Forget GDPR. Publishers could be in for an even rougher time with the looming ePrivacy Regulation, which will clamp down on how cookies are used for ad targeting, with potentially far-reaching impact for the way digital advertising has operated for over 20 years.
Under the current ePrivacy law proposals publishers and any site owners would need informed consent in order to use any form of cookie. (Under GDPR, there are six different legal bases, albeit two that are used mostly in advertising: legitimate interest and consent.)
An earlier draft also specified that consumers would determine their consent settings via the browsers they used, not publishers directly, making browsers the so-called gatekeepers of consent. That latter part has been deleted in the various revisions, yet numerous European publisher trade bodies, including the European Publishers Council, have stressed their concern that it will be reintroduced.
On Oct. 18, the EPC, along with nine other European publisher and advertiser trade bodies including the European Newspaper Publishers’ Association, European Magazine Media Association and Federation of European Direct and Interactive Marketing, wrote a letter of appeal to the current European Council Presidency (Finland) to appeal the current text. Their argument: The current form could seriously damage publisher advertising revenue, while benefiting the major tech platforms whose product sets make it already very easy for people to stay logged in.
“[EPrivacy Regulation] puts the future financial viability of independent, advertising-funded media at risk,” the trade bodies wrote.
On Oct. 22, European Union member states will vote on whether or not they agree on the current, revised version of the law. Should they do so, that may speed up the law’s ratification earlier than suspected, according to Angela Mills Wade, executive director of the European Publishers Council. “It’s looking, alarmingly, like it is speeding up,” she said.
Despite the efforts publishers have gone to, and continue to go to, in order to scale consumer log-ins, that remains a tough task, added Mills Wade. Google and Facebook have broad product sets that make it far easier for consumers to remain logged in permanently.
“It is very problematic,” said Mills Wade. “Research has shown there is huge resistance from consumers when it comes to being asked and re-asked to log in [or give permission for data to be used.] That would make it very difficult to get the right consent and specificity of the data to track for the advertisers while actually favoring the logged-in platforms. [EPrivacy Regulation] is completely disproportionate and mad.”
The publisher and advertiser trade bodies have also appealed to the European Presidency to not overcomplicate the user consent process for a media and ad landscape still grappling with GDPR compliance.
GDPR fines and additional warnings have slowly trickled out. Last week, Spanish data protection authority fined Spanish airline Vueling €30,000 ($33,000) for violating cookie consent stipulations under GDPR for not making it clear enough how a user could opt-out, and for assuming they had opted in while not actually having actively done so. A few weeks ago the European Union Court of Justice stated that the use of pre-ticked consent boxes was a big no-no.
The fines themselves are less of an issue compared to the costs of full compliance. For instance, companies told to change how they collect user data will need to start from scratch, incurring technology and compliance costs, including vendor reviews and process changes. It will also mean starting all over with seeking user consent.
“No consumer will understand the degrees of gray involved in [GDPR] compliance,” said Rowly Bourne, founder of ad tech vendor Rezonence. “They will be annoyed at having to opt-in again.”
There are multiple examples of sites that use the same technique as Vueling. While U.K. regulator ICO hasn’t yet issued a fine for any similar violation, it has gone to recent lengths to appeal to brand marketers not to be responsible for bankrolling ad tech vendors that aren’t compliant, and in doing so perpetuating the issue.
“We’re being told by the ICO: don’t be the least non-compliant,” he added. “By that, they mean they are making their way through the more serious cases first, but that they will get to all of them in time. If you’re slightly higher up the beach and all seems sunny at the moment, that doesn’t mean they won’t come for you.”