on the lists of CMPs certified by Google, and (2) adapt their software and documentation to the new legal and operational framework.

The fact is that figuring out which CMPs are certified by Google as of today is quite a challenge. The Google Analytics help provides a list of 16 CMPs, among which are some of the most used, such as Cookiebot, CookieYes, Complianz, or Iubenda, with links to the web pages of these CMPs where instructions on how to implement Consent Mode v2 are given.

On the other hand, the Google CMP Partner Program provides a slightly more extensive list that includes 18 CMPs. But the most complete list can be found on the help pages of Google Ad Manager, which at the time of writing this blog entry already included 125 CMPs certified by Google. This last list is probably the most complete and reliable of all.

But having your cookie banner with a Google certified CMP does not automatically imply compliance with European legislation, nor with Google’s Consent Mode v2. The configuration of the CMP and its connection with Google is not trivial at all, neither from a technical point of view nor from a legal and operational one. If you need help configuring Consent Mode v2, you can contact us or read this other blog post where we discuss purely technical issues. In any case, if a significant portion of the traffic to your website comes from Spain, the first step is to understand what the Spanish regulations say about the use of cookies, which is what I proceed to describe below.

What the Spanish Regulations Say About the Use of Cookies

In January 2024, the Spanish Data Protection Agency (AEPD) updated the Guide on the Use of Cookies, where it specifies that the cookie acceptance banner must explicitly offer the possibility to reject cookies. This regulation came into force on January 11, 2024, leaving websites that have not yet adapted to the new legal framework vulnerable to sanctions in the event of complaints by third parties.

Banner de cookies ejemplos

Examples of “acceptable” Cookie Banner configurations, with the explicit option to reject cookies. Source: AEPD 2024.

Implementing the new regulations will (logically) lead to a substantial increase in the number of users who reject cookies, making the task of media buyers more difficult, as it will blind us in one eye. But my recommendation is to adapt to the new framework without delay if you haven’t already, as this is a prerequisite for the normal operation of Google Analytics and Google Ads to resume. Moreover, regardless of whether you use the services of any of Google’s platforms or not, any of your competitors could report you, resulting in a significant financial penalty.

The new guide from the AEPD also includes the following considerations:

  • Users must not be given the impression that they have to accept cookies in order to navigate the website.
  • Users must not be clearly pushed to accept cookies. The color or contrast of the text and buttons (or equivalent mechanisms) must not be obviously misleading to users, leading to involuntary consent. It will not be valid, for example, if the option to reject cookies is a button with text that does not contrast enough with the color of the button and, therefore, cannot be read.
  • The button or mechanism to configure cookies, that is, to manage user preferences, must take the user directly to the settings panel, without having to scroll through large amounts of text looking for the information, which should still be permanently accessible. Regarding the settings panel, the level of granularity in displaying the cookie selection should be assessed by the website’s publisher, although it is advisable to consider the following rules: Cookies should be grouped at least by their purpose, so that the user can accept cookies for one or more purposes and not for another or others (for example, the user might choose to accept analytical cookies but not behavioral advertising cookies).
  • […] Continuing to navigate is not a valid way to give consent. Similarly, the act of consulting the second layer of information, if the information is presented in layers, as well as the navigation necessary for the user to manage their preferences regarding cookies, does not constitute an active behavior from which the acceptance of cookies can be inferred.
  • […] The user, in any case, may refuse to accept cookies. The option to reject cookies must be offered at the same layer and at the same level as the option to accept them, and the mechanism used for this purpose (button or other) must be similar.
  • […] Following the guidelines of the EDPB on consent, for it to be given freely, access to services and functionalities must not be conditional on the user’s acceptance of the use of cookies. Therefore, so-called “cookie walls” that do not offer an alternative to consent, as explained below, cannot be used.
  • […] There may be certain cases where not accepting the use of cookies prevents access to the website or the total or partial use of the service, provided that the user is adequately informed about this and an alternative is offered, not necessarily free, to access the service without having to accept the use of cookies.

The new guide from the AEPD, however, has some ambiguous points, such as the one about “Users must not be clearly pushed to accept cookies.” What does “clearly” mean? Is it valid for the option to reject cookies to be a button with text that can be perfectly read but offers less contrast than the accept cookies button? We understand that it is, but we are not legal experts, and our opinion does not have legal validity. What we can say is that some companies like Amazon also interpret it this way, while other large companies like El Corte Inglés have opted for a more conservative option, making the accept and reject cookies buttons exactly the same.

Banner cookies Amazon

Amazon Spain Cookie Banner

Banner cookies Corte Inglés

El Corte Inglés Cookie Banner

The Short-Term Future

It is expected that in the short term, the AEPD will clarify the landscape regarding this and other doubts about the implementation of the new regulations. In any case, this will not be the only major change awaiting us in the near future, once the privacy of information shared online has become a priority within the European Union. Google has already announced that third-party cookies will be completely eliminated by the end of 2024. It is estimated that 1% of Google Chrome users are already testing this cookie-less approach in January 2024.

Cronograma eliminación cookies de terceros
Timeline for the Phased Elimination of Third-Party Cookies in Chrome

Although the new regulations currently only affect the EEA, it’s only a matter of time before they extend to other countries. On the other hand, the transformation in cookie management will soon be universal. This is a huge challenge but also a great opportunity for those who first adapt to the new scenario.

Do you have questions about the implementation of Consent Mode v2 and/or the management of cookies on your website? Contact us without obligation. We will be happy to help you.

MOST RECENT ARTICLES

Scroll to Top

Can We Help You?

Included by Google in the Top 3% of Spanish PPC agencies
Neotec-CDTI-logo
Subsidized by the CDTI in 2021-2023.

FÁKTICA ANALYTICS

Calle Núñez de Balboa, 35A

28001 Madrid

Spain

 

DATALYTICS

4 Portland Ct

St. Louis, MO 63108

USA

Contact: info@faktica.com
Can We Help You?

Ask Us for a No-Obligation Quote

Request a Traffic, Cost, and Potential Conversions Estimate

Ask About Our Pay-for-Performance Pricing

Get a Free Opportunities Analysis

Can We Help You?

Don’t hesitate to reach out to us