Facebook and adtech face a turbulent time in Europe’s courts: the Brussels case.

Dr Johnny Ryan GDPR

This note examines a Belgian court ruling against Facebook’s tracking and approach to consent. Facebook and adtech companies should expect tough sanctions when they find themselves before European courts – unless they change their current approach to data protection and the GDPR.  Facebook is playing a dangerous game of “chicken” with the regulators. First, it has begun to confront users in the EU with a new “terms of service” dialogue, which denies access to Facebook until a user opt-ins to tracking for ad targeting, and various other data processing purposes.[1] (more detail in footnote 1) This dialogue appears to breach several important principles of the GDPR, including the principle of purpose limitation,[2] freely given, non-conditional consent,[3] and of transparency.[4] In other words, if Facebook attempts to collect consent in this manner, that consent will be unlawful.…

Google adopts non-personal ad targeting for the GDPR

The PageFair Team GDPR

This note examines Google’s recent announcement on the GDPR. Google has sensibly adopted non-personal ad targeting. This is very significant step forward and signals a change in the online advertising market. But Google has also taken a new and problematic approach to consent for personal data use in advertising that publishers will find hard to accept.  Google decides to use non-personal ad targeting to comply with the GDPR  Last Thursday Google sent a policy update to business partners across the Internet announcing that it would launch an advertising service based on non-personal data in order to comply with the GDPR.[1] PageFair has advocated a non-personal approach to advertising for some time, and commends Google for taking this position. As we noted six months ago,[2] Google AdWords, for example, can operate without consent if it discards personalized targeting features (and unique IDs).…

Risks in IAB Europe’s proposed consent mechanism

Dr Johnny Ryan GDPR

This note examines the recently published IAB “transparency and consent” proposal. Major flaws render the system unworkable. The real issue is what should be done with the vast majority of the audience who will not give consent.  Publishers would have no control (and are expected to blindly trust 2,000+ adtech companies) The adtech companies[1] who drafted the IAB Europe proposal claim that “publishers have full control over who they partner with, who they disclose to their users and who they obtain consent for.”[2] But the IAB Europe documentation shows that adtech companies would remain entirely free to trade the personal data with their business partners if they wish. The proposed system would share a unique[3] consent record “throughout the online advertising ecosystem”, every time an ad is loaded on a website:[4] “the OpenRTB request [from a website to an ad exchange] will contain the entire DaisyBit [a persistent cookie],[5] allowing a vendor to see which other vendors are an approved vendor or a publisher and whether they have obtained consent (and for which purposes) and which have not.”[6] There would be no control over what happens to personal data once they enter the RTB system: “[adtech] vendors may choose not to pass bid requests containing personal data to other vendors who do not have consent”.[7] This is a critical problem, because the overriding commercial incentive for many of the companies involved is to share as many data with as many partners as possible, and to share it with parent companies that run data brokerages.…

PageFair writes to all EU Member States about the ePrivacy Regulation

Dr Johnny Ryan GDPR

This week PageFair wrote to the permanent representatives of all Member States of the European Union in support for the proposed ePrivacy Regulation. Our remarks were tightly bounded by our expertise in online advertising technology. We do not have an opinion on how the proposed Regulation will impact other areas. The letter addresses four issues: PageFair supports the ePrivacy Regulation as a positive contribution to online advertising, provided a minor amendment is made to paragraph 1 of Article 8. We propose an amendment to Article 8 to allow privacy-by-design advertising. This is because the current drafting of Article 8 will prevent websites from displaying privacy-by-design advertising. We particularly support the Parliament’s 96th and 99th amendments. These are essential to enable standard Internet Protocol connections to be made in many useful contexts that do not impact of privacy.…

Adtech must change to protect publishers under the GDPR (IAPP podcast)

Dr Johnny Ryan GDPR

The follow up to the International Association of Privacy Professionals’ most listened to podcast of 2017.  Angelique Carson of the International Association of Privacy Professionals quizzes PageFair’s Dr Johnny Ryan on the crisis facing publishers, as they grapple with adtech vendors and attendant risks ahead of the GDPR. The podcast covers: Why personal data can not be used without risk in the RTB/programmatic system under the GDPR. Where consent falls short for publishers. How vulnerable the online advertising system is, because of central points of legal failure. The GDPR is part of a global trend. New privacy standards are on the way in other massive markets including China (and in important tech ecosystems such as Apple iOS, Firefox). This is the follow up to an earlier IAPP and PageFair podcast discussion (which was the International Association of Privacy Professionals’ most listened to podcast of 2017).…

PageFair’s long letter to the Article 29 Working Party

Dr Johnny Ryan GDPR

This note discusses a letter that PageFair submitted to the Article 29 Working Party. The answers may shape the future of the adtech industry.  Eventually the data protection authorities of Europe will gain a thorough understanding of the adtech industry, and enforce data protection upon it. This will change how the industry works. Until then, we are in a period of uncertainty. Industry can not move forward, business can not flourish. Limbo does not serve the interests of publishers. Therefore we press for certainty. This week PageFair wrote a letter to the Article 29 Working Party presenting insight on the inner workings of adtech, warts and all. Our letter asked the working party to consider five questions. We suspect that the answers may shape the future of the adtech industry.…

PageFair Trusted Partners To Join GDPR Compliance Initiative

Dr Johnny Ryan GDPR

This note announces an initiative among adtech companies to keep online advertising operations outside the scope of the GDPR by using no personal data. Dublin, Ireland (24 January, 2018) – PageFair has announced a joint initiative with eight other advertising companies to help equip website and app publishers with new ways of advertising  that fully comply with Europe’s new GDPR regulations.  Among the members are Adzerk, Bannerflow, Bydmath, Clearcode, Converge Digital, Digitize, SegmentIQ, and Velocidi.  The EU’s new privacy regulations will prohibit the kind of online tracking that has powered advertising up to now, unless every user gives explicit consent to the companies that track them. Publishers, advertisers and tech companies who ignore the regulation could face fines of up to €20 million or 4% of their global turnover.  …

GDPR’s non-tracking cookie banners

Dr Johnny Ryan GDPR

This note outlines how an anomaly in European law will impact cookie storage and presents wireframes of permission requests for non-tracking cookies.  Online media will soon find itself in an anomalous position. It will be necessary to apply the GDPR’s consent requirements to cookies that reveal no personal data, even though the GDPR was not intended to be applied in this way.[1] Recital 26 of the GDPR says that “the principles of data protection should … not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person…”.[2] Even so, a hiccup in the choreography of European Law making is creating an unexpected situation in which the GDPR’s conditions will apply to cookies that reveal or contain no personal data.…

How to audit your adtech vendors’ GDPR readiness (and a call to adtech vendors to get whitelisted as Trusted Partners)

Dr Johnny Ryan GDPR

This note describes how publishers can audit their adtech vendors’ readiness for the GDPR, and opens with a call for adtech vendors to collaborate with PageFair so that they can be whitelisted as Trusted Partners by PageFair Perimeter.  How adtech and media will work under the GDPR We anticipate that the GDPR will indeed be enforced, whether by national regulators or by NGOs or individuals in the courts. We also realise that consent is the only applicable legal basis for online behavioural advertising (See analysis). Personal data can not be processed for OBA in the absence of consent. However, consent dialogues for adtech need a “next” button -or a very long scroll bar- because online behavioural advertising requires many different opt-ins to accommodate many distinct personal data processing purposes.  …

GDPR consent design: how granular must adtech opt-ins be?

Dr Johnny Ryan GDPR

This note examines the range of distinct adtech data processing purposes that will require opt-in under the GDPR.[1] In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”.[2] Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”.[3]  Rather than conflate several purposes for processing, Europe’s regulators caution that “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose”.[4] This draws upon GDPR, Recital 32.[5] In short, consent requests must be granular, showing opt-ins for each distinct purpose. How granular must consent opt-ins be?