New GDPR Ruling In France Could Dramatically Re-shape Online Advertising
from the not-going-with-the-consent-flow dept
The EU's General Data Protection Regulation only came into force in May of this year. Since then, privacy regulators across the EU have been trying to work out what it means in practice. As Techdirt has reported, some of the judgments that have emerged were pretty bad. A new GDPR ruling from France has just appeared that looks likely to have a major impact on how online advertising works in the EU, and therefore probably further afield, given the global nature of the Internet.
The original decision in French is rather dense, although it does include the use of the delightful word "mobinaute", which is apparently the French term for someone accessing the Internet on a mobile device. If you'd like to read something in English, Techcrunch has a long and clear explanation. There's also a good, shorter take from Johnny Ryan of the browser company Brave, which is particularly interesting for reasons I'll explain below.
First, the facts of the case. The small French company Vectaury gathers personal information, including geolocation, about millions of users of thousands of mobile apps on behalf of the companies that created them. It analyzes the data to create user profiles that companies might want to advertise to:
We continuously analyse, classify and enrich hundreds of thousands of profiles in order to offer you big data predictive models and actionable audience segments at any time. Our geo-profiling algorithm relies on a framework of more than 80 million points of interest around the world, grouped into 450 categories.
Vectaury sells access to those profiles using a standard industry technique known as "real-time bidding" (RTB). This really does happen in real-time: advertisers can bid to display their ads on Web pages as they are loading on a user's mobile. The key benefit is that it allows ads to be tightly targeted to audiences that are more likely to respond to them. However, to do this, personal information has to be sent to many potential advertisers so that they can submit their (automated) bids.
That's a problem under the GDPR, since users are supposed to give their consent before personal data is transmitted to companies in this way. To get around that problem, the industry has developed what are known as consent management platforms (CMP). In theory, these allow users to pick and choose exactly what kind of information is sent to which advertisers. But in practice they usually amount to a top-level button marked "I accept", which everyone clicks on because it's too much effort going through the subsidiary pages that lie underneath. The top-level acceptance grants permission to all the bundled advertisers, hidden in lower levels of the CMP, to use personal data as they wish.
When the French data protection authority CNIL carried out an on-site inspection of Vectaury, it found the company was holding the personal data of 67.6 million people. However, it did not accept that Vectaury had been given meaningful permission to use that data through the use of the bundled permission system. In a trail-blazing decision, CNIL said that Vectaury couldn't simply point to contracts that required its partners to ask users for permission to share personal data: Vectaury had to be able to show that it had checked it really did have permission from everyone whose data it had acquired.
That ruling is not just a big problem for Vectaury -- it's hard to see how it could possibly confirm consent for the 67.6 million people whose data it holds. It's also a problem for the online advertising industry in Europe, which uses a framework for GDPR "consent flow" that has been created by industry trade association and standards body, IAB Europe. Vectaury's system is essentially the same as IAB Europe's, so it would seem that the latest ruling by the French data protection authority also calls into question the industry standard technique for obtaining consent that is vital for the RTB process. Without that "consent flow", it is not possible to share personal data so that automated real-time bids can be submitted.
If that interpretation is correct, it would mean that RTB as currently practiced in the EU will no longer be allowed. In fact, the RTB system was already under threat because of a GDPR complaint filed a couple of months ago with the Irish Data Protection Commissioner and the UK Information Commissioner, which notes:
Every time a person visits a website and is shown a "behavioural" ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers' bids for the attention of the specific individual visiting the website.
A data breach occurs because this broadcast, known as an "bid request" in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.
The three complainants are Jim Killock, Executive Director of the Open Rights Group, Michael Veale of University College London, and Johnny Ryan of Brave, mentioned above. His blog post about the new French GDPR ruling concludes:
This is the latest in a series of decisions published by CNIL against adtech companies. ... What marks this decision apart are the broad implications for RTB, and for the IAB consent framework.
It could also be a problem for Google, which relies on a similar approach for its own real-time ad bidding system. The potential implications of the CNIL ruling across the EU are a further indication of the massive long-term impact the GDPR will have on the Internet, perhaps in multiple and unexpected ways.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: advertising, france, gdpr, online advertising, privacy, real time bidding
Companies: vectuary
Reader Comments
The First Word
“...and awesome for the rest of us. About time the GDPR does something right!
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
The question then becomes how much it will cause problems for every other industry. The knock-on effects could be significant in unexpected ways.
I wouldn't shed tears for anyone 100% dependent on ad revenue gained by illicit means, but the problems here shouldn't be underestimated.
"Laws like the GDPR are a direct result of careless use and abuse of personal data by corporate advertisers."
...and poorly conceived and drawn out laws are the cause of even greater problems.
[ link to this | view in chronology ]
Re: Re:
> ...and poorly conceived and drawn out laws are the cause of even greater problems.
The GDPR is based on experience with an earlier data protection directive, drafted to fix its flaws. Biggest difference is that fines for non-compliance have increased. Overall this directive makes clear that ordinary businesses should care about privacy and personal data. It is "data brokers" and "data hoarders" that fear the consequences of the GDPR.
[ link to this | view in chronology ]
Re: Re: Re:
That may have been the intention, but that's not what's happened in reality.
"It is "data brokers" and "data hoarders" that fear the consequences of the GDPR."
Not from where I'm sitting, where I can see both how horribly it's been implemented, how poorly it's been communicated and how many unintended consequences are upcoming because of that.
Believe me, I'm seeing how it's being dealt with in multiple industries that have nothing to do with data hoarding, and it's not pretty.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Could you give some (anonymized) examples? There has been some overreacting to the directive.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Well, frankly, that's my point.
You claimed that "It is "data brokers" and "data hoarders" that fear the consequences of the GDPR.". Yet, we can see immediately that even companies that didn't have to comply with the regulations in the first place were scrambling and overreacting to it when it came into force - and that was after a 2 year grace period to get things in order before it became effective.
That doesn't seem like a straightforward set of regulation drafted to fix a previous set to me. There's huge levels of confusion still, and those will inevitably lead to unintended consequences. The exact reactions in my experience range from stalling useful projects to hoping that the company's too small to be noticed, but there's plenty of ways for things to go in different ways than intended.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Is that caused by the directive or caused by the communication of the directive? I've followed the communications of the Data Protection Supervisors and they provide useful guidance on implementation of the directive.
The more cool-headed companies realized that if they already worked according to the earlier EU data protection guideline it was easy to become GDPR compliant.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Both, really. Some of the legislation was confusing without specific guidance (and in my view, some had no business being there at all), while the overall communication was poor in my experience. I've dealt with a number of large companies who either didn't seem to be aware that it would affect them as recently as the start of the year, or who had clearly not understood the level of changes to systems and process that would be required.
"The more cool-headed companies realized that if they already worked according to the earlier EU data protection guideline it was easy to become GDPR compliant."
For some companies, not for others. Which is where the unintended consequences I referred to earlier come in. I'm not sure of where these consequences will be or how severe, but it will have consequences beyond the intended ones.
Again, it wasn't an impossible task for most businesses when approached with proper guidance and level heads, only that it's not the "data brokers" who are scared and/or will be affected.
[ link to this | view in chronology ]
The GDPR is going dark
The GDPR is a response to surveillance capitalism, in the same way that pervasive encryption is a response to massive network monitoring (aka government surveillance).
cf. RFC7258 https://tools.ietf.org/html/rfc7258
[ link to this | view in chronology ]
A few different items to be addressed
a) The process used to obtain consent, both for new users and for existing users who need to have new consent documented to overcome the current deficiencies. The big issue with the existing model seems to be that the consent wasn't specific enough to satisfy the court, and the record-keeping was inadequate.
b) the process to filter advertisements needs to account for users who have not made a decision on consent for certain ads/apps, and users who have explicitly denied access under the new consent model.
c) the data model to connect a) and b) needs to be efficient enough to pre-filter bids and display winning ads in real-time. An advertiser that wins a bid where it then turns out that the user has refused (or refuses at the time of display) consent is a lost opportunity for advertiser, app and broker.
Of course, the advertisers and brokers will probably choose option d): tie the issue up in court for a few more years, paper over the existing design with meaningless cosmetic changes, and hope the political winds change.
[ link to this | view in chronology ]
Advertisers need to get consent to share this information. This advertiser got consent, but the court is (after the fact) saying that the consent is not good enough. I do not read French all that well, but I could not figure out what "good enough" amounts to.
Vague laws like this just seem to get directed at companies and people that the government does not like, and that is never a good thing.
[ link to this | view in chronology ]
Re: informed consent
And as data processor the information broker is responsible for obtaining informed consent. Even if it has contracts with the providers of the information (the websites), it still has the responsibility to ensure that those websites display a proper consent form.
It seems that this broker failed on two fronts: registration that consent was obtained and verifying the quality of the provided information. (If any was provided at all)
Yes, the GDPR is a tough law for "data brokers" and intentionally so. For other businesses it requires that they take reasonable privacy protections.
[ link to this | view in chronology ]
Spaghetti consent
Now, of course the partners will also have API's and those will also have a ConsentObtainedFlag. And, of course, the contracts will all say none of these is ever supposed to be set to Y unless affirmative consent has been obtained that the citizen gave to read one article in a blog, 3 years before.
But now CNIL gets the fun of tracing all those Y's back through shell companies and contractual relationships, across country and legal boundaries, through hundreds and hundreds of relationships, some of which will be circular, to determine its origin.
Maybe the origin is hardcoded Y, in which case Vectuary says simply that the originator violated the terms of their API. Or not. Because maybe it leads back to a consent someone actually has on record, in which case CNIL has the fun of figuring out if the consent really covered Vectuary API.
Good luck CNIL.
[ link to this | view in chronology ]
Re: Spaghetti consent
CNIL might want to track some of those records back, to check whether there's any reality behind it (and have Vectuary and its contract partners suffer for fraudulent behaviour). Vectuary is provessing the data and thus responsible for obtaining proper consent.
[ link to this | view in chronology ]
Consent?
The problem is that the kind of "consent" the advertising industry gets is similar to the kind of "consent" that revenge porn sites get. They let third parties submit personal information about other people so long as they claim to have such consent from the victim (i.e. "advertising target") but purposely do not verify it.
[ link to this | view in chronology ]
Ad targeting is a huge flop
How many petabytes of bandwidth have been consumed by ads? How many years of time have been spent while the page load is slowed by the ad process? How many megawatts of electricity have been spent animating a monkey we're supposed to punch?
Despite Google and Facebook and others collecting information about every area of my life (online and off) and tracking everything I do, I still get shitty, useless ads. IMHO, we all give up far too much to a handful of people in California to get almost nothing in return.
I hope the next time Democrats get control of the US government, they make holding data on users be an incredibly expensive and dangerous thing to do. Data breaches should lead to bankrupt companies and jailed executives.
[ link to this | view in chronology ]
Privacy
PICK ONE.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Ever considered delivering ads based on the page they're being loaded into, instead of the user they're being delivered to? This covers the vast majority of cases, and can be implemented in a minimum-knowledge way through keyword tagging (the page sends tags describing what it's about as part of the request to the ad server, and the server takes those tags into account as part of the RTB process), without the need to retain vast quantities of tracking data (or really, any identifiable data about users whatsoever).
(It's also quite similar to what's done for things like advertisements as part of search results, where the advertisers bid on search keywords.)
[ link to this | view in chronology ]
Re: Re:
But...how would that play out in practice for non-niche sites, that is those that are *unlike* techdirt... meaning twitter, facebook, or even CNN??
User-targeted content is also antithetical to the idea of a commons, that is, all comers see the same thing. It is a big part of how echo chambers get created.
Me, I think there needs to be something of a cutout and much better disclosure. I can't exactly give my informed consent to share my identity with 500 advertisers. I don't really want to even share it with CNN. OTOH, assuming I have shared it with CNN, I think they should be able to hold an auction for advertising based on a few known, anonymized, and *disclosed* characteristics.
Likewise, I am not too happy if my browser gets the ad from anywhere except from cnn.com. And I would like to see whatever it is being advertised to *everyone*.
Heya, Mike, can we get an update on "Lies, damned lies, and audience metrics"?
[ link to this | view in chronology ]
Re:
Not only is there nothing stopping companies from charging you directly and also reusing or selling your data, there isn't even a way for you to find out who is better or worse about it.
[ link to this | view in chronology ]
Re:
false dichotomy
pick one
[ link to this | view in chronology ]
Re:
I call bullshit, with a side of failing to make a point.
[ link to this | view in chronology ]
Re:
But, hey, thanks for implicitly granting permission for this site that you use for free to violate your privacy if they decide they want to ;)
[ link to this | view in chronology ]
...and awesome for the rest of us. About time the GDPR does something right!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]