Posts

PageFair writes to all EU Member States about the ePrivacy Regulation

This week PageFair wrote to the permanent representatives of all Member States of the European Union in support for the proposed ePrivacy Regulation.
Our remarks were tightly bounded by our expertise in online advertising technology. We do not have an opinion on how the proposed Regulation will impact other areas.
The letter addresses four issues:

  1. PageFair supports the ePrivacy Regulation as a positive contribution to online advertising, provided a minor amendment is made to paragraph 1 of Article 8.
  2. We propose an amendment to Article 8 to allow privacy-by-design advertising. This is because the current drafting of Article 8 will prevent websites from displaying privacy-by-design advertising.
  3. We particularly support the Parliament’s 96th and 99th amendments. These are essential to enable standard Internet Protocol connections to be made in many useful contexts that do not impact of privacy.
  4. We show that tracking is not necessary for the online advertising & media industry to thrive. As we note in the letter, behavioural online advertising currently accounts for only a quarter of European publishers’ gross revenue.

[x_button shape=”rounded” size=”regular” float=”none” href=”https://pagefair.com/wp-content/uploads/2018/03/PageFair-letter-on-ePrivacy-to-perm-reps-13-March-2018.pdf” info=”none” info_place=”top” info_trigger=”hover”]Read the letter [/x_button]

The digital economy requires a foundation of trust to enable innovation and growth. The enormous growth of adblocking (to 615 million active devices) across the globe proves the terrible cost of not regulating. We are witnessing the collapse of the mechanism by which audiences support the majority of online news reports, entertainment videos, cartoons, blogs, and cat videos that make the Web so valuable and interesting. Self-regulation, lax data protection and enforcement have resulted in business practices that promise a bleak future for European digital publishers.
Therefore, we commend the Commission and Parliament’s work thus far, and wish the Council (of Ministers of the Member States) well in their deliberations.

GDPR's non-tracking cookie banners

This note outlines how an anomaly in European law will impact cookie storage and presents wireframes of permission requests for non-tracking cookies. 
Online media will soon find itself in an anomalous position. It will be necessary to apply the GDPR’s consent requirements to cookies that reveal no personal data, even though the GDPR was not intended to be applied in this way.[1]
Recital 26 of the GDPR says that “the principles of data protection should … not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person…”.[2]
Even so, a hiccup in the choreography of European Law making is creating an unexpected situation in which the GDPR’s conditions will apply to cookies that reveal or contain no personal data.
The Data Protection Directive currently sets out the conditions under which consent should be sought for the storage of cookies.[3] However, this Directive will be repealed on 25 May 2018, before the forthcoming ePrivacy Regulation introduces new conditions for cookie consent.[4]
The Commission had intended that both the GDPR (which repeals the Data Protection Directive) and the ePrivacy Regulation (which updates cookie consent conditions) would be applied on the same date. But now that the ePrivacy Regulation is considerably delayed, a provision of the GDPR that says references to the Data Protection Directive “shall be construed as references to this Regulation” will apply to non-personal data in cookies also.[5]
Non-personal data are data that can not be related to an identifiable person. For example, there is no unique identifier, the data could relate to many people, and could not be used to single out an individual. As the European Court of Justice said in 2016, data are not personal “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant”.[6]
The GDPR way of asking for consent does not neatly apply to data such as these, that are not personal. For example, the language of the GDPR’s requirements for consent refers explicitly to personal data concepts. Consider some of the important terms: “processing” is “any operation or set of operations which is performed on personal data or on sets of personal data…”.[7] The word “processing” does not have this meaning where personal data are absent. Nor does the word “controller”, because a controller is “the natural or legal person … which … determines the purposes and means of the processing of personal data…”. [8] Similarly, “profiling” is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects…”[9].

Less friction

Therefore, although the GDPR provides for a very high standard of information to be presented with consent requests, as elaborated in a previous PageFair Insider note,[10] there is considerably less friction when using the GDPR requirements to request storage permission for data that are not personal.
The following table shows what elements are relevant when the GDPR’s requirements for consent are applied to cookies that neither contain nor revel personal data, as opposed to when it is applied to any processing of personal data.

Information to accompany consent requests
GDPR consent requirements – items listed in Article 13 Cookies where there are no personal data Any processing of personal data
the identity and the contact details of the controller[11] and, where applicable, of the controller’s representative;[12] N/A (there is no controller) Yes (where applicable)
the contact details of the data protection officer, where applicable;[13] N/A (there are no personal data) Yes (where applicable)
the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;[14] N/A (there are no personal data being processed) Yes
where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; N/A N/A
the recipients or categories of recipients of the personal data, if any;[15] N/A (there are no personal data being shared) Yes (where applicable)
where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.[16] N/A (there are no transfers of personal data) Yes (where applicable)
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;[17] N/A (there is no storage of personal data) Yes
the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;[18] N/A (there are no personal data) Yes
where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;[19] N/A (there is no processing of personal data) Yes
the right to lodge a complaint with a supervisory authority;[20] Yes Yes
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;[21] N/A (there are no personal data) Yes (where applicable)
the existence of automated decision-making, including profiling,[22] referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.[23] N/A (there are no personal data) Yes (where applicable)

As the table shows, the requirements for consent are considerably less demanding when used to request storage permission for non personal data, such as non-tracking cookies. This is because the GDPR was not intended to be applied in this manner. Below is a wireframe of a “storage permission” dialogue.

Storage permission

In this simple wireframe the question mark button reveals two informational buttons. 
The “my data rights” button provides information about how to lodge a complaint with the supervisory authorities, which is required under Article 13, paragraph 2, d. The “What is stored” button describes the non-personal data stored on the device, providing assurance to the user that their consent will not impact their fundamental right to privacy or their fundamental right to data protection. 
Note that this only applies where publishers and their adtech vendors scrupulously avoid the collection and any other processing of personal data, including all unique identifiers, as Perimeter Trusted Partners do. Otherwise, the GDPR’s consent requirements apply as normal.

The future

This anomalous situation will change when the ePrivacy Regulation is applied at some point in 2018 or later. The question is whether enough sensible pro-privacy businesses and NGOs will make the case for non-tracking cookies in the new Regulation. In late 2017 PageFair wrote to Members of the European Parliament to argue the case for permitting non-tracking cookies under the ePrivacy Regulation.[24] Our argument was that websites need a means to store information to operate, even for ancillary operations that their visitors do not request (such as A/B testing, for example) without bothering their users. Certainly, consent is essential where personal data are concerned, or where there exists the possibility to access communications information, for example, or private photo albums. But where non-tracking cookies are concerned, there must be an easier way. Unless there is some provision for protecting the humble non-tracking cookie, websites’ ability to smoothly transition to privacy-by-design advertising will be harmed.
[x_callout type=”center” title=”Perimeter: the regulatory firewall for online media and adtech. ” message=”Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.” button_text=”Learn more” href=”https://pagefair.com/perimeter”]

Notes

[1] Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 2, paragraph 1, notes the material scope of the Regulation: “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
[2] ibid., Recital 26.
[3] This is because the ePrivacy Directive, Article 2, paragraph f, and Recital 17, say that consent under the ePrivacy Directive should have the same meaning as previously defined in the Data Protection Directive.
[4] Article 94 of the GDPR repeals Directive 95/46/EC (the Data Protection Directive).
The ePrivacy Directive, Recital 17, says that “For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning as the data subject’s consent as defined and further specified in Directive 95/46/EC. Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.”
The ePD Article 2, (f) says “‘consent’ by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC”.
[5] The GDPR, Article 94, paragraph 2, says that references to the Data Protection Directive “shall be construed as references to this Regulation [the GDPR]”.
[6] Judgment of the Court (Second Chamber) Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, 19 October 2016.
[7] ibid., Article 4, paragraph 2.
[8] ibid., Article 4, paragraph 7.
[9] ibid., Article 4, paragraph 4.
[10] “GDPR consent design: how granular must adtech opt-ins be?”, PageFair Insider, 8 January 2018 (URL: https://pagefair.com/blog/2018/granular-gdpr-consent/).
[11] Note that the GDPR defines “controller” as an entity concerned with personal data. The definition in Article 4, paragraph 7, begins: “the natural or legal person … which … determines the purposes and means of the processing of personal data…”.
[12] The GDPR, Article 13, paragraph 1, a.
[13] ibid., Article 13, paragraph 1, b.
[14] ibid., Article 13, paragraph 1, c.
[15] ibid., Article 13, paragraph 1, e.
[16] ibid., Article 13, paragraph 1, f.
[17] ibid., Article 13, paragraph 2, a.
[18] ibid., Article 13, paragraph 2, b.
[19] ibid., Article 13, paragraph 2, c.
[20] ibid., Article 13, paragraph 2, d.
[21] ibid., Article 13, paragraph 2, e.
[22] Note that “profiling” is defined in the GDPR as a processing of personal data. The definition in Article 4, paragraph 4 begins: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects…”
[23] ibid., Article 13, paragraph 2, f.
[24] PageFair to European Parliament ePrivacy rapporteurs, 5 July 2017, re “non-tracking cookies in the ePrivacy Regulation” (URL: https://pagefair.com/blog/2017/non-tracking-cookies/).
[25] “Guidelines on consent under Regulation 2016/679”, Article 29 Working Party, 28 November 2017, p. 20.

How to audit your adtech vendors' GDPR readiness (and a call to adtech vendors to get whitelisted as Trusted Partners)

This note describes how publishers can audit their adtech vendors’ readiness for the GDPR, and opens with a call for adtech vendors to collaborate with PageFair so that they can be whitelisted as Trusted Partners by PageFair Perimeter. 

How adtech and media will work under the GDPR

We anticipate that the GDPR will indeed be enforced, whether by national regulators or by NGOs or individuals in the courts. We also realise that consent is the only applicable legal basis for online behavioural advertising (See analysis). Personal data can not be processed for OBA in the absence of consent.

However, consent dialogues for adtech need a “next” button -or a very long scroll bar- because online behavioural advertising requires many different opt-ins to accommodate many distinct personal data processing purposes.  How many people will click OK 10+ times? (See analysis).

Even people do repeatedly opt-in for various adtech processing purposes, that consent will be inconsequential if there is continued widespread leakage of personal data through RTB bid requests, JavaScript in ads, mobile SDKs, and assets loaded from 3rd parties. Consent only has meaning if one prevents the personal data from falling into the hands of parties that do not have consent (See discussion).

Therefore, it is essential to plan for the eventuality that very few, if any, people will provide the ten or more opt-ins required to cover the diverse range of data processing purposes conducted by today’s online behavioral advertising ecosystem.

The only way to remove all risk of fines and legal suits for publishers, advertisers, and adtech vendors, is to use no personal data at all, unless one has consent. This would put routine advertising outside the scope of the GDPR, with no controllers, processors, nor personal data breaches.

PageFair Perimeter is working with a group of adtech vendors who can provide publishers with direct and programmatic adtech that uses only non-personal data (See footnote for a discussion of non-personal data).[1] Aside from non-personal cookie storage, there will be no need to seek consent because there will be no processing of personal data. 

In the minority of cases where valid consent is present, the corresponding vendors will be free to add incremental value by consensually using personal data.

Perimeter will block all 3rd parties that process personal data on its client publishers’ websites and apps, unless consent is present. Trusted Partner adtech vendors, who can operate programmatic and direct advertising without personal data, will be whitelisted (and promoted to publishers).

This note proceeds with two sections. The first describes Trusted Partner adtech vendors. The second outlines what questions publishers should ask their adtech vendors to audit their use of personal data and GDPR-readiness.

PageFair is calling for “Trusted Partner” Adtech vendors

PageFair is working with a group of adtech vendors who can provide publishers with direct and programmatic adtech that uses only non-personal data. (see footnote for a discussion of non-personal data). And of course, if appropriate consent is present, then these adtech vendors can process personal data.

Subject to verification that personal data is not processed without consent, PageFair Perimeter will whitelist Trusted Partners’ technology, while continuing to block all other 3rd parties.

We invite adtech vendors to work with us as Trusted Partners. Trusted Partners provide versions of their services that scrupulously prevent the collection or other processing of Personal Data, except where suitable consent has been obtained from the data subject and data protection requirements have been satisfied in a manner consistent with the GDPR.

[x_button shape=”rounded” size=”regular” float=”none” href=”https://goo.gl/forms/2RmmTbSiOy89Dx0l2″ info=”none” info_place=”top” info_trigger=”hover”]Become a Trusted Partner[/x_button]

PageFair will share methods for performing essential adtech functions (bid requests, frequency capping, measurement and reporting, etc.) with partners.[2]

How publishers can examine their adtech vendors’ personal data processing and GDPR-readiness.

The following section is a questionnaire for web and mobile publishers to use when exploring whether their adtech vendors are safe under the GDPR.

Questionnaire for adtech vendors

1. Unique identifiers

For each unique user identifier that you use, or introduce into the page, please list the primary purpose, the type, the duration of the identifier, what other companies might receive it, and what secondary purposes it might be used for.

Identifier name Primary purpose Secondary purposes Type
Example: 1st party cookie. 3rd party cookie. localStorage cookie. eTag supercookie. Flash supercookie. HSTS supercookie. device fingerprint / statistical ID. IP stack fingerprint. Other.
Lifetime of ID Other recipients

2. Other personal data

Do you use any other personal data (e.g., IP address, name, address, social security numbers, credit card numbers, email addresses or email address hashes)?

  1. What are their purpose?
  2. Where do you obtain this data from?
  3. Is there auditable consent from the user for the use of this personal data for this purpose?
  4. How do you match this data to unique user IDs?

3. Adtech server-to-server calls

What other advertising systems do you make server-to-server calls to that may communicate user IDs or other personal information, for example RTB bid requests, or automated transfer of RTB or ad call logs?

4. Cookie syncing / user matching

What other domains do you perform cookie syncing / user matching with?

5. Frequency capping

Do you perform frequency capping using unique user IDs? How?

6. Impression counting

Do you depend on any unique user identifiers when you perform impression counting? (for example, to count “unique impressions”)

7. Conversion counting

If you perform conversion counting, does this depend on unique user identifiers to track the user from click to post-conversion?

8. View through counting

If you perform view-through counting, does this depend on unique user identifiers to track the user from view to post-conversion?

9. Viewability measurement

If you perform viewability measurement, does this depend on any unique user identifiers?

10. Cross-device identification

If you perform any cross-device identification of users, what IDs do you use, and how do you match mobile device IDs with other IDs?

11. Fraud detection

If you perform fraud detection, do you use unique identifiers to track devices between websites, or perform other per-user analytics to detect the possibility of bot traffic?

Conclusion

It is inevitable that the audit above will find the processing of personal data is the norm among adtech vendors. This exposes the vendors, and their clients, under the GDPR.

PageFair invites all adtech vendors to provide versions of their service that operate outside the scope of the GDPR. We intend is to share insights on the tweaks required to take personal data out of adtech (where consent is absent) with Trusted Partners, and promote vendors who operate as Trusted Partners to publishers who use Perimeter.

Our objective is to minimize the number of vendors that publishers must block to protect themselves from GDPR liabilities.

[x_button shape=”rounded” size=”regular” float=”none” href=”https://goo.gl/forms/2RmmTbSiOy89Dx0l2″ info=”none” info_place=”top” info_trigger=”hover”]Become a Trusted Partner[/x_button]

[x_callout type=”center” title=”Perimeter: the regulatory firewall for online media and adtech. ” message=”Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.” button_text=”Learn more” href=”https://pagefair.com/perimeter”]

Notes

[1] Non-personal data are any data that can not be related to an identifiable person. As Recital 26 of the GDPR observes, “the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. This recital reflects the finding of the European Court of Justice in 2016 that data are not personal “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant”. Judgment of the Court (Second Chamber) Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, 19 October 2016.

[2] For methods of performing frequency capping, impression counting, click counting, conversion counting, view through measurement, and viewability measurement see PageFair note at https://pagefair.com/blog/2017/gdpr-measurement1/.

Supporting new European data regulation

Unusually for an ad-tech company, PageFair supports the proposed ePrivacy Regulation. Here is why.
[x_alert type=”success”]Additional note (11 May 2017): our position concerns the proposal’s impact on online behavioural advertising (OBA). Though there are kinks to work out, as we note in our recent statement to Parliament representatives, we strongly endorse the proposal’s broad approach to OBA.[/x_alert]
 The European Commission has proposed new rules for ePrivacy, which will supplement the GDPR.[1] Unlike colleagues in other digital advertising companies, PageFair commends the proposed privacy protections for online advertising.
[prompt type=”left” title=”Access the GDPR/ePR repository” message=”A repository of GDPR and ePrivacy Regulation explainers, official docs, and current status.” button_text=”Access Now” href=”https://pagefair.com/datapolicydocs/”]
PageFair has taken this position for two reasons.

First, personal data are not required for online advertising. 

The online advertising system can deliver relevant ads without the need to use personal data, or third party cookies that collect personal data. Where cookies are required for advertising, non-tracking cookies are adequate.
Consider (A) and (B) below.

  1. The online advertising industry already uses systems to target advertising online without using personal data. Advertising media have relied on ‘contextual’ targeting for over a century. Many of the digital tools that advertisers and their agencies use to buy advertising space already offer contextual targeting. This is often accompanied by ‘behavioural’ targeting that uses personal data, but these data are not strictly necessary for the placement of relevant advertising on websites.
  2. Even if point A was not already the case, PageFair has developed a method of serving ‘group-interest based’ relevant ads that target ads relevant to reader’s interests without using personal data. We envisage sharing this freely with no commercial terms. This is an example of the kind of innovation that the proposed Regulation will stimulate.

Second, trustworthy publishers will benefit from the proposed rules.

By making Do Not Track (DNT) enforceable, the Regulation puts a new commercial value on trust. Publishers that have earned the trust of their users will benefit from the proposed Regulation. A small, niche topic website that has earned the trust of its users is more likely to gain a user’s consent to use her personal data than a large website that misleads with “click bait” headlines and so forth. Trust is the new asset that matters, and the size of the publisher is immaterial.
Publishers will gain power over advertising intermediaries (agencies, ad-tech companies), reversing the trend of two decades. Today, visiting a website exposes a citizen’s personal data to a cascade of third parties, and to third parties of third parties. Under the new Regulations, visiting a website will be like visiting one’s doctor: the new Regulations create a situation in which no one else is admitted to the consultation room unless both citizen and publisher invite them in.
Ad-tech companies that now extract more than half of the money spent by advertisers will have to cooperate with publishers to gain consent exceptions from visitors for the use of their personal data.[2] This creates an opportunity for publishers to command a greater share of the advertising budget. Indeed, trustworthy publishers are likely to become attractive targets for acquisition by advertising holding companies.
 

Conclusion

The status quo is unsustainable in two respects. On the one hand, the aggregation and processing of personal data by data brokers and others with access to the OBA system poses threats to citizens’ individual interests, and to society.[3] On the other hand, the brands that pay for online advertising are deeply dissatisfied with how it currently works. The world’s largest advertisers complain of poor or misleading data about advertising and its effectiveness.[4] They also waste billions of dollars a year due to ‘ad fraud’, in which advertisers pay for clicks and views that are actually simulated by ‘ad fraud bots’.[5]
The enormous growth of adblocking (to 615 million active devices) across the globe proves the terrible cost of not regulating. We are witnessing the collapse of the mechanism by which audiences support the majority of online news reports, entertainment videos, cartoons, blogs, and cat videos that make the Web so valuable and interesting. There is no future for a European digital media, content, or advertising industry based on the kind of data practice that self regulation and lax data protection have permitted.
The digital economy requires a foundation of trust to enable innovation and growth. The high data protection standards in the ePR as proposed are entirely compatible with the success of the publishing and media industry on the one hand, and the advertising industry on the other. Indeed, they are essential.
The ePR, together with the GDPR, puts a new premium on trust that will help publishers, and will change the web for the better.

See also 

See our analyses on the ePrivacy Regulation the GDPR:

 
[x_callout type=”center” title=”Perimeter: the regulatory firewall for online media and adtech. ” message=”Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.” button_text=”Learn more” href=”https://pagefair.com/perimeter”]

Notes

[1] The European Commission’s proposed ePrivacy Regulation is currently under negotiation between the European Commission, the European Parliament, and the Council of Ministers of European Union Member States.
[2] “Tracking Preference Expression (DNT): W3C Candidate Recommendation”, W3C, 20 August 2015 (URL: https://www.w3.org/TR/tracking-dnt/). For technical details of how publisher-specific exemptions function see https://www.w3.org/TR/tracking-dnt/#exceptions.
[3] Two alarming examples of how OBA leakage in the United States has enabled the aggregation of sensitive personally identifiable information: Tanya O’Carroll and Joshua Franco, “‘Muslim registries’, Big Data and Human Rights”, Amnesty Interntional, 27 February 2017 (URL: https://www.amnesty.org/en/latest/research/2017/02/muslim-registries-big-data-and-human-rights/); and “Cambridge Analytica Explained: Data and Elections”, Privacy International, 13 April 2017 (URL: https://medium.com/@privacyint/cambridge-analytica-explained-data-and-elections-6d4e06549491).
[4] For example, see one of several speeches by the CMO of the world’s largest advertiser: “P&G’s Pritchard Blasts Objections to His Digital Demands as ‘Head Fakes'”, Advertising Age, 2 March 2017 (URL: http://adage.com/article/cmo-strategy/p-g-s-pritchard-dismisses-objections-digital-demands-head-fakes/308144/).
[5] Mikko Kotila, Ruben Cuevas Rumin, Shailin Dhar, “Compendium of ad fraud knowledge for media investors”, World Federation of Advertisers and The Advertising Fraud Council, 2016 (URL:  https://www.wfanet.org/app/uploads/2017/04/WFA_Compendium_Of_Ad_Fraud_Knowledge.pdf), p. 3.