Interviews, insight & analysis on digital media & marketing

When it comes to online advertising, do you know where your data goes?

By Rotem Dar, Director of Media Operations, eyeo 

The issue of transparency around the collection and use of online users’ personal data has hit the headlines recently, with several data collection practices now being directly challenged in court.

On the one hand, these developments are a further sign of a few more bricks falling from the wall of online tracking as we know it today. On the other, they cast a light on the extent to which our personal information is exposed and the legal structures that allegedly give permission to collect that data.

Depending on the outcome, they could ultimately push the online advertising industry closer to the EU’s General Data Protection Regulation (GDPR) laws’ endgame. In the meantime, however, they have also opened up a debate on the question: do you, as a consumer, really know where your data is going? 

Before looking at this question, it is crucial to look at these recent developments across Europe.

The wall of online tracking is crumbling

After several significant cases relating to the supposed breaches of GDPR laws, two recent developments illustrate how mainstream ad-tech entities are now starting to feel the heat.

The first is a well-publicised lawsuit against Salesforce and Oracle over an alleged breach of GDPR laws. The Privacy Collective, a consumer privacy campaign group, is accusing both Oracle and Salesforce of selling profiles created from the personal data they gathered from users to advertisers who use their services via the real-time bidding (RTB) process, without the knowledge or consent of users for such sharing.

In another case, the DPA (Belgian Data Protection Authority) is challenging the system as a whole. According to a DPA investigation, initiated after complaints made by several privacy advocates, the Transparency and Consent Framework (TCF), established and operated by the European branch of the Interactive Advertising Bureau (IAB Europe) was deemed not to be compliant with GDPR.

Misuse of third-party cookies and other trackers

Both cases described above are tightly related. The IAB Europe’s TCF is the most common program for reaching GDPR compliance. As expected, Oracle and Salesforce are both approved TCF vendors, and performed the accused violations while transacting the supposed consents throughout TCF approved Consent Management Platforms (CMPs). If the courts rule the program was not in line with the fundamental principles of GDPR, it will be an adtech earthquake.

Oracle and Salesforce also offer brands and marketers a Customer Data Platform (CDP) – a service that helps clients to directly address their existing consumers with personalised ads on third-party websites. At the center of The Privacy Collective’s complaint against Oracle and Salesforce is the alleged misuse of consumers’ personal data, which was obtained using cookies and other third-party trackers, made addressable via their CDPs.

Since Oracle and Salesforce are both TCF members how have they found themselves accused of infringing upon users’ privacy?

According to the DPA’s report, “IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects”. The report also states the framework fails in providing data subjects with sufficient transparency regarding what information is collected and to whom it is made available. Thus, if the Dutch court and the DPA Litigation Chamber will adopt the same approach towards the interpretation of the GDPR law, these two incidents are completely in line with each other.

This isn’t the first time that complaints have been aimed at the RTB system concerning GDPR. When major companies such as Oracle or Salesforce are accused of selling user profiles to other companies and transacting that via RTB, without the knowledge or consent of users, one thing is clear: the ‘supply chain’ of data as it currently works in the RTB process is simply not transparent enough for what the user expects in 2020.

It’s impossible to think consumers are completely aware or clear about how their personal data is being used, shared and monetised. So, let me ask you: do you, as a consumer, truly understand where your data is going?

Do you know where your data is?

The short answer is probably no. It’s a simple fact that the average user will have very little understanding of the complexities of programmatic advertising. Consumers still too often think they are only giving consent for a specific publisher or advertiser to make use of their personal data, as long as they are visiting that specific website. They don’t understand the extent and degree to which their data is used and reused. This issue was supposed to be solved by GDPR but according to DPA, TCF doesn’t meet this bar within the existing framework.

TCF is certainly a step that can provide users with slightly more information in comparison to what they were used to in the age before GDPR. However, according to most of its critics, its main purpose was to preserve the existing mechanics of RTB to their different functions, being performed by hundreds of entities for a single ad request at the same time. As GDPR requires more explicit user approval for such actions, in practice, to comply with the new rules these mechanics must change.

Change is on the horizon

Fortunately, change is on the way. We all know third-party cookies are already missing from several platforms and they will be completely ineffective in less than two years on Google Chrome. While third-party cookies may not be the only way to perform user tracking, these changes signal a wider trend. Crucially, this change has been driven by consumers’ desire to have more control over their personal data.

But what does this mean for programmatic advertising and the RTB process? The doomsayers are predicting the end of digital advertising as we know it, while the new era of privacy marshalled in by the phasing out of cookies and changing consumer sentiment is likely going to put a stop to cases like this.

A natural evolution for the industry – a revolution for consumers

Yet, what I see here is an opportunity. An opportunity to be more balanced. An opportunity to create a new standard and technology for online targeting, which not only gives users far more transparency and control over how their personal data is being used online but is also compatible with programmatic bidding.

So, whatever the outcome of the current lawsuits against IAB Europe, Salesforce and Oracle, one thing is abundantly clear: now is the time for the community to wake up, recognise the opportunity and adapt to the new era of privacy. To strike the right balance, we must empower users with tools that help them indicate their explicit preferences in a data-driven advertising environment, thus fulfilling the spirit of privacy legislation and allowing users to control how their data is being collected and used.