Google adopts non-personal ad targeting for the GDPR

The PageFair Team GDPR

This note examines Google’s recent announcement on the GDPR. Google has sensibly adopted non-personal ad targeting. This is a very significant step forward and signals a change in the online advertising market. But Google has also taken a new and problematic approach to consent for personal data use in advertising that publishers will find hard to accept.

Google decides to use non-personal ad targeting to comply with the GDPR

Last Thursday Google sent a policy update to business partners across the Internet announcing that it would launch an advertising service based on non-personal data in order to comply with the GDPR.[1] PageFair has advocated a non-personal approach to advertising for some time, and commends Google for taking this position. As we noted six months ago,[2] Google AdWords, for example, can operate without consent if it discards personalized targeting features (and unique IDs).…

PageFair writes to all EU Member States about the ePrivacy Regulation

Dr Johnny Ryan GDPR

This week PageFair wrote to the permanent representatives of all Member States of the European Union in support of the proposed ePrivacy Regulation. Our remarks were tightly bounded by our expertise in online advertising technology. We do not have an opinion on how the proposed Regulation will impact other areas. The letter addresses four issues: PageFair supports the ePrivacy Regulation as a positive contribution to online advertising, provided a minor amendment is made to paragraph 1 of Article 8. We propose an amendment to Article 8 to allow privacy-by-design advertising. This is because the current drafting of Article 8 will prevent websites from displaying privacy-by-design advertising. We particularly support the Parliament’s 96th and 99th amendments. These are essential to enable standard Internet Protocol connections to be made in many useful contexts that do not impact privacy.…

PageFair’s long letter to the Article 29 Working Party

Dr Johnny Ryan GDPR

This note discusses a letter that PageFair submitted to the Article 29 Working Party. The answers may shape the future of the adtech industry.

Eventually the data protection authorities of Europe will gain a thorough understanding of the adtech industry, and enforce data protection upon it. This will change how the industry works. Until then, we are in a period of uncertainty. Industry cannot move forward, business cannot flourish. Limbo does not serve the interests of publishers. Therefore we press for certainty. This week PageFair wrote a letter to the Article 29 Working Party presenting insight on the inner workings of adtech, warts and all. Our letter asked the working party to consider five questions. We suspect that the answers may shape the future of the adtech industry.…

GDPR consent design: how granular must adtech opt-ins be?

Dr Johnny Ryan GDPR

This note examines the range of distinct adtech data processing purposes that will require opt-in under the GDPR.[1] In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”.[2] Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”.[3]  Rather than conflate several purposes for processing, Europe’s regulators caution that “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose”.[4] This draws upon GDPR, Recital 32.[5] In short, consent requests must be granular, showing opt-ins for each distinct purpose. How granular must consent opt-ins be?

The regulatory firewall for online media and adtech

The PageFair Team GDPR

This note announces Perimeter, a regulatory firewall to enable online advertising under the GDPR. It fixes data leakage from adtech and allows publishers to monetize RTB and direct ads, while respecting people’s data.

PageFair takes a strict interpretation of the GDPR. To comply, all media owners need to protect their visitors’ personal data, or else find themselves liable for significant fines and court actions. In European Law, personal data includes not only personally identifiable information (PII), but also visitor IP addresses, unique IDs, and browsing history.[1] The problem is that today’s online ads operate by actively disseminating this kind of personal data to countless 3rd parties via header bidding, RTB bid requests, tracking pixels, cookie syncs, mobile SDKs, and JavaScript in ad creatives.…

Overview of how the GDPR impacts websites and adtech (IAPP podcast)

The PageFair Team GDPR

In this podcast, the International Association of Privacy Professionals interviews PageFair’s Dr Johnny Ryan about the challenges and opportunities of new European privacy rules for website operators and brands.

Update: 3 January 2018: This podcast was the International Association of Privacy Professionals’ most listened to podcast of 2017.

The conversation begins at 4m 14s, and covers the following issues.

- Risks for website operators
- How “consent” is an opportunity for publishers to take the upper hand in online media
- Brands’ exposure to legal risk, and the agency / brand / insurer conundrum
- Personal data leakage in RTB / programmatic adtech
- How the adtech industry should adapt

As we told Wired some months ago, it’s not just that websites might expose yourself to litigation, it’s that you might expose your advertisers to litigation too.…

Frequency capping and ad campaign measurement under GDPR

Sean Blanchfield GDPR

This note describes how ad campaigns can be measured and frequency capped without the use of personal data to comply with the GDPR.

It is likely that most people will not give consent for their personal data to be used for ad targeting purposes by third parties (only a small minority [1] of people online are expected to consent to third party tracking for online advertising). Even so, sophisticated measurement and frequency capping are possible for this audience. This note briefly outlines how to conduct essential measurement (frequency capping, impression counting, click counting, conversion counting, view through measurement, and viewability measurement) in compliance with the EU’s General Data Protection Regulation. This means that publishers and advertisers can continue to measure the delivery of the ads that sustain their businesses, while simultaneously respecting European citizens’ right to protection of their personal data.…

Adtech consent is meaningless unless one stops data leakage

Dr Johnny Ryan GDPR

Websites and advertisers cannot prevent personal data from leaking in programmatic advertising. If not fixed, this will render consent to use personal data meaningless.

The GDPR applies the principle of transparency:[1] People must be able to easily learn who has their personal data, and what they are doing with it. Equally importantly, people must have surety that no other parties receive these data. It follows that consent is meaningless without enforcement of data protection: unless a website prevents all data leakage, a visitor who gives consent cannot know where their data may end up. But the online advertising system leaks data in two ways. This exposes brands, agencies, websites, and adtech companies to legal risk.

How data leakage happens

If “programmatic” advertising or “real time bidding” was ever a mystery to you, take 43 seconds to watch this PageFair video.…

The Privacy Case for Non-Tracking Cookies: PageFair writes to the European Parliament

Dr Johnny Ryan GDPR

In the last month, we have written to the MEPs leading the Parliament’s work on the ePrivacy Regulation (the “rapporteurs”) to propose an amendment. Here is a copy of the letter. PageFair supports the proposed ePrivacy Regulation, in so far as it will change online behavioural advertising. This is an unusual position for an ad tech company, and we have described why we have taken it in a previous note. We agree with the restriction on the use of tracking cookies in Article 8 of the Commission’s proposal for an ePrivacy Regulation, and in the draft report of the Parliament’s rapporteur. However, non-tracking cookies should not be treated the same way as tracking cookies. While tracking cookies pose a severe risk to data protection (Article 8 of the EU Charter of Fundamental Rights) and privacy of communications (Article 7 of the EU Charter of Fundamental Rights), non-tracking cookies do not.…

Here is what GDPR consent dialogues could look like. Will people click yes?

Dr Johnny Ryan GDPR

THIS NOTE HAS NOW BEEN SUPERSEDED BY A MORE RECENT PAGEFAIR INSIDER NOTE ON GDPR CONSENT DIALOGUES. PLEASE REFER TO THE NEW NOTE.

This note presents sketches of GDPR consent dialogues, and invites readers to participate in research on whether people will consent.

Note: It is important to note that the dialogue presented in this note is only a limited consent notice. It asks to track behaviour on one site only, and for one brand only, in addition to “analytics partners”. This notice would not satisfy regulators if it were used to cover the vast chain of controllers and processors involved in conventional behavioural targeting.

Consent requests

In less than a year the General Data Protection Regulation (GDPR) will force businesses to ask Internet users for consent before they can use their personal data.…