Regulators continue to tighten the data-privacy screws on the media and advertising industry.
Last week, it was the European Union Court of Justice’s turn to strike a blow. The Luxembourg-based court ruled that using pre-ticked consent boxes in order to drop cookies is not legally valid under the General Data Protection Regulation. Instead, businesses must have “active consent” from consumers.
“Ad tech isn’t gifted some divine right to handle data differently to a bank or any other entity that consumers interact with,” said Andrew Morsy, managing director of international for contextual targeting vendor Peer 39, formerly owned by Sizmek. “But the natural buoyancy that comes from venture capitalists and Silicon Valley, drives this belief that we will make it work. But I think we’re going to see lot of companies fall foul of this.”
There’s a whole load of legal mumbo-jumbo around GDPR and other data privacy laws, often with different terms used to describe what’s essentially a pre-existing technique. So, for those wanting to understand more about the court’s ruling, here’s a primer.
WTF is active consent?
Simply put it means that people have to manually opt-in to receive communications from a publisher or brand, whether it’s in the form of email marketing or ad targeting. In doing so, they are actively giving their consent to have their data used for whatever purpose the publisher or brand has told them they need it for. It doesn’t need to even be highly personal data — just any data belonging to that individual. In order to do so, they need to be properly informed of what they’re consenting to — another sticky point.
Part of the problem currently is that there is such an array of different consent messages, each with a varying degree of information for the consumer on why their data is required and for what purposes. For instance, publishers that are heavily reliant on programmatic advertising revenue have hundreds of ad tech partners that are involved in those transactions. Given ad tech companies aren’t exactly consumer household brands (bar Google), it’s not likely any consumer will really understand what they’re giving their consent for, and to whom. They’ll either click blindly through in order to get to the content they want, or be put off entirely and bounce.
This active consent sounds straight forward, why is that a big deal?
Until now, a massive number of websites — whether traditional publishers or brand marketers — have been working on the basis of “implied consent.” Many have relied on pre-ticked boxes in order to ensure their ability to monetize their pages, or communicate with customers via email newsletters or other marketing means, aren’t decimated. This is likely to cause some scrambling. “They will have been claw marks in the wall from marketers this week, as these [pre-checked box] practices help them scale,” added Morsy.
So who is this bad news for?
Everyone that has gone for a default opt-out, so a pre-ticked box.
What prompted this additional CJEU ruling?
The court was asked to review a case put to it by the German Federal Court of Justice regarding a German lottery site called Planet49, which had used a pre-ticked box for a promotional game. The CJEU assessed the case and decided that users must have given their active (and informed) consent before a business can drop cookies on them for tracking purposes. The business must also declare detail on the duration of how long their cookies would be stored.
Many believe the CJEU’s decision, compounded with noise U.K. data protection regulator the Information Commissioner’s Office has made, will push everyone into risk-management mode. Many brand marketers have begun to put aside crisis budgets for 2020, in case they’re fined under GDPR, according to ad tech sources with marketing clients. “We anticipate that the CJEU’s decision on Planet49 will send shockwaves through the industry and push any laggards to take privacy – particularly as they relate to cookies – seriously,” said Gabe Morazan, privacy expert at digital experience platform Crownpeak.
Doesn’t sound like an easy fix.
It’s not. The technological underpinnings of how ads are bought, sold and tracked on the open web are highly complex and involve hundreds of thousands of middlemen. That alone is enough to make the consent-request system a user experience nightmare. Ad tech vendors have predicted more “progressive consent” processes will pop up, where users need to click through to several other pages if they choose to know more, rather than being overloaded with information upfront. On the flip side, if more businesses had tried to uphold the principles of what GDPR was set out for, then it wouldn’t seem such an uphill battle now.
“It is baffling witnessing the amount of effort put in trying to defy gravity and scraping the bottom of the barrel, rather than using that energy to develop new strategies and solutions, starting from the opportunities that GDPR is opening to publishers,” said Alessandro de Zanche, independent publishing consultant.