The issue of transparency around the collection and use of online users’ personal data has hit the headlines recently, with several data collection practices now being directly challenged in court.
On the one hand, these developments are a further sign of a few more bricks falling from the wall of online tracking as we know it today. On the other, they cast a light on the extent to which our personal information is exposed and the legal structures that allegedly give permission to collect that data.
Depending on the outcome, they could ultimately push the online advertising industry closer to the EU’s General Data Protection Regulation (GDPR) laws’ endgame. In the meantime, however, they have also opened up a debate on the question: do you, as a consumer, really know where your data is going?
Before looking at this question, it is crucial to look at these recent developments across Europe.
The wall of online tracking is crumbling
After several significant, yet relatively low profile cases relating to the supposed breaches of GDPR laws (the Vectaury case is a good example), two recent developments illustrate how mainstream ad-tech entities are now starting to feel the heat.
Firstly, a well publicized lawsuit against Salesforce and Oracle over an alleged breach of GDPR laws is one of the biggest GDPR-related class action lawsuits to date. The Privacy Collective – a consumer privacy campaign group dedicated to pursuing collective action against the wrongful use of online users’ personal data – is accusing both Oracle and Salesforce of selling profiles created from the personal data they gathered from users to advertisers who use their services via the real-time bidding (RTB) process, without the knowledge or consent of users for such sharing.
In another soon-to-come case, the DPA (Belgian Data Protection Authority) is challenging the system as a whole. According to a DPA investigation, initiated after complaints made by several privacy advocates, the Transparency and Consent Framework (TCF), established and operated by the European branch of the Interactive Advertising Bureau (IAB Europe) was deemed not to be compliant with GDPR.
Misuse of third-party cookies and other trackers
Both cases described above are tightly related. The IAB Europe’s TCF is the most common program for reaching GDPR compliance, participated in by an overwhelming majority of the industry, whether publishers, platforms or tech providers. As expected, Oracle and Salesforce are both approved TCF vendors, and performed the accused violations while transacting the supposed consents throughout TCF-approved Consent Management Platforms (CMPs). If the courts rule the program was not in line with the fundamental principles of GDPR, it will be an ad-tech earthquake.
Among the different products that Oracle and Salesforce offer to brands and marketers, each also offers a Customer Data Platform (CDP) – a service that helps clients to directly address their existing consumers with personalized ads on third-party websites. At the center of The Privacy Collective’s complaint against Oracle and Salesforce is the alleged misuse of consumers’ personal data, which was obtained using cookies and other third-party trackers, made addressable via their CDPs.
Oracle and Salesforce
Since Oracle and Salesforce are both TCF members that have dedicated large resources to comply with this program, you might ask: how have they found themselves accused of infringing upon users’ privacy? The DPA’s investigation may shed some light on the matter.
According to the DPA’s report, “IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects.” The report also states the framework fails in providing data subjects with sufficient transparency regarding what information is collected and to whom it is made available, as well as failing to comply with principles of fairness and accountability. Thus, if the Dutch court and the DPA litigation chamber adopt the same approach towards the interpretation of the GDPR law, these two incidents are completely in line with each other.
This isn’t the first time that complaints have been aimed at the RTB system concerning GDPR, and this case is just a small nugget of a much wider issue in the industry. When major companies such as Oracle or Salesforce are accused of selling user profiles to other companies and transacting that via RTB, without the knowledge or consent of those users, one thing is clear: the ‘supply chain’ of data as it currently works in the RTB process is simply not transparent enough for what the user expects in 2020.
As a result, it’s impossible to think consumers are completely aware or clear about how their personal data is being used, shared and monetized by the web economy. So, let me ask you: do you, as a consumer, truly understand where your data is going?
Do you know where your data is going?
The short answer to this is probably no. Unless you have a concrete understanding of the ‘supply chain’ of data that fuels digital ads, it’s a simple fact that you would have very little or no understanding of the complexities of programmatic advertising. You wouldn’t be alone. Consumers still too often think they are only giving consent for a specific publisher or advertiser to make use of their personal data, as long as they are visiting that specific website.
They don’t understand the extent and degree to which their data is used and reused. This issue was supposed to be solved by GDPR, as it has set a higher bar of transparency towards users, but according to DPA, TCF doesn’t meet this bar within the existing framework.
TCF is certainly a step that can provide users with slightly more information in comparison to what they were used to in the age before GDPR. However, according to most of its critics, its main purpose was to preserve the existing mechanics of RTB to their different functions, being performed by hundreds of entities for a single ad request at the same time. As GDPR requires much more explicit user approval for such actions, to comply with the new rules in the real world would mean that the mechanics must change.
Change is on the horizon
Fortunately, change is already firmly on the way. We all know third-party cookies, the tool that underpins data-driven advertising, are already missing from several platforms (Safari, Firefox, users of privacy tools and others), and they will be completely ineffective in less than two years on Google Chrome. While third-party cookies may not be the only way to perform user tracking, these changes signal a wider trend. Crucially, this change has been driven by consumers’ desire to have more control over their personal data.
But what does this mean for programmatic advertising and the RTB process? The doomsayers are predicting the end of digital advertising as we know it, while the new era of privacy marshalled in by the phasing out of cookies and changing consumer sentiment is likely going to put a stop to cases like this.
A natural evolution for the industry – a revolution for consumers
Yet, what I see here is an opportunity. An opportunity to be more balanced. An opportunity to create a new standard and technology for online targeting, which not only gives users far more transparency and control over how their personal data is being used online but is also compatible with programmatic bidding.
So, whatever the outcome of the current lawsuits against IAB Europe, Salesforce, and Oracle, one thing is abundantly clear: now is the time for the community to wake up, recognize the opportunity, and adapt to the new era of privacy. To strike the right balance, we must empower users with tools that help them indicate their explicit preferences in a data-driven advertising environment, thus fulfilling the spirit of privacy legislation and allowing users to control how their data is being collected and used.