Kees van den Bos, CookieFirst: “transparency is important to establish a trusted brand”

With GDPR being enforced in 2018, many email inboxes exploded with updated privacy policy notices from every company with an online presence that individuals have ever had business with.

Four years have passed since then, but many companies still struggle with obtaining valid consent for the use of cookies and other data collection purposes. And the users, in turn, get more educated and increasingly aware of their privacy rights, and demand easy-to-use and easy-to-understand cookie consent and policy interfaces.

To talk more about consent management and interface implementation and compliance, Cybernews sat down with Kees van den Bos, the CEO of CookieFirst – a company that offers a consent management platform.

Tell us how it all began. What was the idea behind CookieFirst?

CookieFirst started out of one of my other companies which was a full-service digital agency. In 2018, when the GDPR came into effect in Europe, we had to put a lot of effort into our clients’ digital presences, making them compliant with the newly enforced legislation. There were only a couple of consent management providers at the time, and they didn’t really allow for sufficient options to make the implementation fast and offer a good looking consent interface at the same time.

Also around that time, the exposure of the massive privacy violations by Cambridge Analytica through Facebook was brought to light in the New York Times interviews. This obviously spiked the interest of Data Protection Authorities around the globe to enforce privacy regulations. All of this combined formed the basis for the idea to develop our own suite of privacy SaaS solutions instead of buying software from third parties. We started the development of the software tool around February 2019 and went live in October of the same year with our first version.

Can you tell us a little bit about what you do? Why is using a consent management platform important?

The CookieFirst CMP allows companies to be more transparent towards their clients and website users on the type of data that is collected and with whom their data is shared, depending on their choice. This transparency is important to establish a trusted brand and a step towards a privacy-first company. As a company, you want to be trustworthy and the CookieFirst CMP helps build trust. Next to that, by using our software, organizations can protect themselves from the unlawful transfer of data through cookies or other tracking technologies which could lead to hefty fines due to privacy- and data protection laws.

Keeping up with privacy policy requirements can sometimes be complicated. What details do you think are often overlooked by organizations?

That really depends on which facets of policy requirements we discuss and for which country or even states in the US for example. When it comes to default settings for a cookie banner I have a few tips. In general, make sure your banner is configured properly and that no data is sent to 3rd parties before consent is obtained. Do not pre-select certain categories of cookies/trackers. Make sure there’s an opt-out or deny button with the same design as the ‘accept’ button on the first layer of the banner and do not offer implied consent, which is consenting to tracking by just browsing the website.

When it comes to compliance with privacy laws in general there can be quite some pitfalls, for instance not realizing you need to comply with multiple regulations. If you have a company registered in California, that processes data of EU citizens and has for example children among its website’s core target market you already need to comply with at least 3 regulations; the GDPR in Europe, the Children's Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA).

Another pitfall can be making sure that your documents and policies are up to date. If you look at organizations in general, regardless of their size, they all use a lot of 3rd party technologies and software platforms with which they share user data. Small and midsize companies often do not realize that they need to update their policies as a result of using new third-party services within the organization, whether it is new newsletter software or new advertising platforms on their website. And to be honest that is completely understandable but the management of the organization will need to understand the risks of adding/using new services as well.

How do you think the recent global events affected how people approach cybersecurity?

I think that people have become more educated over the past years on cybersecurity and how data is being used by organizations. People are now more conscious about what information to share with companies and have become more aware of the possibilities and potential risks of misuse of their personal data and misinformation, especially by hostile governments and entities threatening democratic norms and values. This has not only woken up consumers but also made clear that governments must take action to empower consumers and make it possible for them to educate themselves and recognize misinformation.

What security tools or practices do you think everyone should adopt to protect their privacy online?

I think there are some obvious choices to be made here, for instance using password managers. If you think about the number of accounts on the web that are used by a single person or accounts that have been used during a person’s life, most people use the same password over and over again. A password manager helps, in this case, to better manage the security of your personal data. Next to that, a VPN connection might help to obscure your actual location and identity used by trackers. This could also be helpful in enhancing your security and privacy on the web.

What dangers can customers be exposed to if a company they trust struggles to ensure compliance?

A lot can happen. From unintended targeted advertising of their visitors to not being able to get insurance or a job based on unintended sharing of data. It really depends on with whom you, as an organization, share your customer data and the type of data you share. For example, let’s say you have a psychological disorder and you’re Googling about this and looking for websites of medical treatments or visiting websites of clinics, is it ok if this visitor data combined with other data can be traced back to you individually? What if this data is then used when you apply for a job or insurance, or if you need to renew your driver’s license? This may be an extreme example but the uncontrolled sharing of data in an obscure and non-transparent way will eventually lead to events like this.

Can you share some tips for businesses looking to make their privacy policy user-friendly?

First of all, businesses should investigate and document all their procedures and policies where data is being accessed, collected, and used. Try to get an overview of all the services your company uses and document this thoroughly. You’d also want to make sure that the content of the public-facing policies like your privacy policy or cookie policy contains clear language – make sure people can actually understand what is written there. It is also important to refrain from vague language and purposes for data processing; sentences like “we may use your data for commercial purposes” don’t really make clear for which purposes data is used, and it is even unclear if the data is used at all. Use a good Consent Management Platform like CookieFirst to obtain valid consent from users and help to automate your data transfers.

It is also very important to segregate the privacy policy from any other policies that you have like the general terms and conditions, and possibly the cookie policy. Having separate policies makes it easier for your customers to find the specific information they might be looking for as well as make it easier for you to amend/update the different policies and keep track of changes since it is not one big document. It is also easier for your customers to understand changes if they are only applied to smaller policies/documents.

What data privacy issues would you like to see solved in the next few years?

The first thing that comes to mind is cross-border transfers of personal data to the US. After the EU Court of Justice annulled an adequacy decision by the European Commission in 2020 (Schrems II), Companies, especially, SMEs have been struggling to be compliant with the GDPR since data transfers to the US were officially not allowed anymore but many parties were using, for example, cloud services from Google or Amazon. A new, effective, adequate decision could make life easier for a lot of companies. It is, however, the question whether Mr. Schrems won’t just take a new adequacy decision to court once more. To avoid this, the US must make commitments, and/or even amendments to its legislation, to meet data protection requirements set out in the GDPR.

On April 22th, the EU accepted the outlines of the Digital Services Act, and the month before that the outlines of the Digital Markets Act were accepted as well. Both legislations aim “to create a safer digital space in which fundamental rights of all users of digital services are protected” as well as “to establish a level playing field to foster innovation, growth, and competitiveness both in the EU as well as globally.”

The adoption of these legislations will, hopefully, better protect consumers’ privacy as well as increase effective supervision by Data Protection Authorities, for example when it comes to tackling misinformation. It should also decrease monopolies by large entities and thus give a chance to smaller emerging competitors to flourish.

Would you like to share what the future holds for CookieFirst?

I cannot get into much detail as it is confidential information but of course, we never stop innovating. There will be a lot of new features coming to the platform over the course of 2022. We serve customers all over the globe, both small businesses, enterprises, and everything in between, the demands are very different per business category and we intend to release features that would help all organizations comply with local legislation even easier and faster. Next to our continuous innovation in the CookieFirst consent management platform, we will also release a new privacy platform by the end of the year that will give organizations of all sizes a 360 degrees approach to their privacy needs. We will allow all organizations to become privacy-first organizations with ease. Whether you need to do data inventory mapping, document and policy management, hire external counsel, or make data subject access requests easier and less cumbersome. A true fully integrated approach to all the privacy topics and challenges that an organization could face, all around the globe.