In response to the new regulation, Shine stated: “European citizens have a right to protect themselves from being tracked, profiled and targeted by ad tech. Lobbying efforts by the advertising industry were successful in obfuscating these fundamental rights.”
While Shine often trades blows with ad industry trade groups, in this case it finds itself on the same side as the IAB.
“The purported modernization of [the 1995 EU law on consumer data and privacy] has put digital publishers in a much more challenging place,” said IAB Europe CEO Townsend Feehan. “The legal basis for data use relevant in the commercial context (i.e., for advertising) is actually narrower than it was in the 1995 law. And the definition of personal data appears to be much broader.”
It will take years to assess how BEREC’s laws will impact online advertising. However, the language and positioning are more aggressive than in previous years.
For instance, the EU has tightened restrictions around the scope of the audience data publishers can collect and track. Now, the permissions publishers get from individual readers only cover data necessary for maintaining the online service. So user data can be collected if it’s contributing to network security or to malware prevention, but “the examples of what constitutes legitimate usage don’t look relevant for advertising,” said Feehan.
Third parties that work with sites purely on monetization and don’t have any customer-facing relationships of their own (like DSPs, SSPs and publisher vendors) have, under the 1995 law, fallen into a “legitimate interest” loophole for applying user data on behalf of publishers, “which now looks like it’s going to be more problematic,” she said.
The legalese used to define regulations also makes it difficult to form concrete responses.
“Consent is presumed not to be freely given,” wrote BEREC in one of the potentially impactful policy changes, “if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
The IAB interprets the above guidance to mean publishers and pub vendors can process personal data only if it’s “necessary in order for the publisher to provide access to the website,” and advertising no longer qualifies as necessary.
There’s still time and opportunity to influence the language of the policy before it becomes established law, but “the environment right now feels very averse,” said Feehan.
In other words, the forces driving executive action from the EU (most notably, popular opinion) are trending in the wrong direction for the IAB and online advertisers.
As Frederik Borgesius, a researcher at the Institute for Information Law in Amsterdam, previously told AdExchanger, European standards on privacy and data are “very different than the self-regulated world [such as in the United States], with industry trade groups working out the parameters of what’s acceptable.”
Feehan acknowledged the longstanding European consensus on privacy – dating back to laws enacted after World War II that forbid demographic tracking – and said more recent geopolitical tensions play a role as well.
“The Snowden disclosures allowed EU parliaments to amalgamate US businesses with the NSA and more sinister kinds of tracking … since there’s data going between them,” she said.
This has created a very challenging policy environment.
“And between now and 2018 (when the law is formalized), the working group putting together these data standards will only have more authority to shape the law and enforcement,” she said.