Ward PLLC, Data Strategy and Legal Compliance, 🎧 E8 Podcast: Interview with Cookiebot CEO on Technical Solutions to GDPR Readiness

Do you have cookies on your website?

Of course, you do! [In fact, almost every website in existence utilizes cookies now]

With GDPR on the way, the time to come into compliance is now, and the Ward brothers are interviewing a great SaaS solution Founder and CEO, Daniel Johannsen.

Mr. Johannsen explains how Cookiebot can analyze any site and identify the necessary changes to be compliant while ensuring a great user experience.

PODCAST:

TRANSCRIPT

Jay: “Are You DataSmart?” a weekly podcast on data security, information management and all things related to the data you have, how to protect it and maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. And today we’ve got a very special program where we are going to have join us Daniel Johannsen, the founder and CEO of Cybot, which is a company that built Cookiebot, something that Jay and I have been looking at quite a bit. And Daniel will join us in a minute. Jay, I know, before we start, we were just joking earlier as we were trying to get the podcast all set up about sort of the whole Facebook-Cambridge Analytica panic that has gripped the nation. It certainly seems like to you and me, it’s sort of the common use case for a lot of data.

Jay: Yeah, it’s interesting that what we’re looking at is a public reaction, not necessarily to something that’s illegal, but really to perhaps the revelation of what is legal and what you’re allowed to do, what’s commonplace for digital service providers and social media providers. You know, from my perspective, it’s not necessarily… we don’t know enough to know whether a law has been broken or not, but I do think what we know is that the public outcry and the regulatory outcry already is going to lead to, in my opinion, more strict enforcement of the GDPR and more strict enforcement of the upcoming e-privacy regulation.

Christian: Absolutely. I’m also kind of blown away by, as you said, the revelation of what we call in the business audience extension, the concept of…very common, actually, really what most of the ad-buying platforms out there are based upon, which is by identifying some features of certain customers, you can then clone and reach out to, not necessarily just their relationships, but people that have similar features and functions. And this really goes to the heart of some of the things that cookies have classically been built for, to build cookie pools. We’ve covered that in the past. And so what I’d like to do is bring Daniel into the discussion. Daniel, you know, first off, just tell us a little bit about yourself, about Cybot and about your business.

Daniel: Thank you. Well, I started the business within the industry for about 20 years ago and have had several companies and founded Cybot for about five years ago. And at that point, I’ve learned a lot about how the economy of the internet worked. I’ve been building a lot of websites for customers and seeing the whole ecosystem of the economy from the inside. So at that point, I thought there was a need for some kind of solution to provide transparency to the end users about what was going on, and also to the companies that were using a lot of embedded third parties on their websites. So I saw the internet as a great platform, a lot of possibilities to create a sustainable base for a digital community, not only a playground but also a place where you can drive your development further as a company and as a society.

Christian: Absolutely. I think it’s an interesting concept of the internet as something both wonderful and terrible. And I think we struggle with that, and certainly, we struggle with that when it comes to privacy. And Jay has often spoken on this program and in his blog posts about the concept of the right to privacy. And obviously, Europe has… Well, I like to say, in many ways, Europe is always ahead of us in their thoughts around regulations. But in privacy, in particular, GDPR is one area, the e-privacy directive as well. Jay, when you think about sort of where we’re going and the technology that Cybot has, we always talk about, how are we going to handle cookies? They are the underlying driver of a substantial amount of our user experience online. And while there are different types of cookies, the GDPR and the e-privacy directive are certainly stepping in to control a little bit more of how they’re used. And that’s why we found Cookiebot so fascinating. Daniel, if you could tell us a little bit about Cookiebot, this one product of Cybot’s in particular.

Daniel: Yes. Well, it’s a software as a service provided from the cloud, and it delivers a service that makes some of these very complex rules easy to handle. When you’re a company and you need to comply with the GDPR, it’s a huge challenge. Let’s be honest about that. I think it’s a challenge that we need to meet, but of course, we also need to help the companies comply. So this corner of GDPR that handles online tracking, we’re creating a solution which makes it easy for the companies to comply. So that’s the basic goal of our service.

Christian: And so, Jay, I’m not sure if you’re able to jump in on the legal framework, when we talk about complying, what are the major things that companies have to understand or be prepared to do?

Jay: Well, it’s a dual approach, because the GDPR has its own requirements for how data is used, stored, transferred, sold. And the upcoming e-privacy regulation is going to really refine that. It’s going to refine the application of GDPR and the application of European data protection principles, specifically to cookies. I think that building… In the same way that the GDPR built on the data protection directive from the mid-’90s, the end is attempting to cure some of the defects. The e-privacy regulation builds on and corrects some of the defects in the e-privacy directive. And the reason that it’s necessary is in each European member state, there have been different approaches by the data protection authorities to the regulation of cookies, what counts as consent, what doesn’t count as lasting consent. And so, by harmonizing all of these regulations and creating one set applicable standard across the Union, the EU plans to change the way we think of consent by making it actual consent that can be revoked, change the way that we approach the collection of tracking data, which is fundamentally what cookies are about, monetizing the tracking of user actions on the internet, and changes the way we make use of that information to harmonize it with the principles in the GDPR. So think of the GDPR kind of like the [U.S.] Constitution, and the e-Privacy regulation as a specific piece of legislation that’s meant to enact some of those principles. And if you have that framework in mind, you’ll see if you’re not complying with both, you’re likely facing down some pretty harsh scrutiny from regulators.

Christian: And knowing that, Daniel, we’ve talked on the show before about some of the fines that are potential. And using your platform, I not only checked my own sites, but the sites of several of my customers. It’s really fast. It’s really in-depth. Explain a little bit of how someone uses the product. I know it’s SaaS, and it’s ongoing, but you also have this phenomenal way of very quickly analyzing. And it’s almost like a health checkup of, how are you doing on your compliance? Walk us through how that works.

Daniel: Yeah, well, there are several challenges when you want to achieve compliance. First of all, you need to get an overview. What’s going on under the hood of my website? A lot of companies don’t know that today. So one thing we created is an online scanner, which, when you’ve registered your website with us, automatically scans the site to simply map out all the different trackers operating on your website. And it’s not only cookies. There are also several other technologies, but let’s just call them all cookies. Concepts are the same. And they’re triggered in different ways. For example, interactive user actions, and so on, can trigger cookies. So what we do is to simply make a complete user simulation. And by that, analyze and lock all the tracking going on. So once you got that overview, you have to gain control, both as a company, controlling which sort of banner is operating on your website, and also hand over control to the visitor to obtain consent, so that the visitor can choose to switch on, of which cookies and trackers should be allowed during their session. So we made it possible for the website owner to gain this control and also to, in an easy way, obtain a comply and consent that includes, for example, prior consent holding back cookies until the visitor has consented.

Christian: That’s amazing. And I’ve tried to explain… For example, we work, and have worked in the past, with some great e-commerce platforms. You have things like Shopify and these various store massive fronts out there, and they rely on cookies for so many elements and so many add-on platforms. Like you said, I think most people don’t even realize just how many cookies they’re already using. And while some are what we would call necessary and some are convenient, there’s also the fact of most of tracking of how a different e-commerce or website solution is doing, many times is actually done by cookie or pixel-ing on various pages. So when you say that the system gives you that sort of whole view, how do you keep up, so to speak? I understand you walk through a typical user experience, but how do you keep up with all the various types of cookies that are out there?

Daniel: It’s, of course, a challenge to create a platform that can do this automatically. But once you’re there, it’s not that difficult, because the browser technology is what it is. So you can do certain things, and some things you can’t. So the way cookies are set, and other kinds of trackers, are basically all the same. They do different things, they handle different data, and as you say, some are really helpful and some are…they are only for the purpose of tracking and so on. But it doesn’t really matter what the purpose is…of course it does, but not to the scanner. It looks at all the technical aspects of it, and then we have a cookie repository where we research and describe in cooperation with the different providers what is the exact purpose of this cookie. And this way, the website owner can inform the end user about the purpose of the different cookies.

Jay: So to me, Daniel, that concept, the repository of the different type of cookies or beacons or all the different forms of tracking technology, is really valuable, because GDPR and the e-privacy directive are going to require businesses to be able to explain what they’re doing to users, explain what they’re doing to regulators, and in order to meaningfully be able to consent, users are going to have to understand what they’re consenting to. So if you go to the CNIL, you know, the French data protection authority’s website and the cookie banner that they have pops up and says, “Do you consent?” or “Do you want to learn more?” They let you customize. And if your customers, Daniel, Cookiebot users, want to be able to offer their customers the chance to customize what tracking is allowed or not, they need to understand it. So I think that repository is a great idea because it gives control to your customers.

Daniel: Yes, exactly. And also, we try to make it easy to handle for the end user, because you can make a lot of different solutions to this, but the usability is also critical, because if it’s too complicated if you have to read too much, it will create no real value. So we also focused a lot on creating that simple user experience. And for example, when a visitor hits a website for the first time, they see a banner which makes them choose between four different categories of cookies, preference cookies, statistic cookies and marketing cookies. And of course, there’s also the category of strictly necessary cookies, which needs to be set to make the website work. But this way, you, as a user, only have to take a decision on four, three different types of cookies, and you can open a details pane to read more details about this thing called cookies if you want to. And this way, we believe that we created a solution that’s not only providing compliance but also real value to the user, not drowning them in a lot of different descriptions and very, very long terms and so on, and this way you give them a genuine choice.

Christian: It’s outstanding. Look, I think, for anyone facing down the upcoming enforcement of these regulations and these technical ramifications, this is a daunting task. I think a lot of companies continue to sort of throw their hands up in the air to regulators, saying, “Oh, gosh. We don’t know how to solve this. It’s such a difficult problem.” I love the creativity that Cybot and the Cookiebot program are bringing to this, which provides a very simple SaaS-based approach to make sure that people can be compliant, and further, to your point, give the citizens and the consumer experience a very simple, easy-to-use path.

Daniel, tell us a little bit about how Cookiebot scales or what the pricing is. We do want our listeners to understand a little bit more about how they can use Cookiebot. Obviously, it’s available at www.cookiebot.com, and we’ll post this all on the site following the podcast, but tell us a little bit about how you price it and how you are marketing it to not only European but around the world.

Daniel: Yeah. Well, we’re marketing it, of course, online, and through partners, as we take on resellers, but also customers can sign up directly from our website, and that’s what most customers do, by simply registering and adding the domain to the configuration. We have a free plan for very small websites which have less than 100 subpages, but for larger websites, we price the monthly subscription fee based on the volume of the website. So for example, if you have less than 500 pages, you pay $10 per month. The largest subscription size is $41 per month. And so this way, we try to create a model that makes it possible for every website in the world who needs to comply to actually get a quick and not too expensive solution. Because if you look at the alternatives and try to create a solution like this on your own, or manually go through your website once a month to see what is going on now, the amount of time spent during that is enormous. And it’s a task that can be automated, and that’s what we’re doing.

Christian: That’s excellent. I think, number one, the access, the direct access for consumers or businesses to come in and buy a program, I love that you have a free alternative for some really lightweight sites with not as much page depth, because it really helps people, number one, and most importantly, get compliant, understand if they’re compliant. Tell me a little bit about the reseller program. I think we’ve seen this as a great way for people that work in data and data partnerships to build out reseller programs. Is this the sort of thing where people that help or platforms that help businesses or small businesses or even large enterprises build their digital presence online? Do they have the ability to basically add this as a reseller to the services they provide?

Daniel: Yes. Basically, we see two types of resellers. The agencies you mentioned have absolutely most of those as resellers at the moment, because they have an existing customer base who all need a solution for this. So for them, it’s easy to become a reseller and make an offer to all their clients and work only with one tool to provide to their customers. And the other type of resellers we see coming in now are companies more specialized in e-privacy, in the whole legal aspect, who want also to be able to direct their clients to some real and concrete solutions. Because there’s a lot of talk, there’s a lot of principles, but when it comes down to really implementing solutions, there’s not so many. So they want to be able to list some tools that their clients can use.

Christian: Yeah, absolutely. Look, I think people are looking to their trusted advisors for answers. Another question, just in terms of the business model. There are a lot of companies that, while they are happy to work with a SaaS solution like Cookiebot, they also need the consulting side. They need to understand the ongoing preparation to be able to be prepared to demonstrate that they are in compliance. Do you also offer, for larger enterprises, direct access? Jay and I have obviously talked with some of you team members there at Cybot. Do you see the need for being available to larger enterprises on an account management basis? Is that part of the service?

Daniel: Not really. It’s important to us to stick to the scalable SaaS model. And of course, we talk a lot to our customers and listen to them, and also the big enterprises, but mainly we try to hook them up with our resellers who will then delivery consultancy to them.

Christian: Yes.

Jay: The benefit of doing that is that you don’t end up becoming a processor or a controller of data yourself. You can stick with the SaaS model without having to fall into the sort of nettlesome compliance side of GDPR and e-privacy.

Daniel: Yes, exactly. And there’s a lot of good people out there who are doing a good job on that. So we leave that to them.

Christian: Yeah, that’s brilliant. That’s excellent. So it certainly seems like the resource side makes a lot of sense. And obviously, this is a global thing. Jay and I were kicking off the podcast, talking a little bit about the mild hysteria here in the States. I’m not sure how much across the pond it’s gotten picked up, about Facebook and Cambridge Analytica, and sort of the whole concept of audience, audience extension, audience targeting. But look, I think your solution is an elegant, simple approach. We’ve used it. We sort of look forward to continue to see its growth in the market, but mostly I’m really excited about the idea of a technical approach that diagnoses very clearly what is going on on a particular platform or website, and then offers a solution at a very reasonable cost, particularly in light of the fines that may be incurred if you do not get in compliance. So congrats to you and the team over at Cybot for building Cookiebot. It’s outstanding.

Daniel: Thank you.

Christian: Jay, any other thoughts before we wrap up?

Jay: I am having some little technical difficulties on this one. That’s exactly what you want from your data security lawyer. One of the reasons why I think this topic was so worth talking about again and again is that the cookie banner that you have on your website is the first thing that regulators will see.

Daniel: Exactly.

Jay: We’ve talked about it before. We’ll talk about it again. Think of a health inspector going to a restaurant, watching a chef walk in, dropping food on the floor, picking it up and walking in. That’s the analog to what we’re talking about here. If it looks sloppy upfront, if it’s no compliant upfront, you’re going to set the tone for the review. So making data-smart choices and approaching how you handle cookies in a serious way, it’s just a part of having a strong game. It’s a part of making the decisions that will keep you on the right side of the regulator’s eyes. And so we’re going to talk about this again, and hopefully, I’m sure we’ll talk with Daniel again in the future to continue to dive into this issue. We’re really appreciative that you’ve taken the time to be with us today, Daniel.

Daniel: Thank you so much.

Christian: Excellent. Well, thank you for listening to this episode of “Are You DataSmart?” We appreciate Daniel Johannsen joining us as the founder and CEO of Cybot, which built Cookiebot, one of the fastest and best ways to get into compliance and to understand what state [your site] is in when it comes to cookie usage. We look forward to speaking to everyone next week. Thank you.

Jay: Thanks again.

PODCAST:

Share this:

Like this:

Related

Leave a Reply Cancel reply