One month on, establishing user consent for tracking technologies is proving difficult for the online ad industry to master
Online publishers and ad exchanges are taking differing routes to compliance with the newly introduced General Data Protection Regulation (GDPR), with consumer groups finding that many publishers are continuing to serve personalised ads without obtaining consent.
Compliance within the ad industry is also being made more complex due to Google’s delay in joining a consortium formed to grapple with GDPR issues, potentially leaving publishers and others open to fines.
Media consultancy Oko Digital found that as of early June, one-third of 75 major websites presented no notice about personalised ads.
Dutch consumer advocacy organisation Consumentenbond, likewise, found that half of the 150 websites it reviewed began tracking users before establishing consent.
Informed, explicit consent to the use of personal data is a central pillar of the GDPR, but as yet there is no consensus on what that means.
And some major publishers are taking a different route, arguing that their collection of tracking data is justified under a GDPR provision that allows it for “legitimate” business purposes.
Fraud prevention and marketing can fit the definition, provided the privacy effect on individuals is limited, reasonably expected and likely to be accepted, regulators have said.
“Axel Springer takes the view that the use of certain tracking technologies in Germany continues to be allowed without prior consent – as long as users can opt out and provided there is a legitimate interest,” Axel Springer told Reuters.
Axel Springer is not seeking consent for targeted ads on its properties.
The UK Information Commissioner’s Office said consent must be “unambiguous, freely given, fully informed and involve a clear affirmative action in order to be valid under GDPR”.
Europe’s online display advertising market is worth $22 billion (£17bn), a major part of the $200bn global online ad industry.
The compliance issues are a major issue because websites and apps can charge advertisers as much as 10 times more if ads can be delivered according to data such as a user’s browsing history or exact physical location.
Google and advertising technology companies have told publishers of ad-supported websites that it’s their responsibility to obtain consent from users for the collection of their data for advertising purposes.
But while many websites are now asking for consent, it isn’t clear what effect, if any, users’ choices are having on the way their data is collected and used.
The situation is all the more chaotic because Google’s DoubleClick Bid Manager (DBM) doesn’t yet support consent software rolled out by adtech companies a month before the GDPR took effect, and won’t do so until August.
Spike in complaints
As a result, adtech firms can collect consent data from websites, but can’t yet submit it to DBM, which is used by major brands to buy ad inventory.
To get around the problem, large ad exchanges such as AppNexus and Rubicon Project have said they will only offer ad space on DBM if they’ve received consent from a user. In turn, those exchanges have informed websites that it’s their responsibility to block ads from DBM if they can’t guarantee users’ consent, Reuters reported, citing letters sent to sites.
And yet, AppNexus and Rubicon Project didn’t offer significantly less ad space on DBM after making the consent-only guarantee, two industry executives told Reuters. That’s in spite of at least 10 percent of European users withholding their consent when given the choice, the executives said.
AppNexus said it had stopped providing ads to European users from about 100 publishers.
Data protection authorities, which have been deluged with data protection complaints since the GDPR’s introduction on 25 May, have not yet delivered rulings on any specific cases.
The new law exposes companies to fines of 4 percent of global turnover or 20m euros (£18m), whichever is greater, in the case of serious breaches.