PageFair writes to all EU Member States about the ePrivacy Regulation

This week PageFair wrote to the permanent representatives of all Member States of the European Union in support for the proposed ePrivacy Regulation.
Our remarks were tightly bounded by our expertise in online advertising technology. We do not have an opinion on how the proposed Regulation will impact other areas.
The letter addresses four issues:

  1. PageFair supports the ePrivacy Regulation as a positive contribution to online advertising, provided a minor amendment is made to paragraph 1 of Article 8.
  2. We propose an amendment to Article 8 to allow privacy-by-design advertising. This is because the current drafting of Article 8 will prevent websites from displaying privacy-by-design advertising.
  3. We particularly support the Parliament’s 96th and 99th amendments. These are essential to enable standard Internet Protocol connections to be made in many useful contexts that do not impact of privacy.
  4. We show that tracking is not necessary for the online advertising & media industry to thrive. As we note in the letter, behavioural online advertising currently accounts for only a quarter of European publishers’ gross revenue.

[x_button shape=”rounded” size=”regular” float=”none” href=”” info=”none” info_place=”top” info_trigger=”hover”]Read the letter [/x_button]

The digital economy requires a foundation of trust to enable innovation and growth. The enormous growth of adblocking (to 615 million active devices) across the globe proves the terrible cost of not regulating. We are witnessing the collapse of the mechanism by which audiences support the majority of online news reports, entertainment videos, cartoons, blogs, and cat videos that make the Web so valuable and interesting. Self-regulation, lax data protection and enforcement have resulted in business practices that promise a bleak future for European digital publishers.
Therefore, we commend the Commission and Parliament’s work thus far, and wish the Council (of Ministers of the Member States) well in their deliberations.

Adtech must change to protect publishers under the GDPR (IAPP podcast)

The follow up to the International Association of Privacy Professionals’ most listened to podcast of 2017. 
Angelique Carson of the International Association of Privacy Professionals quizzes PageFair’s Dr Johnny Ryan on the crisis facing publishers, as they grapple with adtech vendors and attendant risks ahead of the GDPR. The podcast covers:

  • Why personal data can not be used without risk in the RTB/programmatic system under the GDPR.
  • Where consent falls short for publishers.
  • How vulnerable the online advertising system is, because of central points of legal failure.
  • The GDPR is part of a global trend. New privacy standards are on the way in other massive markets including China (and in important tech ecosystems such as Apple iOS, Firefox).

This is the follow up to an earlier IAPP and PageFair podcast discussion (which was the International Association of Privacy Professionals’ most listened to podcast of 2017).

[x_button shape=”rounded” size=”regular” float=”none” href=”” info=”none” info_place=”top” info_trigger=”hover”]Listen at IAPP[/x_button]

[x_button shape=”rounded” size=”regular” float=”none” href=”” info=”none” info_place=”top” info_trigger=”hover”]Listen on iTunes[/x_button]

Click here to view PageFair’s explainers and official documents about the changes websites and apps must make under the new privacy rules. Elsewhere you can find details about Perimeter, PageFair’s GDPR solution for publishers.
[x_callout type=”center” title=”Perimeter: the regulatory firewall for online media and adtech. ” message=”Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.” button_text=”Learn more” href=””]

PageFair statement at European Parliament rapporteur's ePrivacy Regulation roundtable

Lightly edited transcription of PageFair remarks at rapporteur’s sessions at the European Parliament in Brussels on 29 May 2017, concerning the ePrivacy Regulation. 
Statement at roundtable on Articles 9, and 10. 
Dr Johnny Ryan: Thank you. PageFair is a European adtech company. We are very much in support of the Regulation as proposed, in so far as it relates to online behavioural advertising (OBA). Read more

Why pseudonymization is not the silver bullet for GDPR.

Pseudonymization will not save online advertising companies from having to seek consent to use browsing and other personal data. This note explains why.
Personal data will become toxic in May 2018 when the General Data Protection Regulation is applied, unless data subjects have given consent.[1]
Some businesses may try to rely on “pseudonymization”, a partial method of anonymization, to continue to use personal data without consent. This would be a mistake, as the GDPR (and a previous opinion from the Article 29 Working Party[2]). Read more

The Need to Know Adblock Slidedeck (updated!)

Dr Johnny Ryan of PageFair presented at The Advertising Research Foundation in New York this month.

This presentation includes

  • The latest adblock figures globally and for the US
  • Demographic discussion of who adblock users are
  • Options for media owners to address adblocking, from access restriction to tamper-proof ad serving
  • Unexpected benefits for marketers from the adblocking crisis

[x_video_embed type=”16:9″]




He was speaking alongside Omnicom, Annalect, and Intel.

Reprieve for IT departments as EU court rules on IP addresses

If you run a website, you might want to breathe a sigh of relief. A decision[1. The text of the ruling is available in a range of European languages (excluding English as of the time of writing) at] this morning from the European Court of Justice means that websites can continue to store visitor IP addresses.
The EU Court of Justice (ECJ) ruled that IP addresses are to be considered “personal data”, which are subject to the EU’s data protection rules, but hedged against causing disruption by watering down the ruling.
From the ECJ press release:

The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.

It would have been a shock to many if the ruling had gone the other way.[1. It could have been different, if the additional clause referring to legal means had not been included, as personal data is subject to stringent protection in the EU. Interestingly, the ruling slightly diverges from an opinion of an ECJ Advocate General delivered in May. Cases before the ECJ are considered in advance by an Advocate General, who publishes a (non-binding) opinion with which the Court often agrees. In May, AG Campos Sánchez-Bordona issued an opinion on this case that agreed that dynamic IP addresses constitute personal data, but also said that these data can be processed and stored without consent in cases where this is necessary to ensure a web service’s functionality.]

Why this matters

The immediate impact of a decision stopping the logging of IP addresses would have been disruption to many websites and services. IT departments everywhere would have thrown up their hands in despair at the task of expunging IP addresses from systems and databases that have relied on them.
Web services routinely keep a log of their users’ IP addresses. These logs are used for numerous largely mundane and innocuous purposes, such as to provide customized features to particular users, to prevent or enable access to content, or to blacklist IP addresses involved in “denial of service” attacks against a site.
IP addresses are rather more valuable to other companies. For instance, some adtech companies use IP addresses to identify and target consumers. Netflix and other content providers rely on IP addresses to restrict the use of VPNs to access TV shows and movies in blocked countries.[1. Geolocation can work at just the country-level, making it unnecessary to track individual IP addresses, and there are ways for Netflix et al to prevent VPN abuse, especially as business entities do not enjoy the same protection as individuals, but such workarounds would take time and money.]
While the ruling will probably pass by unnoticed, it is clear that websites have been granted a very real (although possibly temporary[1. The General Data Protection Regulation could change the rights landscape once it is applied in May 2018, as it includes stringent rules on how websites can handle personal data.]) reprieve, as the EU has been quick to act on ECJ rulings despite potentially devastating effects on companies both in Europe and elsewhere.
[share title=”Share this Post” facebook=”true” twitter=”true” google_plus=”true” linkedin=”true” pinterest=”true” reddit=”true” email=”true”]

Background to the ECJ’s decision

The ECJ was asked to rule on two issues:

  1. whether an IP address is personal data,[1. See (accessed October 11, 2016). Also, this is not the first time that the ECJ has concluded that IP addresses could be considered personal data. In Case C-70/10 Scarlet Extended SA v SABAM, a dispute between an ISP and a company “responsible for authorising the use by third parties of the musical works of authors, composers and editors”, the ECJ ruled that the ISP, Scarlet, could not be compelled to install a filtering system to detect and prevent the unlawful exchange of copyrighted works, as

    …the filtering system would also be liable to infringe the fundamental rights of its customers, namely their right to protection of their personal data and their right to receive or impart information, which are rights safeguarded by the Charter of Fundamental Rights of the EU. It is common ground, first, that the injunction would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data.

    However, while it opened the door to the classifying of IP addresses as personal data and was referenced in the Breyer opinion, AG Campos Sánchez-Bordona noted that the SABAM case was “in a context in which the collection and identification of IP addresses was carried out by the Internet service provider”. Today’s judgement has farther-reaching consequences: the ISPs in the SABAM case already knew who their customers are, whereas the Breyer case affects any and all websites.] and

  2. whether the practice of logging IP addresses without consent was legal.[1. Or, more precisely, in accordance with the relevant provision of the German Telemedia Act, which states that a website provider may collect and process the personal data of users without their consent only to the extent it is necessary to (1) enable the general functionality of the website or (2) arrange payment. In addition, the relevant provision of the Telemedia Act states that enabling the general functionality of the website does not permit user data to be processed after the user closes, or navigates away from, the website.]

This followed eight years of litigation in various German courts[1. From Amtsgericht to Landgericht to Bundesgerichtshof.], which initiated in an action taken against the German government by Patrick Breyer, a member of Germany’s Pirate Party.[1. Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland. EUR-Lex. (accessed October 11, 2016).] Breyer argued that government websites did not have an unrestricted right to indefinitely record the IP addresses of visitors without their consent.
Although IP addresses on their own are largely innocuous, Breyer gave two ways that government websites could combine IP addresses with other data to identification of an individual.
First, internet service providers (ISP) record customers’ real names and addresses, and assign their IP addresses. It is not inconceivable that a government could gain access to these records and connect a person’s real identity to their IP address.
Second, when combined with pages visited or search terms, IP addresses can provide an extensive profile of the visitor’s “political opinion, illnesses, religion, union affiliation” and more.[1. Translated from the original German suit brought by Breyer: (accessed October 12, 2016).]

The ruling

Today’s ruling will probably allow the German Supreme Court to rule against Breyer, as it effectively states that:

  1. a dynamic IP address constitutes personal data for a website operator only if it has the legal means enabling it to identify the visitor with the help of additional information from the ISP
  2. a website operator may collect and store personal data without consent for an indeterminate period so as to ensure the continued functioning of the website

[x_promo image=””]


JANUARY 3, 2008
Patrick Breyer asks Berlin local court to stop German government websites logging IP addresses
AUGUST 13, 2008
Local court dismisses case, arguing that an IP address is insufficient to identify an individual
JANUARY 31, 2013
Breyer appeals decision to Berlin district court, which orders German government to cease unrestricted logging of IP addresses
SEPTEMBER 16, 2014
German Federal Court of Justice addresses appeals from both parties
DECEMBER 17, 2014
German Federal Court of Justice refers two questions to European Court of Justice
MAY 12, 2016
Advocate General Sánchez-Bordona delivers his non-binding but influential opinion
OCTOBER 19, 2016
European Court of Justice rules that IP addresses are personal data under some circumstances
[x_callout type=”center” title=”Perimeter: the regulatory firewall for online media and adtech. ” message=”Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.” button_text=”Learn more” href=””]

Eight Things From Q3 Worth Knowing

Now, ten days into October, we have had time to digest on the events of the last quarter. As is ever the case with history, only some of the headlines of the last three months will have any lingering impact. But of all the events in the past three months the following eight are worth knowing about. This post is a quick digest of the ones that will shape the environment.
Read more

Global stakeholders discuss new approach to the Blocked Web

From late 2015 onward PageFair drew together global consumer groups, advertisers, agencies, publishers and browsers for senior level roundtable discussions on adblocking. These were held at The Financial Times, at Mozilla, and at MEC Global. The most recent roundtable was organised by both PageFair and Digital Content Next.
Participants at the PageFair roundtables included the World Federation of Advertisers, the 4A’s, DCN, the World Association of Newspapers, the National Newspaper Association, International Federation of Periodical Publishers, Havas, Google, Mozilla, the Centre for Democracy and Technology, the EFF, the Open Rights Group, the European Commission, the UK Government, the World Economic Forum, and many others including the global advertising holding companies.
Read more

Four big ideas emerge from PageFair global stakeholder roundtable

A growing segment of Web users sees few or no ads. Publishers are suffering mounting revenue losses as a result. But even as blocking of advertising harms publishers it also undoes the mistakes of the first 20 years of advertising on the Web.
Several vendors including PageFair have the technology to display ads in a way that is not affected by blocking. In the future it is likely that major industry incumbents (such as SSPs and CDNs) will also gain this ability.
We believe that the ability to defeat blockers should not simply enable a return to the situation before adblocking. Hundreds of millions of users have rebelled against the status quo in advertising. We must listen to them.
Advertising can be better. Earlier this month PageFair drew together the first summit of global stakeholders including consumer groups, advertisers, publishers, and browsers to consider the form that advertising on the blocked Web should take. You can read AdAge coverage here.
The roundtable, which PageFair convened at Mozilla’s London office, included the World Federation of Advertisers, the European Commission, the World Economic Forum, Mozilla, IAB Europe, ISBA, the Worldwide Magazine Media Association (FIPP), the World Association of Newspapers and News Publishers, Digital Content Next (DCN), the Electronic Frontier Foundation (EFF), and others.[1. The meeting was held under the Chatham House Rule. The participants mentioned here are a selection of those who have waived their right to anonymity.] The discussion focused on how to better respect users, support publishers, and provide value to advertisers.

The Four Points.

The following is a synthesis of points that emerged (as a majority view):

  • The user must have immediate tools to reject and to complain about advertising. This puts the consumer at the core of reform.
  • There should be a more sustainable balance between ‘above the line’ and ‘below the line’ advertising on the Web. Rather than restore all ads we should display only a limited number of premium advertising slots. This will make a better impact for brands and clean up the Web.
  • Use of contextual targeting to establish ad relevance can be increased. This will end what some view as an over-reliance on behavioral tracking of users.
  • Better metrics of advertising success are needed to reform the economics and quality of online advertising. This will end the race to the bottom. 

Note: revised on 15 April 2016 following participant feedback.
These Four Points amount to a basis for a tentative concord among four key communities – consumer groups, advertisers, agencies, and publishers – about a responsible approach to advertising beyond blocking.

Agencies can have their cake and eat it.

The Four Points, though radical, do not mark a painful departure for the advertising industry. It is true that large quantities of capital and other resources are being invested by agencies into the further development of personalized and captivating advertising. That is likely to continue.
But in parallel the Four Points provide agencies with a new and separate opportunity to respond to blockers with contextual targeting that does not track users, and with simple, respectful formats in an uncluttered part of the Web.
It is this parallelism – the ability of agencies to leverage the new opportunity of advertising beyond blocking without cannibalizing their status quo business – that will give publishers an opportunity to sustain themselves beyond adblocking.
And fundamental to this approach is an understanding that adblockers are a new and valuable segment.
adblock user

What the Four Points mean

Point 1. The user must have immediate tools to reject and to complain about advertising. This puts the consumer at the core of reform.

Point 1 makes consumer choice paramount. The user should, literally, have an immediately obvious mechanism, such as a large X, and a simple thumb up and thumb down button that he or she can tap to kill the ad or give immediate feedback.
This will also give the advertiser useful insight on which ads are positively and negatively received.

Point 2. There should be a more sustainable balance between ‘above the line’ and ‘below the line’ advertising on the Web. Rather than restore all ads we should display only a limited number of premium advertising slots. This will make a better impact for brands and clean up the Web.

Rather than use technology to simply put all the ads back what is proposed here is to limit the quantity of ads. And rather than imposing a prescriptive standard of what a “quality” ad is, this approach exploits the market conditions that arise when a limited number of ads has the benefit of abundant audience attention. The scarcity of this inventory will incentivize advertisers and agencies to invest in quality creative.
We know that the formats that blocking users are most willing to tolerate are text, image, and skippable video pre-roll.

Chart: survey of adblock users who were asked what types of advertisement they would be most willing to tolerate. 

Combining these formats with scarce inventory establishes a premium form of advertising that better serves brands and improves the user experience.
In other words the ads that are displayed will be not only fewer but better too.

Point 3. Use of contextual targeting to establish ad relevance should be increased. This will end the over-reliance on behavioral tracking of users.

Blockers are largely cookie-less users, because the majority have blocked tracking cookies. They can not be tracked across the Web. This means that the ‘below the line’ marketing activities that focus on the bottom of the marketing funnel become unworkable.

But this creates a new opportunity: appeal to these users in the same way as the glossy advertisements do in premium magazines. Ads can be shown to relevant consumers simply by using the context of the content alongside which they appear. For example, an ad for golf equipment is likely to be relevant to a person who visits a site to read a piece of content about a golf event. Using contextual relevance is how offline media have always placed advertising, and it works for the Web too. 
Taken together, points 2 and 3 dramatically expand the role that the Web can play in the marketers toolkit. This new type of premium ad can help marketers use the Web as an ‘above the line’ medium similar to TV, radio and magazine and newspaper advertising, which focus on the top of the marketing funnel.
The PageFair Funnel

Point 4. Better metrics of advertising success are needed to reform the economics and quality of online advertising. This will end the race to the bottom.

More realistic metrics, perhaps akin to those used off line to measure important results like purchase intent, could incentivise procurement departments within brands to focus on value over price. Rather than spend their budgets on lots of cheap inventory that appears in inferior places (the audience might be bots) advertisers equipped with better metrics are likely to invest inventory that can cut through the clutter.