Lightly edited transcription of PageFair remarks at rapporteur’s sessions at the European Parliament in Brussels on 29 May 2017, concerning the ePrivacy Regulation.
Statement at roundtable on Articles 9 and 10.
Dr Johnny Ryan: Thank you. PageFair is a European adtech company. We are very much in support of the Regulation as proposed, in so far as it relates to online behavioural advertising (OBA).
We have a general remark, and then two specific suggestions.
The general remark is hopefully an antidote to the view that you might hear from many here, that “if you do this, the sky will fall”.
The sky will not fall. The sky has already fallen.
- Citizens are blocking ads. Last time we counted it was 615 million of them blocking ads.
- Advertisers are annoyed with the current system. They are furious. Take a look at the industry press. The status quo is not working very well for them.
- I used to work in publishing, for The Irish Times. If I were still there it would annoy me that someone who comes to see my article will be identified and tracked from my article to be monetized at the cheapest possible price on the worst possible sites. Those sites compete with me and drive prices down.
- These problems are compounded by the fact that the data leakage from this system is used for nefarious purposes that now interfere with our electoral system.
So, we support the ePrivacy Proposal’s general direction on OBA.
Let me now make two specific suggestions.
On the consent question concerning Article 9, actually I think the problem lies in Recital 22.
I think somewhere, perhaps in Recital 22, there needs to be an explicit reference to publishers’ need to seek consent. Whether or not you make a direct reference to Do Not Track (DNT) from the W3C, that is a system that shows how this can work in practice.
I’m going to read out a sentence from the current Do Not Track spec, which is from August 2015.
“User granted site-specific exemptions [they mean consent] are agreed between the site and the user, stored by the user agent”.
This differs from the Commission’s proposal, which refers to the browser as “gatekeeper”. Publishers are rightly spooked when they think of the browser as a gatekeeper. That language was poorly chosen.
In contrast, the W3C Do Not Track standard treats the browser as the executor of an agreement between publisher and user. Recital 22 should recognise this.
The second suggestion is about privacy settings, which are in Article 10. This drifts into Article 8 as well, because they are so tightly bound.
Not all cookies are tracking, and not all tracking happens in cookies.
Some cookies have no privacy impact. Recitals 20 and 21, it seems on my reading, make clear that it should be permissible to store a cookie where there is no impact at all on privacy or personal data. But this is in conflict with Article 8, where permitted exceptions are few and tightly defined.
I’ll give you an example of a cookie that one might want to set as a publisher: let’s say my website decides that it will serve you the entire site in the colour pink two days a week. But on the third day it’s going to switch to the colour yellow. It will use a simple cookie that contains only the date of your first visit. The site can use this to know when the third day is, and then apply the colour pink.
Certainly, this colour change is not specifically necessary. Nor have you, the user, asked for it. But it should be permissible nonetheless. I should be able to display my site as I wish, provided there is no privacy impact on you. If you don’t like my site in pink, or in yellow, you can leave it.
Article 8 should contain a clear permission for cookies that have no impact on privacy. If you lump all cookies together then you close the door on all sorts of functionalities (even if frivolous, like this one) that have no privacy impact.
A view on privacy by default or by design.
When the early draft was leaked it had a strong privacy by default approach. When the official draft was later released it did not have this, and we thought that was a retrograde step. But the more we thought about it, the more unlikely it seemed that any unworthy party would be able to get consent in any case. The outcome will probably be exactly the same.
This is not a fashionable thing to say: it probably does not matter in this case in particular – not in all design cases – that the privacy is not by default. People will opt out anyway; one merely has to present them with the opportunity.
Statement at roundtable on Article 8.
I have a further remark about Article 8.1(d). The clause gives an exemption from the requirement for consent where “necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.”
The Commission’s intention here was presumably to prevent analyses that build a profile of a citizen across several contexts, including across many websites, and between online and offline environments.
But I suggest the clause should be changed to say “…provided that the results of such measurement are controlled by the provider of the information society service requested…”
This allows the publisher to sub-contract, provided it is the controller of the data.