Law Firm: US Companies Should Heed New Microsoft User Consent Policy
Websites based in the U.S. should be aware of an upcoming Microsoft Advertising requirement on user consent even if they don't target users in Europe, law firm Frankfurt Kurnit blogged Thursday.
Sign up for a free preview to unlock the rest of this article
The tech giant announced March 31 that starting May 5, Microsoft Advertising will require all websites using its tracking tools to send a consent signal whenever someone from the EU, U.K. or Switzerland visits. This policy helps Microsoft align with global privacy rules such as the EU General Data Protection Regulation (GDPR) and aims to show its "unwavering commitment to putting user privacy at the forefront of our priorities," the company said.
The Consent Mode lets companies gain insight about users while respecting their privacy and complying with privacy rules, Microsoft said. It applies to any client using universal event tracking on the Microsoft Advertising Platform as well as the Universal Pixel, Segment and Conversion pixels within Microsoft Invest, Curate or Monetize.
The feature enables the adjustment of cookies based on the consent status of users visiting websites from the European Economic Area, U.K. and Switzerland, Microsoft said.
Under the GDPR, websites are required to obtain users' permission before placing or activating most tracking technologies, Frankfurt Kurnit wrote. "Microsoft's new policy is a direct response to this: if a site includes Microsoft's tracking code, it must now inform Microsoft whether a user has opted in to data collection." If no signal is provided, Microsoft may limit or block data collection entirely from visitors from those regions.
While the California Consumer Privacy Act doesn't explicitly require opt-in consent for cookies or tracking, "the legal landscape in California is shifting," the law firm noted. There's a rise in California Invasion of Privacy Act complaints, with some plaintiffs arguing that use of third-party tracking tools without affirmative user consent amounts to illegal wiretapping.
As these claims gain traction in court, many privacy professionals are now advising U.S. companies to treat third-party cookies similarly to how they would under the GDPR, said the firm: "Do not fire any cookies unless the user has opted in."
Businesses should now implement a consent management platform (CMP) that displays a cookie banner, allows visitors to make informed choices and prevents tracking until consent is granted, Frankfurt Kurnit said. Once a CMP is in place, sites must configure tracking tags to respond appropriately.
Companies should also review and update their privacy policies to explain how their sites collect, share and use personal data, and regularly test privacy compliance tools and user interfaces to make sure they're accurate and fair: "Specifically, users should find it just as easy to opt out of tracking as it is to opt in."