GDPR consent design: how granular must adtech opt-ins be?

Dr Johnny Ryan GDPR

This note examines the range of distinct adtech data processing purposes that will require opt-in under the GDPR.[1] In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”.[2] Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”.[3]  Rather than conflate several purposes for processing, Europe’s regulators caution that “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose”.[4] This draws upon GDPR, Recital 32.[5] In short, consent requests must be granular, showing opt-ins for each distinct purpose. How granular must consent opt-ins be?

Overview of how the GDPR impacts websites and adtech (IAPP podcast)

The PageFair Team GDPR

In this podcast, the International Association of Privacy Professionals interviews PageFair’s Dr Johnny Ryan about the challenges and opportunities of new European privacy rules for website operators and brands.

Update: 3 January 2018: This podcast was the International Association of Privacy Professionals’ most listened to podcast of 2017.

The conversation begins at 4m 14s, and covers the following issues:

- Risks for website operators
- How “consent” is an opportunity for publishers to take the upper hand in online media
- Brands’ exposure to legal risk, and the agency / brand / insurer conundrum
- Personal data leakage in RTB / programmatic adtech
- How the adtech industry should adapt

As we told Wired some months ago, it’s not just that websites might expose themselves to litigation, it’s that they might expose their advertisers to litigation too.…

Here is what GDPR consent dialogues could look like. Will people click yes?

Dr Johnny Ryan GDPR

THIS NOTE HAS NOW BEEN SUPERSEDED BY A MORE RECENT PAGEFAIR INSIDER NOTE ON GDPR CONSENT DIALOGUES. PLEASE REFER TO THE NEW NOTE.

This note presents sketches of GDPR consent dialogues, and invites readers to participate in research on whether people will consent.

Note: It is important to note that the dialogue presented in this note is only a limited consent notice. It asks to track behaviour on one site only, and for one brand only, in addition to “analytics partners”. This notice would not satisfy regulators if it were used to cover the vast chain of controllers and processors involved in conventional behavioural targeting.

Consent requests: In less than a year the General Data Protection Regulation (GDPR) will force businesses to ask Internet users for consent before they can use their personal data.…

The 3 biggest challenges in GDPR for online media & advertising

Dr Johnny Ryan GDPR

This note explains the three deepest challenges that the online advertising industry must overcome to survive the new European data rules. It also outlines our approach.  The General Data Protection Regulation (GDPR) and the ePrivacy Regulation (ePR) pose particular challenges for publishers, brands, and adtech companies. These go beyond the normal gap analysis and security overhaul that other businesses must undertake to comply with the new rules. Online advertising and media businesses’ ability to function online depends on the outcome of three deep challenges. Deep Challenge 1: Obtaining consent to process an internet user’s personal data. Despite some lingering debate to the contrary, businesses will need consent from internet users to use their personal data for online behavioral advertising. This poses a UX challenge.…

PageFair statement at European Parliament rapporteur’s ePrivacy Regulation roundtable

Dr Johnny Ryan GDPR

Lightly edited transcription of PageFair remarks at rapporteur’s sessions at the European Parliament in Brussels on 29 May 2017, concerning the ePrivacy Regulation.  Statement at roundtable on Articles 9 and 10.  Dr Johnny Ryan: Thank you. PageFair is a European adtech company. We are very much in support of the Regulation as proposed, in so far as it relates to online behavioural advertising (OBA).…

Why pseudonymization is not the silver bullet for GDPR.

Dr Johnny Ryan GDPR

Pseudonymization will not save online advertising companies from having to seek consent to use browsing and other personal data. This note explains why. Personal data will become toxic in May 2018 when the General Data Protection Regulation is applied, unless data subjects have given consent.[1] Some businesses may try to rely on “pseudonymization”, a partial method of anonymization, to continue to use personal data without consent. This would be a mistake, as the GDPR (and a previous opinion from the Article 29 Working Party[2]).…

Supporting new European data regulation

Dr Johnny Ryan GDPR

Unusually for an ad-tech company, PageFair supports the proposed ePrivacy Regulation. Here is why.
Additional note (11 May 2017): our position concerns the proposal’s impact on online behavioural advertising (OBA). Though there are kinks to work out, as we note in our recent statement to Parliament representatives, we strongly endorse the proposal’s broad approach to OBA.  The European Commission has proposed new rules for ePrivacy, which will supplement the GDPR.[1] Unlike colleagues in other digital advertising companies, PageFair commends the proposed privacy protections for online advertising.
PageFair has taken this position for two reasons. First, personal data are not required for online advertising. The online advertising system can deliver relevant ads without the need to use personal data, or third party cookies that collect personal data.…

Why the GDPR ‘legitimate interest’ provision will not save you

Dr Johnny Ryan GDPR

The “legitimate interest” provision in the GDPR will not save behavioral advertising and data brokers from the challenge of obtaining consent for personally identifiable data. As previous PageFair analysis illustrates, personally identifiable data (PII) will become toxic except where it has been obtained and used with consent once the General Data Protection Regulation is applied in May 2018. Even so, many advertising intermediaries believe that they can continue to use PII data without consent because of an apparent carve-out related to “legitimate interest” contained in the GDPR. This is a false hope.

Ten Key Things That Happened in Q4

Dr Johnny Ryan Adblocking, GDPR

Amid the blizzard of press releases and conference tidbits concerning media, advertising, and adblocking, only some really matter. Here are the ten key things that happened in Q4.

OCTOBER

1. US Department of Justice examines possible agency shenanigans. It transpired that the US Department of Justice had launched an investigation into rigged bids that unfairly favored advertising agencies’ in-house services over others, at clients’ expense. The Association of National Advertisers’ report into agency kickbacks, released in June, exposed agency practices that shortchanged clients, and several big brand CMOs launched audits of their agencies. But the DOJ investigation now raises the stakes for agency executives: previous investigations in 2002 resulted in prison sentences.

2. Media consolidation. AT&T agreed a deal to purchase Time Warner for $85.4 Billion.…

Europe’s new privacy regime will disrupt the adtech Lumascape

Dr Johnny Ryan GDPR

In a year and a half, new European rules on the use of personal information will disrupt advertising and media across the globe. Here are the three biggest impacts.  Since 1996 when cookies were first repurposed to track users around the Web there has been an assumption that gathering and trading users' personal information is the essence of advertising online. This is about to change.