Overview of how the GDPR impacts websites and adtech (IAPP podcast)

The PageFair Team GDPR Leave a Comment

In this podcast, the International Association of Privacy Professionals interviews PageFair’s Dr Johnny Ryan about the challenges and opportunities of new European privacy rules for website operators and brands.  The conversation begins at 4m 14s, and covers the following issues. Risks for website operators How “consent” is an opportunity for publishers to take the upper hand in online media Brands’ exposure to legal risk, and the agency / brand / insurer conundrum Personal data leakage in RTB / programmatic adtech How the adtech industry should adapt As we told Wired some months ago, it’s not just that websites might expose yourself to litigation, it’s that you might expose your advertisers to litigation too. But this can be fixed. Click here to view PageFair’s repository of explainers, analysis, and official documents about the new privacy rules.…

Frequency capping and ad campaign measurement under GDPR

Sean Blanchfield GDPR Leave a Comment

This note describes how ad campaigns can be measured and frequency capped without the use of personal data to comply with the GDPR.  It is likely that most people will not give consent for their personal data to be used for ad targeting purposes by third parties (only a small minority [1] of people online are expected to consent to third party tracking for online advertising). Even so, sophisticated measurement and frequency capping are possible for this audience. This note briefly outlines how to conduct essential measurement (frequency capping, impression counting, click counting, conversion counting, view through measurement, and viewability measurement) in compliance with the EU’s General Data Protection Regulation. This means that publishers and advertisers can continue to measure the delivery of the ads that sustain their businesses, while simultaneously respecting European citizens’ right to protection of their personal data.…

Consent to use personal data has no value unless one prevents all data leakage

Dr Johnny Ryan GDPR Leave a Comment

Websites and advertisers can not prevent personal data from leaking in programmatic advertising. If not fixed, this will render consent to use personal data meaningless.  The GDPR applies the principle of transparency:[1] People must be able to easily learn who has their personal data, and what they are doing with it. Equally importantly, people must have surety that no other parties receive these data. It follows that consent is meaningless without enforcement of data protection: unless a website prevents all data leakage, a visitor who gives consent cannot know where their data may end up. But the online advertising system leaks data in two ways. This exposes brands, agencies, websites, and adtech companies to legal risk. How data leakage happens  If “programmatic”advertising or “real time bidding” was ever a mystery to you, take 43 seconds to watch this PageFair video.…

Research result: what percentage will consent to tracking for advertising?

Dr Johnny Ryan GDPR Leave a Comment

This note presents the results of a survey of 300+ publishers, adtech, brands, and various others, on whether users will consent to tracking under the GDPR and the ePrivacy Regulation.  In early August we published a note on consent, and asked whether people would click “yes”. We would like to thank the 300+ colleagues who responded to our research request. Now we present the results. Tracking for a single brand, on a single site. 305 respondents were asked by a publisher to permit a named brand and its analytics partners to track them on the site. A previous note explains the design of this notice. It is important to note that this is a limited consent notice. It asks to track behaviour on one site only, and for one brand only, in addition to “analytics partners”.…

How the GDPR will disrupt Google and Facebook

Dr Johnny Ryan GDPR 22 Comments

Google and Facebook will be disrupted by the new European data protection rules that are due to apply in May 2018. This note explains how.  Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. This is an acute challenge because, contrary to what some commentators have assumed, they cannot use a “service-wide” opt-in for everything. Nor can they deny access to their services to users who refuse to opt-in to tracking.[1] Some parts of their businesses are likely to be disrupted more than others. The GDPR Scale When one uses Google or Facebook.com one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. …

Here is what GDPR consent dialogues could look like. Will people click yes?

Dr Johnny Ryan GDPR 4 Comments

This note presents sketches of GDPR consent dialogues, and invites readers to participate in research on whether people will consent.  Consent requests In less than a year the General Data Protection Regulation (GDPR) will force businesses to ask Internet users for consent before they can use their personal data. Many businesses lack a direct channel to users to do this. Therefore, it is likely that they will have to ask publishers to seek consent on their behalf. This is a sketch of what a GDPR consent request by a publisher on behalf of a third party may look like, with references to the elements required in the GDPR. Update: it is important to note that this is a limited consent notice.

The 3 biggest challenges in GDPR for online media & advertising

Dr Johnny Ryan GDPR 1 Comment

This note explains the three deepest challenges that the online advertising industry must overcome to survive the new European data rules. It also outlines our approach.  The General Data Protection Regulation (GDPR) and the ePrivacy Regulation (ePR) pose particular challenges for publishers, brands, and adtech companies. These go beyond the normal gap analysis and security overhaul that other businesses must undertake to comply with the new rules. Online advertising and media businesses’ ability to function online depends on the outcome of three deep challenges. Deep Challenge 1: Obtaining consent to process an internet user’s personal data. Despite some lingering debate to the contrary, businesses will need consent from internet users to use their personal data for online behavioral advertising. This poses a UX challenge.…

Risks to brands under new EU regulations

Dr Johnny Ryan GDPR Leave a Comment

Brands face serious new risks under the GDPR and the ePrivacy Regulation (ePR), and agencies will not be able to shield them. This note explains why, and describes what these risks are.  When the GDPR and the ePrivacy Regulation (ePR) apply a year from now brands that use personal data in their marketing campaigns will become exposed to new legal risks, irrespective of their arrangements with ad agencies. Though the new rules are European, the exposure will be global.
Access the GDPR/ePR repositoryA repository of GDPR and ePrivacy Regulation explainers, official docs, and current status.Access Now Brands are directly exposed for two reasons. Why agencies can not shield brands The first reason is legal. The first reason is that the text of the General Data Protection Regulation (GDPR) says that “each controller or processor shall be held liable for the entire damage”, where more than one controller or processor are “involved in the same processing”[1]. …

PageFair statement at European Parliament rapporteur’s ePrivacy Regulation roundtable

Dr Johnny Ryan GDPR Leave a Comment

Lightly edited transcription of PageFair remarks at rapporteur’s sessions at the European Parliament in Brussels on 29 May 2017, concerning the ePrivacy Regulation.  Statement at roundtable on Articles 9, and 10.  Dr Johnny Ryan: Thank you. PageFair is a European adtech company. We are very much in support of the Regulation as proposed, in so far as it relates to online behavioural advertising (OBA).…

Why pseudonymization is not the silver bullet for GDPR.

Dr Johnny Ryan GDPR Leave a Comment

Pseudonymization will not save online advertising companies from having to seek consent to use browsing and other personal data. This note explains why. Personally identifiable data (PII) will become toxic in May 2018 when the General Data Protection Regulation is applied, unless data subjects have given consent.[1] Some businesses may try to rely on “pseudonymization”, a partial method of anonymization, to continue to use PII without consent. This would be a mistake, as the GDPR (and a previous opinion from the Article 29 Working Party[2]).…