The General Data Protection Regulation (GDPR) and the ePrivacy Regulation (ePR) pose particular challenges for publishers, brands, and adtech companies. These goes beyond the normal gap analysis and security overhaul that other businesses must undertake to comply with the new rules. Online advertising and media businesses' ability to function online depends on the outcome of three deep challenges.
Obtaining consent to process an internet user’s personal data.
Despite some lingering debate to the contrary, businesses will need consent from internet users to use their personal data for online behavioural advertising. This poses a UX challenge. Businesses asking for consent must relay detailed information to users about how their data will be treated (see more below).
What a user must be informed about under GDPR.
• Who is collecting the data, and how to contact them or their European representative.
• What the personal information are being used for, and the legal basis of the data processing.
• The “legitimate interest” of the user of the data (This refers to a legal basis that may be used by direct marketing companies).
• With whom the data will be shared.
• Whether the controller intends to transfer data to a third country, and if so has the European Commission deemed this country’s protections adequate or what alternative safeguards or rules are in place.
• The duration of storage, or the criteria used to determine duration.
• That the user has the right to request rectification to mistakes in this personal information.
• That the user has the right to withdraw consent.
• How the user can lodge a complaint with the supervisory authority.
• What the consequences of not giving consent might be.
• In cases of automated decision-making, including profiling, what the logic of this process is, and what the significance of the outcomes may be.
Yet, the consent request must also be concise and “not unnecessarily disruptive” of user experience. In addition, user permissions must be carefully handled and audited, and the various data rights enshrined in the GDPR must be provided for.
Stop personal data leaking during online ad transactions.
Solving Deep Challenge #1 and obtaining the consent of a data subject is not sufficient, however, because there are two points of data leakage in the online ad system that break the rules. This poses enormous risks to all parties in the online behavioural advertising system.
Leakage point A: sharing personal data to solicit bids
Every time an ad is shown, an advertising exchange sends personal data about the website visitor (this is the person who is about to see the ad) to hundreds of its partners. Most of these partners are prospective advertisers, and the data they receive in the milliseconds before an ad is shown informs their decision about whether the visitor is a suitable target for their advertising, and whether they should bid money so that their ad might be shown to be shown to the person visiting the web page. This all happens in milliseconds. [See video]
The competition between these bids is supposed to select the highest price for the ad, and make advertising more discriminating. A recent refinement of this technology is “header bidding”, in which a website visitor’s personal data are not shared among hundreds of companies by a single advertising exchange, but among thousands of companies by several exchanges. Personal data are broadcast so widely, among so large a number of businesses, that it would be difficult to conclude the required contractual relationships among them, or to be assured that all recipients will treat the data properly.
Leakage point B: unauthorised collection via insecure advertising units
Online ads can include executable code. This can be benign, perhaps rendering a simple HTML5 animation. Or it can be leaky, loading further code that lets unexpected companies track users. Auditing ad code for data leakage is unlikely to be foolproof, as the code might be updated after auditing. Meanwhile, any malicious tracking code that has sneaked in can borrow from the malvertising playbook to lie dormant in testing environments, and only activate after it is launched into the wild.
There may be no way to guarantee that personal data are not being leaked to unauthorised third parties without introducing PageFair-style server side rendering.
Most users will be unknowable.
Today, the majority of online advertising is targeted by the widespread sharing of personal data. But soon it is likely that this will be the exception. Consent is required. Few people will give it, and what consent is given will be piecemeal.
As we have written previously, people favour convenience over privacy. There are three reasons why this may change.
First, privacy may become a convenience in Europe. The draft ePrivacy Regulation requires that devices and browsers must present users with a choice of what degree of tracking they will accept - and makes the choice enforceable. Assuming this survives in the final regulation text then it is likely that most users in Europe will not choose tracking. Perhaps only a small percentage will opt back in for their data to be widely used.
Second, users are going to learn how businesses in online advertising handle their personal information. As noted above, the GDPR requires that an exhaustive level of detail be provided to users on how their personal information is used by every party that wants to use it. It also envisages iconography to concisely communicate data use, risks, and rights in plain language.
Third, the Regulation introduces a new focus on security that will contribute to user fears. All parties that handle data are now required to protect personal information from misuse and leakage. In addition, data controllers have to tell users when their personal data have been stolen in a data breach. The practice of covering up data breaches will end, and users will learn how often their data are exposed.
These developments mean that internet users will be confronted with the extent to which their behaviour across the web is tracked, how these data are used, and how often they are stolen. The result will be a wave of paranoia about personal information. And at the same time that this occurs, users will have the new right under the ePR to opt out of tracking from the outset, and under the GDPR will have the ability to withdraw any consent they give for tracking at any time, as easily as they gave it.
Therefore, consenting, trackable users will be the exception. They will probably be accessible only through a subset of trusted publishers, and sold as a premium audience. This niche audience will take time to build, and great effort to retain. And the average internet user will be untracked and unknown.
Our conclusion is that the most important challenge of Europe’s new data rules is not how to get consent. Nor is it how to audit these permissions once given. The most important challenge is how to target advertising online without using personal data, because consent may be unobtainable more often than not. This is among PageFair's core areas of focus today. If you agree, or disagree, and want to discuss please hit reply and share your thoughts with us.
1. We are designing a mechanism to obtain consent, and to audit it. This will enable campaigns to operate with mixed states of consent.
2. We are developing technology to neutralize personal data leakage from the online advertising system. This will protect all parties involved in an advertising campaign from legal risk.
3. We are making a new technology to intelligently target advertising where personal data are not available.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)  OJ L119/1, Recitals 39, 58, 60-63, and Article 13 paras. 1-2, and Article 13 and Article 14.
 ibid., Recital 32 and 58, Article 12, paragraph 1.
 This may be aided by new iconography envisaged by the European Commission, which is intended to concisely communicate data use, risks, and rights in plain language. See ibid., Article 12, para. 7, and Article 70, para. 1, (r). Industry bodies should take the opportunity to contribute to this iconography.
 A data subject now has the right to access, correct, or delete their personal data, to object to automated decision making based on these data, and to move these data to another service. (ibid., Article 15 to Article 21.) In addition, the Regulation requires that it must be as easy for a data subject to withdraw consent as it was to give it at any time.
 The issue is not one of informing the user necessarily, since Article 13, paragraph 1, e, allows one to inform the user of the “categories of recipients of the personal data”. The issue is that the data controller must have contracts in place with data processors that guarantee that the processor handles the personal data only in the manner dictated by the controller. See ibid., Article 28, paras. 2, 3 and 4, and Article 29. While this is already required in the current Data Protection Directive (See (95/46/EC) 1995, Article 17, para. 3.), the GDPR backed this up with new sanctions, and requires that these contracts define the nature and duration of processing (GDPR, Article 28, para. 3). Similar agreements must also be in place when one processor engages another (ibid., Article 28, para. 4), and a processor can only do so with express permission from the controller (ibid., Article 28, para. 2).
 Rapporteur's draft report on the proposal for a regulation of the European concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, June 2017, Recital 22 and 23, Article 9, paragraph 2, Article 10, paragraph 1 and 2.
 GDPR, Article 12, para. 7, and Article 70, para. 1, (r).
 ibid., Article 32.
 ibid., Article 33 and Article 34.
 ibid., Article 7, para. 3, and Article 21, paras. 1 and 2.
More like this
According to figures provided by Ipsos in its "Favorability Study", almost 50 per cent of Americans come out in favour of the press, which has been heavily criticised by incumbent President Donald Trump during and before taking office in January of this year.16th Oct 2017 Insight News
In this week's Media Voices podcast, the University of Oregon's Carolyn S. Chambers professor in journalism Damian Radcliffe takes us through his latest report into local journalism in the Pacific Northwest.16th Oct 2017 Insight News
Magnetic’s New Influencer Ecosystem research topped the FIPP Insight Awards presented at the annual FIPP Insight Awards presented at the FIPP World Congress in London on 11 October 2017. Gold award winners included Magazine Networks Australia’s Passion Response Study and Time Inc. UK’s Live the Passion research.11th Oct 2017 Insight News
Annie Granatstein, head of WP BrandStudio at the Washington Post, knows how to run a native ad team and how to turn a profit. Here, she pours out some of her important knowledge on selling native advertising.8th Oct 2017 Insight News
Magazines are a shortcut to quality and continues to deliver top results for advertisers, according to Linda Thomas Brooks, CEO at MPA, USA, said during a keynote on the second day of the FIPP World Congress in London (11 October) last week.16th Oct 2017 Features
Digital editions have been around for a long time, going all the way back to the late 90's. But in 2010 when the iPad hit the digital runway, publishers jumped on the tablet bandwagon faster than they could shout, “Hallelujah!”. The struggling publishing industry had found itself a saviour.16th Oct 2017 Opinion
“No other industry predicted its own doom as much as print media. The magazine is not dying, but it may be killing itself.”10th Oct 2017 Features
“Smart repackaging” and "content swarming" are the main ways that Hearst UK’s titles are trying to reach a greater audience - and it’s working, according to Betsy Fast. Betsy, who recently moved from Hearst US to become Executive Director of Digital Editorial Strategy at Hearst UK, shared her insights from the stage on day two of the 41st FIPP World Congress (11 October).13th Oct 2017 Features
Ralph Büchi, Chief Operating Officer (COO) of the Ringier Group and CEO of Ringier Axel Springer Switzerland, has been elected as the new Chairman of FIPP – the network for global media. The chairmanship of the international magazine media association was passed to Büchi after Erwin Fidelis Reisch, president & CEO of Alfons W. Gentner Verlag completed his term as FIPP chairman.11th Oct 2017 FIPP News
Visit our Youtube channelFIND OUT MORE
FIPP newsletters allow you to keep up with industry trends, research, training and events across the worldFIND OUT MORE
Get global coverage of your launches, company news and innovationsFIND OUT MORE
What’s happening now, what’s coming next