New GDPR Ruling In France Could Dramatically Re-shape Online Advertising
from the not-going-with-the-consent-flow dept
The EU’s General Data Protection Regulation only came into force in May of this year. Since then, privacy regulators across the EU have been trying to work out what it means in practice. As Techdirt has reported, some of the judgments that have emerged were pretty bad. A new GDPR ruling from France has just appeared that looks likely to have a major impact on how online advertising works in the EU, and therefore probably further afield, given the global nature of the Internet.
The original decision in French is rather dense, although it does include the use of the delightful word “mobinaute”, which is apparently the French term for someone accessing the Internet on a mobile device. If you’d like to read something in English, Techcrunch has a long and clear explanation. There’s also a good, shorter take from Johnny Ryan of the browser company Brave, which is particularly interesting for reasons I’ll explain below.
First, the facts of the case. The small French company Vectaury gathers personal information, including geolocation, about millions of users of thousands of mobile apps on behalf of the companies that created them. It analyzes the data to create user profiles that companies might want to advertise to:
We continuously analyse, classify and enrich hundreds of thousands of profiles in order to offer you big data predictive models and actionable audience segments at any time. Our geo-profiling algorithm relies on a framework of more than 80 million points of interest around the world, grouped into 450 categories.
Vectaury sells access to those profiles using a standard industry technique known as “real-time bidding” (RTB). This really does happen in real-time: advertisers can bid to display their ads on Web pages as they are loading on a user’s mobile. The key benefit is that it allows ads to be tightly targeted to audiences that are more likely to respond to them. However, to do this, personal information has to be sent to many potential advertisers so that they can submit their (automated) bids.
That’s a problem under the GDPR, since users are supposed to give their consent before personal data is transmitted to companies in this way. To get around that problem, the industry has developed what are known as consent management platforms (CMP). In theory, these allow users to pick and choose exactly what kind of information is sent to which advertisers. But in practice they usually amount to a top-level button marked “I accept”, which everyone clicks on because it’s too much effort going through the subsidiary pages that lie underneath. The top-level acceptance grants permission to all the bundled advertisers, hidden in lower levels of the CMP, to use personal data as they wish.
When the French data protection authority CNIL carried out an on-site inspection of Vectaury, it found the company was holding the personal data of 67.6 million people. However, it did not accept that Vectaury had been given meaningful permission to use that data through the use of the bundled permission system. In a trail-blazing decision, CNIL said that Vectaury couldn’t simply point to contracts that required its partners to ask users for permission to share personal data: Vectaury had to be able to show that it had checked it really did have permission from everyone whose data it had acquired.
That ruling is not just a big problem for Vectaury — it’s hard to see how it could possibly confirm consent for the 67.6 million people whose data it holds. It’s also a problem for the online advertising industry in Europe, which uses a framework for GDPR “consent flow” that has been created by industry trade association and standards body, IAB Europe. Vectaury’s system is essentially the same as IAB Europe’s, so it would seem that the latest ruling by the French data protection authority also calls into question the industry standard technique for obtaining consent that is vital for the RTB process. Without that “consent flow”, it is not possible to share personal data so that automated real-time bids can be submitted.
If that interpretation is correct, it would mean that RTB as currently practiced in the EU will no longer be allowed. In fact, the RTB system was already under threat because of a GDPR complaint filed a couple of months ago with the Irish Data Protection Commissioner and the UK Information Commissioner, which notes:
Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.
A data breach occurs because this broadcast, known as an “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.
The three complainants are Jim Killock, Executive Director of the Open Rights Group, Michael Veale of University College London, and Johnny Ryan of Brave, mentioned above. His blog post about the new French GDPR ruling concludes:
This is the latest in a series of decisions published by CNIL against adtech companies. … What marks this decision apart are the broad implications for RTB, and for the IAB consent framework.
It could also be a problem for Google, which relies on a similar approach for its own real-time ad bidding system. The potential implications of the CNIL ruling across the EU are a further indication of the massive long-term impact the GDPR will have on the Internet, perhaps in multiple and unexpected ways.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: advertising, france, gdpr, online advertising, privacy, real time bidding
Companies: vectuary
Comments on “New GDPR Ruling In France Could Dramatically Re-shape Online Advertising”
While I think overall the GDPR is a bad law, I won’t be crying any tears over problems it causes for the advertising industry. Laws like the GDPR are a direct result of careless use and abuse of personal data by corporate advertisers.
Re: Re:
“I won’t be crying any tears over problems it causes for the advertising industry. “
The question then becomes how much it will cause problems for every other industry. The knock-on effects could be significant in unexpected ways.
I wouldn’t shed tears for anyone 100% dependent on ad revenue gained by illicit means, but the problems here shouldn’t be underestimated.
“Laws like the GDPR are a direct result of careless use and abuse of personal data by corporate advertisers.”
…and poorly conceived and drawn out laws are the cause of even greater problems.
Re: Re: Re:
Re: Re: Re: Re:
“The GDPR is based on experience with an earlier data protection directive, drafted to fix its flaws”
That may have been the intention, but that’s not what’s happened in reality.
“It is “data brokers” and “data hoarders” that fear the consequences of the GDPR.”
Not from where I’m sitting, where I can see both how horribly it’s been implemented, how poorly it’s been communicated and how many unintended consequences are upcoming because of that.
Believe me, I’m seeing how it’s being dealt with in multiple industries that have nothing to do with data hoarding, and it’s not pretty.
Re: Re: Re:2 Re:
Could you give some (anonymized) examples? There has been some overreacting to the directive.
Re: Re: Re:3 Re:
“There has been some overreacting to the directive.”
Well, frankly, that’s my point.
You claimed that “It is “data brokers” and “data hoarders” that fear the consequences of the GDPR.”. Yet, we can see immediately that even companies that didn’t have to comply with the regulations in the first place were scrambling and overreacting to it when it came into force – and that was after a 2 year grace period to get things in order before it became effective.
That doesn’t seem like a straightforward set of regulation drafted to fix a previous set to me. There’s huge levels of confusion still, and those will inevitably lead to unintended consequences. The exact reactions in my experience range from stalling useful projects to hoping that the company’s too small to be noticed, but there’s plenty of ways for things to go in different ways than intended.
Re: Re: Re:4 Re:
I note we agree on the overreacting and I’ll give you that early government communication about the directive has been bad. If you add misinformation spread by lobbyists and stakeholders it isn’t strange at all to see confusion.
Is that caused by the directive or caused by the communication of the directive? I’ve followed the communications of the Data Protection Supervisors and they provide useful guidance on implementation of the directive.
The more cool-headed companies realized that if they already worked according to the earlier EU data protection guideline it was easy to become GDPR compliant.
Re: Re: Re:5 Re:
“Is that caused by the directive or caused by the communication of the directive?”
Both, really. Some of the legislation was confusing without specific guidance (and in my view, some had no business being there at all), while the overall communication was poor in my experience. I’ve dealt with a number of large companies who either didn’t seem to be aware that it would affect them as recently as the start of the year, or who had clearly not understood the level of changes to systems and process that would be required.
“The more cool-headed companies realized that if they already worked according to the earlier EU data protection guideline it was easy to become GDPR compliant.”
For some companies, not for others. Which is where the unintended consequences I referred to earlier come in. I’m not sure of where these consequences will be or how severe, but it will have consequences beyond the intended ones.
Again, it wasn’t an impossible task for most businesses when approached with proper guidance and level heads, only that it’s not the “data brokers” who are scared and/or will be affected.
The GDPR is going dark
Personally, I think this is an excellent result. But, lets put this in context …
The GDPR is a response to surveillance capitalism, in the same way that pervasive encryption is a response to massive network monitoring (aka government surveillance).
cf. RFC7258 https://tools.ietf.org/html/rfc7258
A few different items to be addressed
The advertisers have a bunch of issues to overcome, in three main categories.
a) The process used to obtain consent, both for new users and for existing users who need to have new consent documented to overcome the current deficiencies. The big issue with the existing model seems to be that the consent wasn’t specific enough to satisfy the court, and the record-keeping was inadequate.
b) the process to filter advertisements needs to account for users who have not made a decision on consent for certain ads/apps, and users who have explicitly denied access under the new consent model.
c) the data model to connect a) and b) needs to be efficient enough to pre-filter bids and display winning ads in real-time. An advertiser that wins a bid where it then turns out that the user has refused (or refuses at the time of display) consent is a lost opportunity for advertiser, app and broker.
Of course, the advertisers and brokers will probably choose option d): tie the issue up in court for a few more years, paper over the existing design with meaningless cosmetic changes, and hope the political winds change.
I am a little concerned that this ruling is somewhat ambiguous.
Advertisers need to get consent to share this information. This advertiser got consent, but the court is (after the fact) saying that the consent is not good enough. I do not read French all that well, but I could not figure out what “good enough” amounts to.
Vague laws like this just seem to get directed at companies and people that the government does not like, and that is never a good thing.
Re: informed consent
In EUrope there already is some jurisprudence on what are proper ways to obtain “informed consent”. There also is jurisprudence on how one should register that consent was obtained. (Registration requirements are light, but there is a significant bar to pass regarding to the information provided.)
And as data processor the information broker is responsible for obtaining informed consent. Even if it has contracts with the providers of the information (the websites), it still has the responsibility to ensure that those websites display a proper consent form.
It seems that this broker failed on two fronts: registration that consent was obtained and verifying the quality of the provided information. (If any was provided at all)
Yes, the GDPR is a tough law for “data brokers” and intentionally so. For other businesses it requires that they take reasonable privacy protections.
Spaghetti consent
No, iet is esy for Vectuary to solve this problem. They just add a Y/N flag to their API that the partner must set to Y to use the API. The flag will be labelled the “ConsentObtainedFlag” and the partner will be required to set it to Y only if “consent has been obtained” and if the partner does not set it to Y, then the API will reject the request. Vectuary will just point to all those Y flags, which they will record, as proof that consent was confirmed.
Now, of course the partners will also have API’s and those will also have a ConsentObtainedFlag. And, of course, the contracts will all say none of these is ever supposed to be set to Y unless affirmative consent has been obtained that the citizen gave to read one article in a blog, 3 years before.
But now CNIL gets the fun of tracing all those Y’s back through shell companies and contractual relationships, across country and legal boundaries, through hundreds and hundreds of relationships, some of which will be circular, to determine its origin.
Maybe the origin is hardcoded Y, in which case Vectuary says simply that the originator violated the terms of their API. Or not. Because maybe it leads back to a consent someone actually has on record, in which case CNIL has the fun of figuring out if the consent really covered Vectuary API.
Good luck CNIL.
Re: Spaghetti consent
The GDPR says that Vectuary (given its line of business) has to keep records showing that consent was obtained. That could be a simple database record saying “yes to form [xxx] on [date] from [ip]”. If there is no such registration, Vectuaty has to suffer the consequences.
CNIL might want to track some of those records back, to check whether there’s any reality behind it (and have Vectuary and its contract partners suffer for fraudulent behaviour). Vectuary is provessing the data and thus responsible for obtaining proper consent.
Consent?
The problem is that the kind of "consent" the advertising industry gets is similar to the kind of "consent" that revenge porn sites get. They let third parties submit personal information about other people so long as they claim to have such consent from the victim (i.e. "advertising target") but purposely do not verify it.
Ad targeting is a huge flop
I might be a little more sympathetic to the ad networks if I could see any evidence that the mountain of incredibly detailed data they have collected on users combined with the bandwidth, time, and other resource costs (especially battery) that the real time ad system consumes actually had a net benefit for users.
How many petabytes of bandwidth have been consumed by ads? How many years of time have been spent while the page load is slowed by the ad process? How many megawatts of electricity have been spent animating a monkey we’re supposed to punch?
Despite Google and Facebook and others collecting information about every area of my life (online and off) and tracking everything I do, I still get shitty, useless ads. IMHO, we all give up far too much to a handful of people in California to get almost nothing in return.
I hope the next time Democrats get control of the US government, they make holding data on users be an incredibly expensive and dangerous thing to do. Data breaches should lead to bankrupt companies and jailed executives.
Free Stuff
Privacy
PICK ONE.
Re: Re:
You think privacy is something only the rich deserve?
Re: Re:
Ever considered delivering ads based on the page they’re being loaded into, instead of the user they’re being delivered to? This covers the vast majority of cases, and can be implemented in a minimum-knowledge way through keyword tagging (the page sends tags describing what it’s about as part of the request to the ad server, and the server takes those tags into account as part of the RTB process), without the need to retain vast quantities of tracking data (or really, any identifiable data about users whatsoever).
(It’s also quite similar to what’s done for things like advertisements as part of search results, where the advertisers bid on search keywords.)
Re: Re: Re:
I like the model: advertise based on what’s on the page.
But…how would that play out in practice for non-niche sites, that is those that are unlike techdirt… meaning twitter, facebook, or even CNN??
User-targeted content is also antithetical to the idea of a commons, that is, all comers see the same thing. It is a big part of how echo chambers get created.
Me, I think there needs to be something of a cutout and much better disclosure. I can’t exactly give my informed consent to share my identity with 500 advertisers. I don’t really want to even share it with CNN. OTOH, assuming I have shared it with CNN, I think they should be able to hold an auction for advertising based on a few known, anonymized, and disclosed characteristics.
Likewise, I am not too happy if my browser gets the ad from anywhere except from cnn.com. And I would like to see whatever it is being advertised to everyone.
Heya, Mike, can we get an update on “Lies, damned lies, and audience metrics”?
Re: Re:
It would be so nice if this were true. Unfortunately it’s not even close and it’s as bad or potentially worse when you pay through the nose for goods or services as when you get it for free.
Not only is there nothing stopping companies from charging you directly and also reusing or selling your data, there isn’t even a way for you to find out who is better or worse about it.
Re: Re:
false dichotomy
false dichotomy
pick one
Re: Re:
Let’s see… here you are commenting on a website for free with no hints as to your identity or background.
I call bullshit, with a side of failing to make a point.
Re: Re:
Do you really think that services you pay for don’t also store and trade in personal data and other breaches of privacy? My, my, how naive and ignorant you seem to be of how everything works in the real world.
But, hey, thanks for implicitly granting permission for this site that you use for free to violate your privacy if they decide they want to 😉
…and awesome for the rest of us. About time the GDPR does something right!
Re: Re:
Considering if you actually asked those people whether they consented or not they would all say they think they were roofied.
EXCELLENT.