Consent to use personal data has no value unless one prevents all data leakage

Dr Johnny Ryan

Websites and advertisers cannot prevent personal data from leaking in programmatic advertising. If not fixed, this will render consent to use personal data meaningless.

The GDPR applies the principle of transparency:[1] People must be able to easily learn who has their personal data, and what they are doing with it.

Equally importantly, people must have surety that no other parties receive these data.

It follows that consent is meaningless without enforcement of data protection: unless a website prevents all data leakage, a visitor who gives consent cannot know where their data may end up.

But the online advertising system leaks data in two ways. This exposes brands, agencies, websites, and adtech companies to legal risk.

How data leakage happens 

If “programmatic” advertising or “real time bidding” was ever a mystery to you, take 43 seconds to watch this PageFair video. It shows the process in which an advertiser decides that a person visiting a website is the right kind of person to show an ad to.

This system was not built for data protection. Instead, it was built to enable hundreds of businesses to trade personal data about the people visiting websites, to determine what ads to show them, and what advertisers should pay to show those ads.

The next video shows what happens to personal data in this system. It illustrates each step in the selection and delivery of a single ad. (33 seconds)

The yellow arrows in this video show the parties with whom ad exchanges and other advertising technology services share data about the website visitor.

These data include the ad exchange’s own identifier for the user, the URL the user is visiting, the user’s IP address, and the details of the user’s browser and system.

Hundreds of parties receive these data in the milliseconds before an ad is shown.

To complicate matters, some websites work with more than one ad exchange, conducting a mega auction known as “header bidding”, to solicit more bids for their ad units. The following video is 68 seconds long, and shows how this works.

Conclusion: there are two problems 

First, personal data about a website visitor are shared with hundreds of parties every time the website requests an ad through one or more ad exchanges. There is nothing to prevent these hundreds of parties from leaking these data to anyone else. This must be controlled.

Second, the advertisement that the website visitor is shown, once the bidding process concludes, often contains JavaScript. This code can then summon trackers (or worse). This, also, must be controlled.
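The control that note [2] describes, rejecting JavaScript ads that load from unauthorised domains, can be sketched as a check on the ad markup that a winning bid returns. This is an added example, not PageFair's code or part of the Open RTB specification; the allowlist, the domain names and the sample creatives are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical publisher allowlist; every domain here is a placeholder.
ALLOWED_DOMAINS = {"cdn.adserver.example", "static.brand.example"}

# Tag -> attribute through which markup fetches a resource without a click.
LOADERS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class CreativeAudit(HTMLParser):
    """Collects every host the ad markup loads from and counts inline JavaScript."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.inline_js = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(LOADERS.get(tag, ""))
        host = urlsplit(url).hostname if url else None
        if host:
            self.hosts.add(host)
        if tag == "script" and not url:
            self.inline_js += 1  # code the allowlist cannot attribute to a domain
        # Event-handler attributes (onload, onerror, ...) are inline JavaScript too.
        self.inline_js += sum(1 for name in attrs if name.startswith("on"))

def is_authorised(host):
    # Exact match or a true subdomain; "xcdn.adserver.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def review_creative(markup):
    audit = CreativeAudit()
    audit.feed(markup)
    audit.close()
    blocked = sorted(h for h in audit.hosts if not is_authorised(h))
    return {"accept": not blocked and audit.inline_js == 0,
            "unauthorised_hosts": blocked, "inline_js": audit.inline_js}

# Constructed sample creatives (not real ads).
CLEAN = ('<a href="https://brand.example/offer">'
         '<img src="https://static.brand.example/banner.png"></a>'
         '<script src="https://cdn.adserver.example/render.js"></script>')
LEAKY = ('<script src="https://cdn.adserver.example/render.js"></script>'
         '<script src="https://sync.tracker.example/t.js"></script>'
         '<img src="//pixel.tracker.example/p.gif?uid=1" onload="report()">')
```

A static check of this kind sees only what the markup declares; it cannot see what an authorised script requests once it runs.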

The forthcoming Open RTB 3.0 specification contains measures to limit data leakage,[2] but not to stop it entirely. Unless publishers can exercise complete enforcement of data protection on their sites, consent is meaningless. Moreover, so long as data can leak, all parties involved are exposed to legal hazard: publishers and their partners too.[3]

PageFair has been developing a solution to this problem.

Notes

[1] The GDPR, Article 5, paragraph 1 (a), Article 12, and Recitals 39 and 60.

[2] Websites can prevent specific companies from placing bids to buy ad space on their pages. Websites can also reject JavaScript ads from unauthorised domains. The specification also contains scope for “whitelisted/blacklisted JS trackers”. Open RTB 3.0 draft specification, IAB TechLab, September 2017, pp. 14, 27, and AdCom draft specification, IAB TechLab, September 2017, p. 14.

[3] The GDPR, Article 82, paras. 1, 3 – 4, Recital 146. After judgement the processors or controllers who have paid full compensation can claim back part of the compensation from processors or controllers also responsible (ibid., Article 82, para. 5).