Airwide Solutions

Aug 16, 2018

Email address: Tim looks after the product management team that covers ad serving, targeting, optimisation, workflow and creative globally. Prior to that, he worked in the telecoms sector for a number of years, with stints at Regus, Airwide Solutions and Schlumberger. Timholds a CIPP/E and CIPT from the International Association of Privacy Professionals, an MBA from INSEAD and a BSc in Chemistry from the University of Sheffield. We’re working on getting more articles from this author! We’re working on getting more articles from this author! Following the updated privacy laws enforced by the EU parliament, websites are legally required to show their cookie policy notice - and many users are happily accepting these notices and giving access to their data as they log onto their favourite sites. Tim Sleath, Vice President of Product Management at Exponential explains how the advertising industry could go a step further beyond GDPR In the flurry over recent months of establishing legal bases for data processing, and ensuring contracts reflect the reality of communicating with data subjects, it’s kind of become established that consent is somehow “better” than legitimate interest. I’ve seen it described as the “gold standard”. However, this is a misconception that will have negative consequences for users. Consider: many companies used to be very careful about NOT acquiring PII (Personally Identifiable Information) such as email addresses, precisely because this triggered personal data legislation. So vast swathes of the adtech industry (and doubtless many other companies too, given the near-universal remit of GDPR) who previously steered clear of such data, now find themselves in possession of it by virtue of cookie id and IP address…and therefore may as well gather any other personal data that’s available as there’s no administrative reason why not. Granted, the personal data needs to have a legal basis, but even if we look at the “gold standard” of consent, does anyone really think that will mean users have taken the opportunity to become fully informed and control their data usage? It’s more likely that, a user trying to access a page will do whatever’s quickest to dismiss any pop-up obscuring it – even if that means consenting. If not consenting still allows the page to load, then that’s ok too (if the website goes out of business some time down the road, ho hum). Assuming consent will empower users is identical to thinking the Ts & Cs provided by companies mean users are completely aware of their rights – in both cases, they would, if users read them. These are legal solutions to real-world problems, and they simply don’t suit the user experience. The missed trick with GDPR was allowing for an additional class of data – many argued for “pseudonymous” data such as cookie IDs to be more lightly regulated than “personal” data. Anyway, that ship has sailed. The US sectoral approach allows for much more flexibility – e.g. for advertising, the laws are not necessarily lighter (though often perceived as such) but are composed of a combination of federal and state law combined with industry codes of conduct. For example, the US are policed by entities such as the Better Business Bureau who can check up on your compliance with Digital Advertising Alliance and Network Advertising codes. These codes of conduct can be more specific and updated far more frequently than a lumbering juggernaut of an EU-wide regulation. So, we can expect that firms where a legal basis is in place will start obtaining more personal data for an individual, not less. This therefore increases the likelihood of breaches involving more significant data than just cookie ids and IP addresses, such as email address, phone number, name and credit card number – these are all classified as personal data under GDPR. Sure, those breaches will be punished using the more potent fines available to DPOs (Data Protection Officers), but that’s not going to help the affected users. And sure, there is plenty of narrative around GDPR that privacy by design, data minimization and encryption at rest are all good things, but these a) aren’t mandated, and b) can’t be policed proactively, so aren’t going to solve the whole problem. Where do we end up then? GDPR means all web/app users will be asked for consent for data processing, the scope of which will increase; 99% will not pay any attention to what’s being asked, and many of those will consent (virtually all of them, if it’s required to access the content). The additional tragedy is that the fraction who don’t consent are likely to be the same users who already exercised control via existing opt-outs or ad blocking plugins. There has been some debate about whether it’s “allowed” to block access to content if a user does not consent to data processing. I think this is a specious debate – there are laws to avoid companies not discriminating against buyers on the basis of ethnicity or sexuality. However, this is not discrimination, unless it is discriminatory to withhold your product/service from people who don’t want to pay for it. The ePrivacy regulation is the next milestone on the journey, building on the GDPR to provide a degree of sectoral focus on electronic communications. While still draft, the law will probably be defined before the end of 2018 and come into effect 2019-2020. The signs are that it will unequivocally rely on consent for online interactions but if so, this will entrench the flawed behaviour resulting from GDPR. The industry can, I’m sure, innovate further, perhaps combining the IAB Europe consent framework and the Digitrust initiative within the browser itself. However, without codes of conduct to ensure users are treated with respect by companies, no laws requiring pages of text to be read by users will truly result in improved protections and may well be putting users’ data at higher risk. Did you find this useful? Yes