May 25 is here and let’s pretend that companies up and down the digital supply chain are ready for the General Data Protection Regulation enforcement deadline.
Good. Now it’s time to start fretting about ePrivacy.
Many in the advertising industry have treated ePrivacy almost as an afterthought in the frenzied lead-up to the GDPR enforcement date. But ePrivacy has the potential to make bigger waves than GDPR.
Also known as the EU Cookie Directive, ePrivacy is a set of rules that aim to protect the confidentiality of electronic communications and govern cookie requirements in Europe. The best-known manifestations of ePrivacy are the pervasive cookie banners at the bottom of European websites.
EU lawmakers have been toiling for nearly a year to update ePrivacy and bring it into line with GDPR so that there’s one standard pan-European legal approach to privacy. There have been multiple drafts and revisions so far but nothing finalized yet.
The new ePrivacy regs, when they’re finally complete, are meant to complement GDPR with more clarity, especially on how to handle cookie processing. But if a situation arises that either regulation could cover, ePrivacy takes precedence.
The original plan was to have the new ePrivacy regs ready in time for GDPR’s debutante ball on May 25, but the process has been held up by a debate over legitimate interest as a legal basis to process data for direct marketing, which isn’t included in the most recent ePrivacy draft.
It’s unlikely ePrivacy will be finished before the end of the year.
Under GDPR, controllers and third parties can claim legitimate interest if they need to process data to run their business, as long as that doesn’t infringe on a data subject’s rights.
But without legitimate interest in ePrivacy, businesses would have only one legal basis for processing data – and that’s obtaining affirmative consent.
It’s been a constant back and forth between those of the opinion that ePrivacy is too strict and those who don’t think it’s strict enough, said Jochen Schlosser, chief strategy officer at Adform. The lack of guidance from regulators and authorities on the point illustrates that they’ve “significantly underestimated the complexity of the data ecosystem as they tried to find a ‘one to rule them all’ approach,” he said.
It may all be a moot point, though, said Johnny Ryan, former head of ecosystem at PageFair. Third-party ad tech vendors are dreaming if they think legitimate interest will hold up as a viable legal basis for programmatic.
While legitimate interest may cover some forms of direct marketing – say a local grocer who mails a circular with special offers to its regular customers – even if the lobbyists prevail in convincing lawmakers to include it as a provision in the final draft, it’s not going to pass muster as a justification for targeting and ad tracking, Ryan said.
To establish legitimate interest, businesses have to conduct a balancing test in which they weigh their own interests against the rights and expectations of data subjects.
“Since there is no protection of personal data of any standard in programmatic advertising, it fails the test,” Ryan said. “Lobbying to have legitimate interest included in the ePrivacy regulation is irrelevant.”
Although some companies are keeping their heads in the sand, others are preparing for a world in which legitimate interest either doesn’t exist or won’t fly as a legal basis for data processing.
“We as an industry can spend days and months thinking about the ‘what if,’ but we are already moving to build frameworks and technology to work in consent-only environments,” Schlosser said.
Adform is one of nearly 60 registered consent management platforms participating in the IAB’s GDPR transparency and consent framework, which allows advertisers and publishers to collect and share consent with multiple ad tech partners. Although some, such as the publisher trade group Digital Content Next, call the initiative a “non-starter” that won’t hold up under the law, ad tech vendors are optimistic.
“The companies supporting these initiatives are clearly committed and have put solutions in place,” Schlosser said. “To what degree they will be used and already suffice, that needs to be decided, and hopefully soon.”
But even if legitimate interest doesn’t make its way into the ePrivacy regulation in the end, brands, pubs and vendors will have less to worry about if they just follow the golden rule, said Alisa Bergman, chief privacy officer at Adobe.
“If you’re customer-driven, you should be fine,” she said. “‘Don’t surprise the customer.’ ‘Do what you say and say what you do.’ If you follow those principles, you’ll align with GDPR and you’ll align with ePrivacy.”