Publishers and actors of the Ad Tech sector targeting the EU currently face one of the biggest challenges they have ever encountered, one that may require them to change profoundly their model. Namely? Unambiguous positive consent.
- Some background
- The new paradigm
- Consent is needed
- The risks of implicitness and conditionality
- How to get positive consent?
- The notion of unambiguous positive action
- The notion of conditionality
Publishers (both online and offline) have traditionally been able to provide their readers with free contents by selling advertising space. Initially, the best way for an advertiser to reach its potential customers was to select the publisher in view of their audience.
In the Internet age, this practice has been complemented by a new tendency which quickly became a massive trend: collecting data about the users in order to build profiles allowing serving them targeted advertising, thus increasing the impact of a campaign. Not all users would see their ads, only the potentially interested ones: for the same number of impressions, you get more clicks, leads or actions.
To achieve this, publishers would allow third parties to collect personal data from their websites and/or to track their users for example thanks to cookies, usually without informing much the users about it. This is the story up until 2016.
The new paradigm
In April 2016, a new European legislation was adopted which happened to be a game-changer. The so-called “General Data Protection Regulation” – which everyone has heard about - is EU-wide and even exceeds this territorial scope for companies targeting the EU. Its sanctions rise up to 20 million euros or 4% of a company global turnover. Publishers, advertisers and their intermediaries all share the responsibility and may be found liable under its obligations.
Thus, the first wave of panic washed over the industry.
Consent is needed
Moving on to the next step, the EU is currently discussing the future rules that will add to the General Data Protection Regulation in the sector of electronic communications. Sanctions would also rise up to 20 million euros or 4% of a company global turnover. Once adopted, the “ePrivacy Regulation” will require obtaining and demonstrating consent of the users to have cookies implemented and to be served with targeted advertising.
Actually, this requirement for consent is not new in the European sector of electronic communications, since consent is already required to implement cookies and to send commercial e-mails: what really changes is its definition.
The risks of implicitness and conditionality
It is now defined under the GDPR as any “freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or by a clear affirmative action“. This obligation to demonstrate a clear affirmative action apparently rules out any kind of tacit or implicit consent which happened to be a classic strategy on Internet, roughly “If you know what we do and you access our service, well, it means that you agree”.
On the other hand, who would make a positive action to accept cookies and targeted advertising, especially if by doing nothing you can access the service without them?
The EU Parliament indeed amended in October 2017 the ePrivacy proposal to explicitly ban so-called tracking walls by stating: “No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent”. Should this amendment eventually disappear in the final version, it remains that consent must be freely given to be valid, so that any compelled positive action – for example because service is conditional to consent - will at the end of the day amount to no action at all.
Now the second wave of panic strikes in as this could mean a serious knock for certain actors.
How to get positive consent?
In January 2018, DIDOMI sent a letter to the Working Party 29 asking it to specify its draft guidelines on consent. We did it because we considered that both the notions of unambiguous positive action and conditionality were insufficiently clear, so that any wrong interpretation of said notions by an actor would put it at risk of being fined.
The notion of unambiguous positive action
The draft guidelines initially excluded “scrolling a website” or “merely proceeding with the website” as constituting an unambiguous positive action. It was therefore unclear whether or not obtaining information followed by a click on a website - as authorized by the previous interpretations of the Working Party and the CNIL – could still constitute a valid consent. The last version of the guidelines on consent published in April now states that “merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation”.
This basically means that this (and any other kind of acceptance through navigation) will not be allowed anymore:
The notion of conditionality
The draft guidelines indicated that requiring consent to provide a service is not a problem if there is an alternative allowing having the service delivered by the same provider without consenting to the use of personal data for additional purposes. It specified “However, both services need to be genuinely equivalent including no further costs”.
We therefore asked the WP 29 if “providing a service including further costs may be a legitimate alternative to the same service including consenting to the use of personal data" where such use of personal data brings a remuneration which is essential to the provision of the service (like this is the case for most providers of free contents online). The last version of the guidelines on consent published in April eventually removed the words “including no further costs”.
In other words, something like the pop up below could possibly be fine, where consent to additional purposes would decrease the quantity of advertisement or the subscription to be paid. Of course, advertisement and subscription must remain reasonable if the consent is refused, otherwise they would be considered as detrimental and could invalidate the consent.
This is most likely where the EU wants the Ad Tech industry to go: not towards bankruptcy, but towards transparency and active choices of the persons.
Want to find out more? Get in touch with Didomi.