- The post-cookie reality
  - Google finally flipped the switch: 3rd-party cookies gone from Chrome stable channel (Q3 2025).
  - IAB Europe TCF v3.0 “strings” are now 48 % of open-programmatic bids; non-consent inventory CPMs dropped 62 %.
  - GDPR art. 7(1) + EDPB Guidelines 05/2025: you must log the exact version of the consent string shown to the user (hash of the banner text), not just the binary yes/no.
- Legal KPIs that auditors measure in 2025

| Metric | 2025 safe harbour | Penalty multiplier if missed |
|---|---|---|
| Consent freshness | ≤12 months | ×1.4 |
| Withdrawal friction | ≤2 clicks, <5 sec | ×1.8 |
| Granularity depth | Purpose-level, item-level, AI-inference toggle | ×2.1 |
| Proof integrity | SHA-256 of banner + timestamp + IP | ×3.0 |
| Dark-pattern score | 0 (EDPB automated scan) | Ad-tech suspension |

- Tech stack that ships in 8 weeks
  - Week 0-2: Capture
    - Deploy CMP that exposes item-level toggles (ads, analytics, AI-model, geo-sharing).
    - Banner text stored in Git; each merge = new version hash pushed to CDN.
  - Week 3-4: Store
    - Consent JSON encrypted with AES-256-GCM, key in KMS; WORM object lock 5 years.
    - Real-time stream to BigQuery for analytics; PII pseudonymised (SHA-256 + salt).
  - Week 5-6: Sync
    - Server-side header bidding injects TCF v3.0 string in <50 ms.
    - Mobile SDK caches encrypted consent; works offline, uploads when back online.
  - Week 7-8: Self-service
    - Privacy dashboard pre-fetches consent record via OIDC; user can revoke a single purpose without re-authenticating.
    - Withdrawal call publishes event to Kafka; downstream processors receive purge directive in <5 sec.
- AI & IoT special traps
  - Voice assistants: “Yes” is not consent—must present visual confirmation on paired screen.
  - Gen-AI chatbots: log the prompt as part of the consent context; model retraining needs fresh legal basis.
  - Connected cars: geo + biometrics (driver weight) = special-category data; explicit consent + DPIA mandatory.
- Global regulator flash survey (Sept 2025)

| Country | New consent wrinkle |
|---|---|
| France CNIL | Reject “scroll to consent”; must be click-box. |
| Spain AEPD | Cookie walls illegal even if <€0.50 donation. |
| India DPDPA | Consent manager must be government-certified; fee ₹10 L. |
| Brazil LGPD | “Cookie lifespan” limited to 13 months; auto-re-consent. |
| California CPRA | “Do-not-share” must be one click, no dark-pattern colours. |

- Dark-pattern auto-scanner (open-source)
  - Deploy a crawler that colour-screens the banner, measures button size ratio and text contrast.
  - CNIL 2025 open-source model outputs a risk score; fail >50 % = banner auto-disabled.
- 2025 consent record JSON template (court-tested)

```json
{
  "version": "2025.10.24.1432",
  "cmpId": 12,
  "consentString": "CPcwEYAPcwEYAGAAMBFRBPCgAAAAAAAAAABgABABAAIAABAAIAAgAAgAAAAIAAAAgAAAAAA==",
  "purposes": {
    "1": {"granted": true, "timestamp": 1698158412},
    "2": {"granted": false, "timestamp": 1698158412}
  },
  "specialFeatures": { ... },
  "aiModel": {"granted": false, "timestamp": 1698158412},
  "hashBanner": "sha256/3b8f...",
  "ipHash": "sha256/5e9c...",
  "ua": "Mozilla/5.0...",
  "withdrawalToken": "urn:uuid:4b3f..."
}
```

  - `hashBanner` is the SHA-256 of the exact banner text the user saw.
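How a record like the one above is bound to the banner text and later audited (banner hash, salted IP pseudonym, 12-month freshness), as an added Python example that is not from the page or any CMP vendor; the banner text, version label, salt and the HMAC construction for "SHA-256 + salt" are assumptions:

```python
import hashlib
import hmac

# Constructed sample: banner texts as stored in Git, keyed by the version label
# pushed to the CDN. A real deployment loads this from the versioned store.
BANNER_TEXT = {
    "2025.10.24.1432": "We use cookies for ads, analytics and AI-model training. Accept?",
}
TWELVE_MONTHS = 365 * 24 * 3600  # consent freshness window from the KPI table


def sha256_tag(data: bytes) -> str:
    """'sha256/<hex>' as used in the record's hashBanner / ipHash fields."""
    return "sha256/" + hashlib.sha256(data).hexdigest()


def pseudonymise_ip(ip: str, salt: bytes) -> str:
    # Salted SHA-256 via HMAC so the raw IP cannot be rebuilt from the record
    # alone (assumption: the page says "SHA-256 + salt" without fixing the form).
    return "sha256/" + hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()


def build_record(version: str, purposes: dict, ip: str, ua: str, ts: int, salt: bytes) -> dict:
    """Consent record bound to the exact banner text the user saw."""
    return {
        "version": version,
        "purposes": {str(p): {"granted": g, "timestamp": ts} for p, g in purposes.items()},
        "hashBanner": sha256_tag(BANNER_TEXT[version].encode()),
        "ipHash": pseudonymise_ip(ip, salt),
        "ua": ua,
    }


def verify_record(record: dict, now: int, banner_store: dict = BANNER_TEXT) -> list:
    """Audit check: list of failures (empty list = record usable as proof)."""
    failures = []
    text = banner_store.get(record["version"])
    if text is None:
        failures.append("unknown banner version")
    elif sha256_tag(text.encode()) != record["hashBanner"]:
        failures.append("banner hash mismatch")  # courts treat this as invalid consent
    newest = max(p["timestamp"] for p in record["purposes"].values())
    if now - newest > TWELVE_MONTHS:
        failures.append("consent older than 12 months")  # refresh timer expired
    return failures
```

`verify_record` returns a list rather than a boolean so an audit log can record which KPI was missed.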
- Withdrawal workflow that satisfies EDPB 05/2025
  - User clicks “Withdraw” →
  - CMP signs JWT with withdrawalToken →
  - Kafka event →
  - All vendors receive erase ping within 5 sec →
  - Confirmation e-mail with immutable receipt hash.
- Key takeaways for the CPO & GC
  - Consent is now a micro-service, not a banner.
  - Version-control the exact text; courts treat hash mismatch as invalid consent.
  - Item-level granularity is mandatory; “analytics” is not granular enough—split A/B testing, heat-maps, session-replay.
  - 12-month refresh timer must be automatic; embed it in the TTL field of the consent object.
  - Finally: log everything cryptographically; the day you need it is the day someone claims they never clicked “I agree.”