PageFair’s long letter to the Article 29 Working Party

Dr Johnny Ryan GDPR

This note discusses a letter that PageFair submitted to the Article 29 Working Party. The answers may shape the future of the adtech industry.  Eventually the data protection authorities of Europe will gain a thorough understanding of the adtech industry, and enforce data protection upon it. This will change how the industry works. Until then, we are in a period of uncertainty. Industry can not move forward, business can not flourish. Limbo does not serve the interests of publishers. Therefore we press for certainty. This week PageFair wrote a letter to the Article 29 Working Party presenting insight on the inner workings of adtech, warts and all. Our letter asked the working party to consider five questions. We suspect that the answers may shape the future of the adtech industry.…

GDPR consent design: how granular must adtech opt-ins be?

Dr Johnny Ryan GDPR

This note examines the range of distinct adtech data processing purposes that will require opt-in under the GDPR.[1] In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”.[2] Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”.[3]  Rather than conflate several purposes for processing, Europe’s regulators caution that “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose”.[4] This draws upon GDPR, Recital 32.[5] In short, consent requests must be granular, showing opt-ins for each distinct purpose. How granular must consent opt-ins be?

Overview of how the GDPR impacts websites and adtech (IAPP podcast)

The PageFair Team GDPR

In this podcast, the International Association of Privacy Professionals interviews PageFair’s Dr Johnny Ryan about the challenges and opportunities of new European privacy rules for website operators and brands.  Update: 3 January 2018: This podcast was the International Association of Privacy Professionals’ most listened to podcast of 2017.  The conversation begins at 4m 14s, and covers the following issues. Risks for website operators How “consent” is an opportunity for publishers to take the upper hand in online media Brands’ exposure to legal risk, and the agency / brand / insurer conundrum Personal data leakage in RTB / programmatic adtech How the adtech industry should adapt As we told Wired some months ago, it’s not just that websites might expose yourself to litigation, it’s that you might expose your advertisers to litigation too.…

Here is what GDPR consent dialogues could look like. Will people click yes?

Dr Johnny Ryan GDPR

THIS NOTE HAS NOW BEEN SUPERSEDED BY A A MORE RECENT PAGEFAIR INSIDER NOTE ON GDPR CONSENT DIALOGUES. PLEASE REFER TO THE NEW NOTE.  This note presents sketches of GDPR consent dialogues, and invites readers to participate in research on whether people will consent.  NoteIt is important to note that the dialogue presented in this note is only a limited consent notice. It asks to track behaviour on one site only, and for one brand only, in addition to “analytics partners”. This notice would not satisfy regulators if it were used to cover the vast chain of controllers and processors involved in conventional behavioural targeting. Consent requests In less than a year the General Data Protection Regulation (GDPR) will force businesses to ask Internet users for consent before they can use their personal data.…

The 3 biggest challenges in GDPR for online media & advertising

Dr Johnny Ryan GDPR

This note explains the three deepest challenges that the online advertising industry must overcome to survive the new European data rules. It also outlines our approach.  The General Data Protection Regulation (GDPR) and the ePrivacy Regulation (ePR) pose particular challenges for publishers, brands, and adtech companies. These go beyond the normal gap analysis and security overhaul that other businesses must undertake to comply with the new rules. Online advertising and media businesses’ ability to function online depends on the outcome of three deep challenges. Deep Challenge 1: Obtaining consent to process an internet user’s personal data. Despite some lingering debate to the contrary, businesses will need consent from internet users to use their personal data for online behavioral advertising. This poses a UX challenge.…

PageFair statement at European Parliament rapporteur’s ePrivacy Regulation roundtable

Dr Johnny Ryan GDPR

Lightly edited transcription of PageFair remarks at rapporteur’s sessions at the European Parliament in Brussels on 29 May 2017, concerning the ePrivacy Regulation.  Statement at roundtable on Articles 9, and 10.  Dr Johnny Ryan: Thank you. PageFair is a European adtech company. We are very much in support of the Regulation as proposed, in so far as it relates to online behavioural advertising (OBA).…

Why pseudonymization is not the silver bullet for GDPR.

Dr Johnny Ryan GDPR

Pseudonymization will not save online advertising companies from having to seek consent to use browsing and other personal data. This note explains why. Personal data will become toxic in May 2018 when the General Data Protection Regulation is applied, unless data subjects have given consent.[1] Some businesses may try to rely on “pseudonymization”, a partial method of anonymization, to continue to use personal data without consent. This would be a mistake, as the GDPR (and a previous opinion from the Article 29 Working Party[2]).…

Supporting new European data regulation

Dr Johnny Ryan GDPR

Unusually for an ad-tech company, PageFair supports the proposed ePrivacy Regulation. Here is why.
Additional note (11 May 2017): our position concerns the proposal’s impact on online behavioural advertising (OBA). Though there are kinks to work out, as we note in our recent statement to Parliament representatives, we strongly endorse the proposal’s broad approach to OBA.  The European Commission has proposed new rules for ePrivacy, which will supplement the GDPR.[1] Unlike colleagues in other digital advertising companies, PageFair commends the proposed privacy protections for online advertising.
Access the GDPR/ePR repositoryA repository of GDPR and ePrivacy Regulation explainers, official docs, and current status.Access Now PageFair has taken this position for two reasons. First, personal data are not required for online advertising.  The online advertising system can deliver relevant ads without the need to use personal data, or third party cookies that collect personal data.…

Why the GDPR ‘legitimate interest’ provision will not save you

Dr Johnny Ryan GDPR

The “legitimate interest” provision in the GDPR will not save behavioral advertising and data brokers from the challenge of obtaining consent for personally identifiable data. As previous PageFair analysis illustrates, personally identifiable data (PII) will become toxic except where it has been obtained and used with consent once the General Data Protection Regulation is applied in May 2018. Even so, many advertising intermediaries believe that they can continue to use PII data without consent because of an apparent carve-out related to “legitimate interest” contained in the GDPR. This is a false hope.

Ten Key Things That Happened in Q4

Dr Johnny Ryan Adblocking, GDPR

Amid the blizzard of press releases and conference tidbits concerning media, advertising, and adblocking, only some really matter. Here are the ten key things that happened in Q4. OCTOBER 1. US Department of Justice examines possible agency shenanigans.  It transpired that the US Department of Justice had launched an investigation into rigged bids that unfairly favored advertising agencies’ in-house services over others, at clients’ expense. The Association of National Advertisers’ report into agency kickbacks, released in June, exposed agency practises that shortchanged clients, and several big brand CMOs launched audits of their agencies. But the DOJ investigation now raises the stakes for agency executives: previous investigations in 2002 resulted in prison sentences. 2. Media consolidation AT&T agreed a deal to purchase Time Warner for $85.4 Billion.…