
PageFair writes to all EU Member States about the ePrivacy Regulation

This week PageFair wrote to the permanent representatives of all Member States of the European Union in support of the proposed ePrivacy Regulation.
Our remarks were tightly bounded by our expertise in online advertising technology. We do not have an opinion on how the proposed Regulation will impact other areas.
The letter addresses four issues:

  1. PageFair supports the ePrivacy Regulation as a positive contribution to online advertising, provided a minor amendment is made to paragraph 1 of Article 8.
  2. We propose an amendment to Article 8 to allow privacy-by-design advertising. This is because the current drafting of Article 8 will prevent websites from displaying privacy-by-design advertising.
  3. We particularly support the Parliament’s 96th and 99th amendments. These are essential to enable standard Internet Protocol connections to be made in many useful contexts that do not impact privacy.
  4. We show that tracking is not necessary for the online advertising & media industry to thrive. As we note in the letter, behavioural online advertising currently accounts for only a quarter of European publishers’ gross revenue.

Read the letter: https://pagefair.com/wp-content/uploads/2018/03/PageFair-letter-on-ePrivacy-to-perm-reps-13-March-2018.pdf

The digital economy requires a foundation of trust to enable innovation and growth. The enormous growth of adblocking (to 615 million active devices) across the globe proves the terrible cost of not regulating. We are witnessing the collapse of the mechanism by which audiences support the majority of online news reports, entertainment videos, cartoons, blogs, and cat videos that make the Web so valuable and interesting. Self-regulation, lax data protection and enforcement have resulted in business practices that promise a bleak future for European digital publishers.
Therefore, we commend the Commission and Parliament’s work thus far, and wish the Council (of Ministers of the Member States) well in their deliberations.

Can websites use "tracking walls" to force consent under GDPR?

This note examines whether websites can use “tracking walls” under the GDPR, and challenges the recent guidance on this issue from IAB Europe. 
This week, IAB Europe published a paper that advises website owners that tracking walls (i.e., modal dialogs that require people to give consent to be tracked in order to access a website) will be permissible under the GDPR. Our view is different.
Several months ago we provided feedback to the IAB on what we regarded as serious mistakes in a preliminary draft of this paper, which we believe will be very detrimental to publishers who follow the paper’s advice. As it appears that our feedback did not make it into the published version of the paper, we want to put our opinion on the record, so that publishers can take it into account when deciding what course to follow under the GDPR.
We provide an analysis below, and have published our original feedback to the IAB here, for those who want to dig into it.
The GDPR forbids tracking walls.[1] This prohibition may seem curious to adtech colleagues working outside the European Union, who may view personal data as a valid payment for online content and services. It must be borne in mind that many of Europe’s nations have strong historical motivations, and have protected the right to privacy and the right to protection of one’s data as fundamental rights in the European Charter.[2] To understand how European regulators have viewed these rights in the context of tracking walls, consider the following, from the European Data Protection Supervisor:

“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation. One cannot monetise and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction.”[3]

We believe that publishers who implement tracking walls on their websites could shoulder significant risk of fines and legal action on behalf of the adtech companies that track users on their websites. As we show below, the defenses set forth in the IAB Europe paper are unlikely to convince a judge when the first publisher is sued for breaching the Regulation.
To be clear, we do believe that freely-given consent can help monetise a loyal minority of a publisher’s audience. But, to monetise the majority for whom personal data will not be available,[4] we must join together to build ads that work without personal data.[5] PageFair is partnering with publishers and adtech companies who share a commitment to building a safe adtech stack that is compliant with a strict interpretation of the regulations. This safe adtech can monetise the majority of the audience who will not freely consent to hundreds of 3rd party technology vendors, and interoperate with consent wherever it is available.

Errors in the IAB Europe paper

The IAB Europe paper advises websites that:

“Private companies are allowed to make access to their services conditional upon the consent of data subjects. The GDPR provides that account has to be taken of this when determining whether consent has been freely given, but does not prohibit the practice. Moreover, the ePrivacy Directive similarly explains that services may be made conditional on consent.”[6]

The following section details serious errors in this guidance. Here is a summary: the paper misreads Article 95 in the GDPR to mean that websites can ignore the GDPR’s prohibition on tracking walls, and that they can instead rely on a narrow allowance provided for in Recital 25 of the ePrivacy Directive. In a further misreading, the paper mistakenly suggests that Recital 25’s allowance can be applied to all website content. The problems with this are outlined below.
What the GDPR Article 95 says
The IAB Europe paper refers to Article 95 of the GDPR to say that “the ePrivacy Directive’s more specific rules prevail over the rules of the GDPR”. There are two important mistakes in this sentence. First, the actual text of the Article is:

“This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.”[7]

The paper mistakenly reads this to mean that website owners can ignore the GDPR and refer instead to the ePrivacy Directive’s narrow allowance for tracking walls. This is wrong for two reasons.
First, Article 95 does not cover websites. Rather, it covers “electronic communications services”, which are defined in European telecommunications law as transmission services, not content. (In fact, the definition of electronic communications services explicitly excludes services “providing, or exercising editorial control over, content” such as websites).[8]
Second, the paper mistakenly suggests that Article 95 is applicable to Recital 25 in the ePrivacy Directive. As the next section shows, this is important because the paper mistakenly claims that Recital 25 of the ePrivacy Directive permits tracking walls. But Article 95 of the GDPR would only apply to Recital 25 of the ePrivacy Directive if “specific obligations” were defined in Recital 25 that the GDPR was now adding additional obligations to. This is not the case: Recital 25 does not impose obligations. In fact, it provides narrow allowances, which is quite the opposite.
What the ePrivacy Directive Recital 25 says
The paper makes several incorrect assumptions about Recital 25 in the ePrivacy Directive. It cites part of a sentence from Recital 25 to suggest that tracking walls are permissible for all websites:

“website content may still be made conditional on the well-informed acceptance of cookies”.

However, the complete sentence has a different meaning. Here is the full sentence:

“Access to specific website content[9] may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”[10]

The complete sentence includes two important concepts that the paper does not address: “specific website content” and “legitimate purpose”.
This reference to “specific website content” in Recital 25, as European data protection authorities noted in 2013, means that “websites should not make conditional ‘general access’ to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies”.[11]
Furthermore, limiting access to specific content is permissible only for a “legitimate purpose”. As Recital 25 notes, this relates to purposes such as to “facilitate the provision of information society services”. The term “information society services” is defined in European Law to mean services explicitly requested by users.[12] Clearly, ads that require tracking are not the service that the user has requested.

Conclusion

To summarise, we believe the paper currently misreads Article 95 in the GDPR, and incorrectly assumes that this article is applicable to Recital 25 of the ePrivacy Directive, which the paper then mistakenly concludes can be applied to all website content.
We suggest no bad faith on the part of IAB Europe, or on the part of the adtech companies that led its drafting process. Nevertheless, we fear that website owners may expose themselves to risk as a result of following the guidance in this paper.

Notes

[1] See for example Recital 43, Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). “…Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”. See also Recital 32 and 42.
[2] Article 7 and Article 8 of the Charter of Fundamental Rights of The European Union.
[3] Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, European Data Protection Supervisor, 14 March 2017 (URL: https://edps.europa.eu/sites/edp/files/publication/17-03-14_opinion_digital_content_en.pdf).
[4] See “Europe Online: an experience driven by advertising”, GFK, 2017 (URL: https://www.iabeurope.eu/wp-content/uploads/2017/09/EuropeOnline_FINAL.pdf), p. 7 and “Research result: what percentage will consent to tracking for advertising?”, PageFair Insider, 12 September 2017 (URL: https://pagefair.com/blog/2017/new-research-how-many-consent-to-tracking/).
[5] See for example “Frequency capping and ad campaign measurement under GDPR”, PageFair Insider, 7 November 2017 (URL: https://pagefair.com/blog/2017/gdpr-measurement1/).
[6] “Consent, Working Paper 03/2017”, IAB Europe, 28 November 2017, p. 4 (URL: https://www.iabeurope.eu/wp-content/uploads/2017/11/20171128-Working_Paper03_Consent.pdf).
[7] Article 95, General Data Protection Regulation.
[8] “Electronic communications service means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks”. Article 2, paragraph c, of Directive 2002/21/EC of The European Parliament and of The Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive).
[9] As the Article 29 Working Party’s Opinion of 2013 notes: “The emphasis on “specific website content” clarifies that websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies (e.g.: for e-commerce websites, whose main purpose is to sell products, not accepting (non-functional) cookies should not prevent a user from buying products on this website).” Working Document 02/2013 providing guidance on obtaining consent for cookies, Article 29 Working Party, (URL: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf), p. 5.
[10] Recital 25, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[11] Working Document 02/2013 providing guidance on obtaining consent for cookies, Article 29 Working Party, (URL: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf), p. 5.
[12] “…any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: … “at the individual request of a recipient of services” means that the service is provided through the transmission of data on individual request.” Article 1, paragraph 2 of Directive 98/48/EC of The European Parliament and of The Council of 20 July 1998 amending directive 98/34/EC laying down a procedure for the provision of information in the field of technical standards and regulations.

European Commission proposal will kill 3rd party cookies

The 3rd-party cookie – the lifeblood of online advertising – may be about to die. 
A proposal this month from the European Commission to reform the ePrivacy Directive (ePD) requires mandatory privacy options and educates users to distinguish between 1st and 3rd-parties in a way that will make 3rd-party cookies extinct.
The Commission’s proposal also applies beyond cookies. The proposed reform of the ePD will further add to the disruption that Europe’s new regulatory regime for privacy – the GDPR – will wreak upon the media and advertising landscape when it applies in May 2018.
Caveat: the proposal is subject to negotiation between the Commission, the European Parliament, and the Council of Ministers. Its text may change before it becomes a regulation across the European Union.

Mandatory and binding privacy settings 

Web browsers (and similar software) will be required to prompt users with a menu of privacy options when they are installed for the first time.[1] The menu options will range from an extreme ban on all cookies to acceptance of all cookies, and will include intermediate options such as “reject third-party cookies” or “only accept first-party cookies”.[2] This is mandatory – a user must select one option from the menu in order to continue with the installation.[3] And unlike previous initiatives such as the Do Not Track standard, the Commission says that the user’s privacy menu choice will be “binding on, and enforceable against, any third-parties”.[4] This does not apply only to newly installed software, but also to browsers already in operation before the new rules are introduced. (These must be updated to comply no later than 25 August 2018.)[5]
In other words, at a point in 2018 there will be no browser installed in Europe that does not have legally binding privacy settings that have been selected by a user.

Users will distinguish between 1st and 3rd-parties

The Commission had previously considered forcing web browser vendors to reject all 3rd-party cookies by default, and giving users the ability to opt in to 3rd-party cookies if they wished.[6] The approach adopted in its final proposal appears less severe than this privacy-by-default approach, but will probably have the same consequence. The mandatory menu will educate users in a way that will cause a widespread rejection of 3rd-party cookies.
There are several measures in the proposal that will cause users to distinguish between 1st and 3rd-party tracking.
First, web browsers will be required to present the privacy settings options to users in a manner that educates them about “the compilation of long-term records of individuals browsing histories and the use of such records to send targeted advertising”.[7] Few users could be expected to willingly opt in to this. The inclination to say no will be compounded by users’ dawning awareness of the data collected about them, the uses to which these data are put, and the extent to which these data are breached, that will result from transparency requirements in the General Data Protection Regulation.[8]
Second, the Commission Proposal requires web browsers to present the higher privacy settings in a manner that does not dissuade users from selecting them.[9] 
Third, users who select lower privacy settings at first installation of a web browser will have controls to allow them to apply privacy controls on specific websites if they wish,[10] so there could be a gradual fall-off.
Finally, the proposal requires that users who have consented to their data being processed are reminded every six months that they can withdraw their consent at any time.[11]

Beyond cookies 

The proposal encompasses tracking measures beyond cookies. The Commission regards people’s devices, and data flows to and from those devices, as part of the private sphere.[12] As a result, users’ prior consent is required for tracking cookies, hidden identifiers, and “other similar unwanted tracking tools that can enter end-user’s terminal without their knowledge in order to gain access to information, to store hidden information and to trace the activities of the user or to instigate certain technical operations or tasks…”.[13] Remote collection of data in order to identify and track users, such as device fingerprinting, is explicitly included among the proposal’s prohibitions.[14]

Where and how this applies, litigation and penalties

Once negotiated between the European Commission, the European Parliament, and the European Council, the overhaul of the ePrivacy Directive will be directly transposed into the national laws of every nation in the EU.
The EU is the world’s largest single market. It will impact much of the martech and adtech sector because businesses outside the EU that provide services to users in the EU will have to have a representative in the EU[16] who will be addressable by supervisory authorities.[17] However, beyond the EU the ePD may have less impact than the GDPR. Its territorial scope covers communications within the EU and services to end-users in the EU irrespective of where the processing occurs in the world.[15]
The range of fines for infringements is similar to the GDPR.[18] For example, failure to comply with an order from a supervisory authority will be subject to a fine of up to €20 million or 4% of global turnover.[19]
There is also reason to anticipate litigation. As with the GDPR, end users can both complain to the regulator and seek redress in court against an infringement,[20] and users have a right to receive compensation for damage.[21] Users can also take the regulator to court if unhappy with its action or inaction. Users can also mandate privacy organizations to lodge a complaint and to seek redress in court on their behalf (and Member States may decide that such bodies can do so without users mandating it). Any other party that is adversely affected by infringements can bring legal proceedings.[22]
In short, the proposed ePD has teeth.


Timeline: what happens next?

  • Negotiation between Commission, Parliament and Council for an unknown duration. The Commission proposes that negotiations will be rapid, and that the ePD will apply on the same date as the GDPR on 25 May 2018.
  • Browsers installed prior to 25 May 2018 will have to require users to choose a privacy setting by 25 August 2018.
  • By 1 January 2018 the Commission will establish a monitoring programme to review the effectiveness of the ePD.
  • Three years after the application of the Regulation the Commission will evaluate its effectiveness.


NOTES

[1] Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM/2017/010 final – 2017/03 (COD), Recital 23 and 24 and Article 10 paragraphs 1 and 2.
[2] ibid., Recital 23.
[3] ibid., Article 10 paragraph 2.
[4] ibid., Recital 22.
[5] ibid., Article 10 paragraph 3.
[6] See Article 10 paragraphs 1 and 2 of a leaked draft of the proposal, available from Politico’s website. The leaked draft included a requirement that “all components of terminal equipment and all software that permits electronic communications on the market will be configured to refuse third-parties from storing or processing data on the terminal equipment of the end-user by default, and will prevent third-parties from using the equipment’s processing capabilities”
[7] Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM/2017/010 final – 2017/03 (COD), Recital 24.
[8] See related PageFair Insider post “Europe’s new privacy regime will disrupt the adtech Lumascape”; see also Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Recitals 39, 58, 60-63, and Article 13 paras. 1-2, and Article 13 and Article 14.
[9] Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM/2017/010 final – 2017/03 (COD), Recital 24.
[10] ibid., Recital 24.
[11] ibid., Article 9 paragraph 3.
[12] ibid., Recital 20.
[13] ibid., Recital 20.
[14] ibid., Recital 20.
[15] ibid., Recital 9 and Article 3.
[16] ibid., Article 3 paragraph 2 and 3.
[17] ibid., Article 3 paragraph 4.
[18] Member States have to determine penalties for infringements of Articles 12, 13, 14 and 17 (see ibid. Article 23 paragraph 4 and Article 24). Fines of €10M or 2% of total global annual turnover (see ibid. Article 23 paragraph 2), whichever is higher, apply to infringements of Article 8, Article 10, Article 15, Article 16. Fines of €20M or 4% of total global annual turnover apply to infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, and time limits for erasure (see ibid. Article 23 paragraph 3).
[19] ibid., Article 23 paragraph 4.
[20] ibid., Article 21 paragraph 1.
[21] ibid., Article 22.
[22] ibid., Article 21 paragraph 2.