The Data Privacy & Tailored Risk Blog

What is the adtech industry’s legal justification for processing personal data? - PrivIQ

Written by Nick Eckert | Dec 18, 2018 5:00:00 AM


One of the more interesting books I’ve read in the last couple of years is Tim Wu’s The Attention Merchants, in which he traces how technology and advertising have always been close bedfellows.
While you might not think much about adtech and how it works, you most likely come into contact with it every day. Because of the GDPR it’s become more prominent, perhaps more annoying. Each of us is now more aware of it because of all the privacy notices and consents we must accept before accessing a website. But the reality is that adtech has been subtly influencing our behaviour for more than a decade – usually in a benign way, by reminding you to book the holiday to Spain you were researching yesterday; sometimes in an annoying way, by offering you 20% off the shoes you just bought online yesterday; and sometimes even menacingly, as with the Cambridge Analytica scandal and conspiracy posts pushed into social media feeds.
But it’s more pervasive than any of us think. If you’ve not yet read The New York Times’ recent piece about the data adtech firms collect and share about us from our phones, go read it immediately after this blog.

The Internet is built on adtech

Ad networks are able to serve up targeted ads because they collect personal data about sites visited, online searches made, and where you were when you last logged into an application.
Adtech networks share this data broadly with third parties, allowing companies to purchase targeted audience groups to which they can serve targeted ads. The goal is to serve relevant (occasionally even spookily so) ads which are more useful to us and, of course, to the company promoting its wares.
Undoubtedly, this personal information about each of us and our actions is valuable. And adtech works – targeted advertising is the currency that powers the Internet, but we are the fuel. One of the primary goals of the GDPR was to give some of this power – over our attention – back to us as individuals.

CNIL and the danger of consent

The French equivalent of the ICO – CNIL (Commission nationale de l’informatique et des Libertés) – just handed down a decision that may affect the adtech industry for years to come.
CNIL’s decision, explained in this excellent article on TechCrunch, concerned Vectaury’s collection of geolocation data from individuals through mobile applications without proper consent and its sharing of this information with third parties (again, if you’ve not read that New York Times story, please do). Let me explain: the firm was storing individuals’ locations and their MAC addresses (unique device identifiers) using code that it had running in its clients’ apps. As a result it knew where the individuals were and allowed its other clients to buy ads to display on the app based on the location of those individuals.
The issue is that the consent process was convoluted. It wasn’t clear to the users that, when they agreed to share their location with the app, the app would be sharing it with their adtech provider who was then sharing it with other third parties so they could buy advertising.
CNIL’s ruling basically stated that companies cannot bundle consent behind a single “I agree”. It lacks transparency and, in the end, individuals have no idea that by agreeing to be tracked by one app their data is being shared with thousands of other companies that can target them with relevant ads.
CNIL didn’t fine Vectaury in the end. Instead it ordered the company to delete all the data it held on individuals and stop processing data without consent.

The way forward – what to be aware of

Six months into the GDPR we’re only beginning to understand exactly how it’ll be implemented by the regulators. Geolocation harvesting, data sharing and consent appear to be the early battlegrounds. Vectaury actually used an IAB Europe template that bundled consent.
If you’re working with an adtech supplier doing geotargeting for ads or if you’re using consent for processing, you need to review your processes, do a DPIA and submit it to your supervisory authority before it comes knocking on your door.
There are some other interesting rulings that’ll be coming soon in relation to behavioural ads (the targeted ads you see when you surf the web). These behavioural ads also use bundled consent practices and the data collected is broadly distributed to third parties.
So while advertisers will scream about these changes, who knows, maybe a world where advertisers cannot share our data broadly isn’t such a bad thing. Only six months in and the GDPR is already beginning to drive real world change by tightening geolocation, or surveillance, advertising and reverting to targeting based on general locations rather than an individual’s specific location – unless of course the person is willing to share his or her data with thousands of companies.
