Disruption in AdTech: where are we and what next?

Kolvin Stone (partner)
Ben Nolan (associate)

The AdTech industry is facing the biggest overhaul since its inception, which inevitably will have an impact on the wider web ecosystem as so many services and content are funded via advertising revenue.

AdTech is currently heavily premised on the concept of delivering personalised ads to users. This is achieved through the use of technologies such as cookies and mobile advertising identifiers.

The impact of the GDPR and similarly inspired regulations, the tightening grip of regulators and, in some ways even more significantly, the recent action by two of the industry’s biggest players, Apple and Google, have left the industry in a state of flux.

We discuss recent developments below and look at what’s next for more privacy friendly AdTech.

New regulations and regulatory action

Following the GDPR, new privacy laws are being developed in jurisdictions across the globe, and many of these specifically regulate online advertising. Notably, in the US, California has introduced the CCPA and the CPRA, and similar privacy laws are expected in other US states in the near future. Further changes to the ePrivacy landscape are also coming in the EU.

In the UK, regulatory action is on the cards, with the ICO currently investigating the AdTech industry. It is expected that industry participants will need to make significant changes to their practices following the conclusion of the ICO’s investigation and expected enforcement action.

Apple’s new operating system

In April 2021, Apple released iOS 14.5, which introduced its App Tracking Transparency framework. Apps may no longer use the IDFA (the unique advertising identifier assigned to an iPhone) or other device identifiers to track users’ app and internet browsing activity for marketing purposes unless the user has consented to that tracking through the system prompt.

This change affects iPhone users worldwide, and early statistics suggest that a large proportion of users are declining to be tracked when prompted.

Google Chrome and the Removal of the Third-Party Cookie

At the browser level, Google has announced that Chrome will block all third-party cookies in early 2022 (Safari and Firefox already block them by default).

Third-party cookies have traditionally been relied on to track users’ internet browsing activities across websites to build up a profile of that user.  This information is then shared within the AdTech ecosystem to ensure that businesses are able to deliver targeted ads to users.

However, it is almost impossible to use third-party cookies lawfully for tracking and advertising, given the high standards of transparency and consent demanded by privacy laws such as the GDPR.

This is the context in which Google has decided to phase out third-party cookies.

What next for AdTech?

Although it is too soon to say for sure what these changes will mean for companies in the AdTech space, we have set out some likely consequences below:

  • Cookie-less advertising – businesses are developing advertising strategies that do not rely on cookies. For example, Google has begun trialling its proposed alternative, “Federated Learning of Cohorts”, where ads are delivered to categories of users (rather than specific individuals).
  • First party data advertising – based on information collected directly from the user or via interactions with your site or App.
  • Resurgence of contextual advertising? – this type of advertising, which fell out of favour following the rise of behavioural advertising, displays ads to users relating to the content of the page being viewed, rather than being targeted at specific users.
  • Incentives to sharing data? – it is possible that some businesses may offer incentives to customers who agree to their data being used for advertising purposes.

What does this mean?

If your business model is based on ad revenue, you need to review whether your ad partners are using third-party cookies. There will likely be legal risk in using third-party cookies. In addition, now is the time to consider more privacy-friendly AdTech models.


If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Do B2B companies not based in the EU need to comply with the GDPR?

Kolvin Stone (partner)

I’ve long questioned the extraterritorial scope of the EU General Data Protection Regulation and if non-EU based organizations that engage solely in business-to-business activities fall under the GDPR.

The GDPR is at best ambiguous on this issue, and the guidance published to date from the regulators is unhelpful.

This issue has been brought into focus because of Brexit and the numerous inquiries I’ve received about whether U.K. B2B companies (with no physical presence in the EU) need to appoint an EU representative (and comply with the GDPR more generally in the EU).

The point has been raised by the privacy activist organization founded by Max Schrems (NOYB – European Center for Digital Rights), which stated in its submission in December 2020 on the European Commission’s proposed new standard contractual clauses that further guidance is needed to clarify the scope of the requirement to appoint an EU representative.

What is the issue in a nutshell?

Article 3(2)(a) of the GDPR states controllers and processors not based in the EU are subject to the GDPR where they process personal data of individuals in the EU in the course of offering goods or services to those individuals.

So, a U.K.-based clothing retailer selling items to an individual in France needs to comply with the GDPR. Makes sense as the retailer could be collecting a fair amount of information about the individual, including name, address, payment information and possibly some profile data.

But what happens if the U.K.-based retailer is selling to a company and only collecting business contact details in that context? It is not offering goods to an individual but a company. Does that mean the GDPR does not apply?

Interpretation of Article 3(2)(a)

On a literal reading of Article 3(2)(a), the answer must be yes. The B2B retailer is not offering goods to an individual.  The European Data Protection Board has published guidance to help clarify the scope of Article 3(2)(a) and all of the examples relate to business to consumer scenarios. Not helpful at all.

The EDPB could have taken the opportunity to make clear that Article 3(2)(a) also applies to B2B scenarios, and individuals should be read as individuals acting on behalf of companies. It did not do this, and I’m not sure why.

Is that an implicit recognition that Article 3(2)(a) may not apply to B2B scenarios? It would be somewhat of an anomaly that personal information collected in the context of B2B transaction is subject to the GDPR if you have an establishment in the EU but out of scope where you are not in the EU. And what about protecting the privacy rights of individuals at companies that are clearly entitled to protection?

Unfair advantage

It would create somewhat of an unfair advantage where you sell into the EU but are based outside of it. The GDPR and the extraterritoriality provisions were intended to level the playing field to ensure non-EU based technology businesses were also subject to the GDPR when active in the EU. Recognizing this, it is hard to justify an interpretation that excludes B2B transactions for non-EU based businesses.

There is no getting away from the fact that Article 3(2)(a) only refers to individuals and the EDPB guidance highlights B2C transactions.

While it seems odd to distinguish between B2B and B2C in this way, the distinction is well established (even if controversial) in the U.K., where B2B communications (e.g., to corporate email accounts) are excluded from the direct marketing rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Only B2C communications (e.g., to private email accounts) require opt-in consent. There is, then, precedent for having different standards depending on whether the processing of personal data is in the context of B2B or B2C transactions.

Purposive and pragmatic interpretation

For my part, while Article 3(2)(a) is ambiguous, I’ve always worked on the basis that non-EU based organizations that engage solely in B2B activities are within the scope of the GDPR, although I have often had clients query this and highlight the fact that they are not selling to individuals.

With Brexit having occurred, clarity is important as U.K. businesses need to know as a matter of urgency the scope of their obligations as there is a real cost to having to appoint an EU representative.

The U.K. Information Commissioner’s Office has no clear official position on this issue and there are mixed messages on whether an EU representative is needed when the activities are pure B2B.

Scope for a UK approach

In September, the U.K. government published a consultation document on a new National Data Strategy with laudable goals to “build a world-leading data economy” with laws that are “not too burdensome” and “a data regime that is neither unnecessarily complex nor vague.”

In this context, is there scope for the U.K. to develop a different and more business-friendly interpretation of the GDPR? The U.K. courts and lawyers have historically taken a more literal approach to interpretation as compared to the EU courts and lawyers. Hence, my EU peers do not necessarily see the same issue with Article 3(2)(a). If the U.K. developed a more literal interpretation to Article 3(2)(a), that may reduce some regulatory friction to trade with the U.K. It would mean non-U.K.-based B2B businesses would not need to have a U.K. representative.

That, though, does not help the many U.K.-based businesses that are asking whether they now need to appoint an EU representative. Clarity from regulators would be extremely welcome.


If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Cookies and the new ePrivacy Regulation

Nigel Miller (partner)

Why is it important?

While many people may not care too much about cookies, there are a number of reasons why they are important for website owners.

First, you cannot drop a non-essential cookie without prior consent. As a result of the changes brought in by the GDPR since May 2018, it is no longer possible to rely on implied consent for cookies (for example, deemed consent by continuing to browse the website), as the standard for consent under the GDPR is much higher and requires a specific opt-in.

Second, cookies are high on the regulator’s (the ICO’s) agenda. While many of us suffer from “cookie notice fatigue” and just click through to get rid of the banners, the ICO has received an increasing number of complaints about cookies, nearly 2,000 in the past year.

Third, the ICO is also currently investigating the Adtech sector which is largely driven by cookies. While many cookies are innocuous, others are highly privacy invasive and are involved in systematic monitoring and tracking browsing across devices, device fingerprinting and online behavioural advertising. The intrusive nature of the technology makes this a priority area for the regulators. In response to this, the hugely complex adtech industry will likely be required to adapt and provide much higher levels of transparency.

Fourth, because of GDPR-level fines: nothing gets this issue onto the corporate agenda like the eye-watering fines that can be issued under the GDPR, and fines of that order have already been issued in relation to cookies, notably by the French regulator, the CNIL, against Google (€100m) and Amazon (€35m).

And finally, the law is developing with a new ePrivacy regulation on the horizon, which we look at below.

What is the current law?

The current law is based on the EU ePrivacy Directive of 2002. In the UK, this was implemented by the Privacy and Electronic Communications Regulations, fondly known as “PECR”.

Actually, the law does not refer to “cookies” as such; the regulation is technology neutral and covers a range of cookie-like technologies. The key point is that PECR covers any technology that can “access” or “store” data on the user device – this includes smartphones, smart TVs and other devices. It can also include technologies like tracking pixel gifs, often used to track if marketing emails have been opened which can provide valuable analytics.

The key requirement under PECR is that, where you deploy a cookie, you must:

  • provide the user with clear and comprehensive information about the purposes of the cookie; and
  • get the consent of the user.

There are a couple of exceptions to this, the most important one being that you do not need consent for cookies that are “strictly necessary” for the service requested by the user.

So, cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, as opposed to the user’s, will still require consent.

For example, cookies used to authenticate a user, to remember items in a shopping cart, or to remember language or other user preferences are regarded as “strictly necessary”, but cookies for analytics purposes, and advertising cookies are non-essential and need consent.

Even where consent is not required, users must still be informed of the use of cookies by means of a cookie banner and policy.

PECR v GDPR

An important thing to bear in mind is that consent for cookies is needed, whether or not the cookie data involves any “personal data”.  If it does involve personal data, such as device ID, username, browsing details etc, then that will be subject to the GDPR as well as PECR.

Under the GDPR, you need a legal basis for processing personal data. Typically, for marketing, this could be either consent or legitimate interests. However, where cookies are deployed and processing of personal data is involved, then PECR trumps the GDPR. This means that, if consent is required under PECR, then consent is also the appropriate legal basis for processing personal data under the GDPR.

There is some debate about this in the adtech sector where it is argued that, while consent is needed for the cookie, “legitimate interests” could be used as the legal basis for any subsequent processing of the data. The regulator does not agree with this, but the actual legal position is not settled.

So, what do we need to do?

The first thing to do would be to carry out a cookie audit to make sure you know exactly what cookies are in use, and the purpose and duration of each. In this audit:

  • Identify any of the cookies that are “strictly necessary”, and so don’t need consent.
  • Identify any third-party cookies – in the case of third-party cookies, such as Google Analytics or affiliate networks, while it is the third party that requires the consent as it is their cookie, in practice the third party requires that the site owner gets the consent on their behalf.
  • Review the consent mechanism you have on the site to make sure it is compliant – everyone seems to do this differently, and some ways are more compliant than others.
  • Review / update your cookie policy – to make sure that it meets the transparency requirement, and importantly that it is consistent with the cookies actually in use. There is no one-size-fits all for this as the policy needs to be specific to the cookies you have implemented and the purposes of those cookies.
  • Finally, you may need to carry out a data protection impact assessment under the GDPR – if the cookies involve personal data and are used for profiling for marketing or other purposes, then you may need to carry out a DPIA. Even if this is not strictly required, it can be good practice to do so to ensure that any risks are identified and any appropriate measure implemented to mitigate those risks.
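The audit steps above are easier to keep honest with a small tool than with a spreadsheet. The following is an added example, not code from the original article or from Fox Williams: it takes Set-Cookie header values captured from a site (here a constructed sample, as if recorded on first page load before the user touched the banner), checks each cookie against the site owner’s inventory, and reports category, purpose, lifetime and whether the cookie is first- or third-party. The site host, the inventory and the cookie names are assumptions made for the illustration. The check at the end lists the cookies that need consent but were set anyway, which is the list to fix first.

```javascript
// Added example (not from the original article): a small cookie audit helper.
// The site host, inventory and captured cookies below are assumptions for illustration.

const SITE_HOST = "example.co.uk"; // hypothetical site being audited

// Hypothetical inventory maintained by the site owner: cookie name -> category and purpose.
const INVENTORY = {
  session_id: { category: "strictly necessary", purpose: "authenticates the user" },
  cart:       { category: "strictly necessary", purpose: "remembers basket contents" },
  lang:       { category: "strictly necessary", purpose: "remembers language preference" },
  _ga:        { category: "analytics",          purpose: "analytics visitor id" },
  ad_uid:     { category: "advertising",        purpose: "ad network user id" },
};

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds: Max-Age takes precedence over Expires; neither means a session cookie (0).
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs["max-age"] !== undefined) return Number(cookie.attrs["max-age"]);
  if (cookie.attrs.expires !== undefined) {
    return Math.round((Date.parse(cookie.attrs.expires) - now) / 1000);
  }
  return 0;
}

// A cookie is third-party when the host that set it is neither the site nor one of its subdomains.
function isThirdParty(setByHost) {
  return !(setByHost === SITE_HOST || setByHost.endsWith("." + SITE_HOST));
}

// Audit a capture of {host, header} pairs (host = the server that sent the Set-Cookie).
// Returns one row per cookie; cookies missing from the inventory are flagged as UNKNOWN.
function auditCookies(captured, now = Date.UTC(2021, 0, 1)) {
  return captured.map(({ host, header }) => {
    const cookie = parseSetCookie(header);
    const known = INVENTORY[cookie.name];
    const category = known ? known.category : "UNKNOWN";
    return {
      name: cookie.name,
      setBy: host,
      thirdParty: isThirdParty(host),
      category,
      purpose: known ? known.purpose : "not in inventory: investigate before relying on any consent",
      lifetimeSeconds: lifetimeSeconds(cookie, now),
      needsConsent: category !== "strictly necessary",
    };
  });
}

// Cookies that need consent but were present in a capture taken before any opt-in.
function setBeforeConsentViolations(rows) {
  return rows.filter((r) => r.needsConsent).map((r) => r.name);
}

// Constructed sample capture (not real traffic), as if recorded on first page load.
const SAMPLE_CAPTURE = [
  { host: "example.co.uk", header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "example.co.uk", header: "lang=en; Max-Age=31536000; Path=/" },
  { host: "example.co.uk", header: "_ga=GA1.2.1; Expires=Sun, 01 Jan 2023 00:00:00 GMT; Path=/" },
  { host: "ads.example-network.test", header: "ad_uid=zzz; Max-Age=7776000; SameSite=None; Secure" },
  { host: "cdn.example.co.uk", header: "ab_test=B; Max-Age=86400" },
];

console.table(auditCookies(SAMPLE_CAPTURE));
console.log("set before consent:", setBeforeConsentViolations(auditCookies(SAMPLE_CAPTURE)));
```

Two points the output makes that the checklist alone does not: a first-party cookie (`_ga` here) still needs consent if its purpose is analytics, and a cookie nobody can account for (`ab_test`) cannot be covered by any consent until someone establishes what it is for and how long it lives.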

How to get consent?

The consent required under PECR follows the GDPR standard, meaning it must be freely given, specific, informed, and an unambiguous indication of the end user’s wishes through a clear affirmative action. There are a few key points to bear in mind:

  • As above, there is no need to get consent for “strictly necessary” cookies. And there is no need therefore for a pre-ticked box for these cookies.
  • Where consent is needed, do not use pre-ticked boxes; this would not be a valid consent, as consent has to be signified by a positive step such as ticking the box.
  • This is important – do not set cookies before you get the opt-in, so you may need to do some technical work on the site to make sure that this is the case.
  • Provide clear and comprehensive information. This is because, if the information is not clear and comprehensive then, as well as breaching the transparency requirement, it will undermine the consent as it will not be a “fully informed” consent.
  • Do not bundle multiple consents into one; ideally, there would be granular consents for each cookie, or at least for each category.
  • There should also be an “Accept All” and a “Reject All” button.
  • Provide an option for users to revisit consents that they have given.
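The “technical work on the site” mentioned above comes down to routing every cookie through one choke point that knows the consent state. The following is an added example, not code from the original article or from Fox Williams, showing that pattern: nothing outside the strictly necessary category is set until the user opts in, consent is granular per category, there are accept-all and reject-all paths, a withdrawal removes cookies already set, and a record of what was agreed and when is kept so the choice can be evidenced and revisited. The categories, cookie names, and the in-memory jar standing in for `document.cookie` are assumptions made for the illustration.

```javascript
// Added example (not from the original article): consent-gated cookie setting.
// Categories, cookie names and the in-memory jar are assumptions for illustration;
// in a browser the jar would wrap document.cookie.

const CATEGORIES = ["necessary", "analytics", "advertising"];
const REQUIRED = new Set(["necessary"]); // "strictly necessary": no consent needed

// Hypothetical inventory (output of the cookie audit): cookie name -> category.
const CATEGORY_OF = { session_id: "necessary", cart: "necessary", _ga: "analytics", ad_uid: "advertising" };

// Starting state: no pre-ticked boxes, so only the required category is allowed.
function defaultConsent() {
  const c = {};
  for (const cat of CATEGORIES) c[cat] = REQUIRED.has(cat);
  return c;
}
function acceptAll() {
  const c = {};
  for (const cat of CATEGORIES) c[cat] = true;
  return c;
}
function rejectAll() { return defaultConsent(); }

// Granular update; the required category stays on (it needs no consent and cannot be refused).
function setConsent(consent, category, granted) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
  return { ...consent, [category]: REQUIRED.has(category) ? true : Boolean(granted) };
}

class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// The single choke point through which the site sets cookies. A cookie missing from the
// inventory is refused outright, so a tag added without going through the audit cannot
// bypass consent. Returns true if the cookie was set, false if blocked for lack of opt-in.
function setCookie(jar, consent, name, value) {
  const category = CATEGORY_OF[name];
  if (category === undefined) throw new Error(`cookie ${name} is not in the inventory`);
  if (!consent[category]) return false;
  jar.set(name, value);
  return true;
}

// Apply the current consent to cookies already present (e.g. after a withdrawal).
// Returns the names removed.
function enforceConsent(jar, consent) {
  const removed = [];
  for (const name of jar.names()) {
    if (!consent[CATEGORY_OF[name]]) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Record kept alongside the consent: which optional categories were agreed and when,
// so the choice can be evidenced and the user reminded to revisit it.
function consentRecord(consent, givenAt) {
  return { givenAt, categories: CATEGORIES.filter((c) => consent[c] && !REQUIRED.has(c)) };
}

// Walk through a visit: first load, "Accept All", then withdrawal of advertising consent.
function demo() {
  const jar = new CookieJar();
  let consent = defaultConsent();
  const beforeOptIn = {
    session: setCookie(jar, consent, "session_id", "s1"), // allowed: strictly necessary
    ga: setCookie(jar, consent, "_ga", "g1"),             // blocked: no opt-in yet
  };
  consent = acceptAll();
  setCookie(jar, consent, "_ga", "g1");
  setCookie(jar, consent, "ad_uid", "a1");
  const afterAccept = jar.names();
  consent = setConsent(consent, "advertising", false); // user revisits and withdraws
  const removed = enforceConsent(jar, consent);
  const record = consentRecord(consent, "2021-01-28T00:00:00Z");
  return { beforeOptIn, afterAccept, removed, remaining: jar.names(), record };
}

console.log(demo());
```

The design choice worth copying is the refusal of unknown cookies in `setCookie`: most “cookies set before consent” findings come from a tag that was added after the audit and never mapped to a category, and failing closed turns that into a visible error in testing rather than a silent compliance gap in production. Note that this only governs cookies the site sets itself; a third-party script that sets its own cookies must not be loaded at all until the relevant category is consented to.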

The new ePrivacy Regulation

A new ePrivacy Regulation has been on the horizon since 2017, when the European Commission published its proposal, but the text has been batted back and forth in Europe ever since without agreement being reached. However, the Council of the EU agreed its negotiating position in February 2021, and negotiations with the European Parliament can now begin.

The objective of the ePrivacy Regulation is to update the ePrivacy Directive – which is nearly 20 years old – and to bring it into line with GDPR.  It aligns with the substantial fines possible under the GDPR, whereas at the moment fines under PECR are limited to £0.5m. The ePrivacy Regulation also allows for individuals to bring claims which could involve class action claims.

Also, like the GDPR, the regulation provides for extraterritorial application, so it will apply to businesses outside the EU insofar as it relates to end users in the EU. However, unlike the GDPR, it does not require that EU users are specifically targeted — the extraterritorial application is triggered as soon as users in the EU are implicated regardless of whether there was an intention to direct activities at the EU market.

So far as the cookie requirement is concerned:

  • There is still a need for affirmative consent, except in a number of circumstances which are a little broader than at present, and will include cookies for the purpose of audience measuring (e.g., web analytics) and for IT security purposes.
  • The regulation also allows for consent to be given by selecting technical settings in the browser, for example by having a whitelist of sites which the user consents to dropping cookies. But browsers will need to develop to facilitate this.
  • Also, users who have given consent must be reminded every 12 months of their right to withdraw consent.

Once the ePrivacy Regulation is finalised there will be a two year transition period before it comes into force.

As regards the UK, following Brexit, the ePrivacy Regulation will not automatically extend to the UK, but the UK may amend PECR to align it to the ePrivacy Regulation, especially in so far as the Regulation is more business-friendly and provides additional exceptions to the cookie rule. Also, because of the extraterritorial application of the Regulation, it will effectively apply to all UK businesses as regards end users in the EU.

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Happy Data Privacy Day 2021!

Annually on 28 January, Data Privacy Day (or, if you prefer, Data Protection Day) is an “international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”.

We take the opportunity to highlight a number of key current issues with data protection.

  1. The EU / UK Trade Agreement: Three myths busted – Privacy and data protection
    Still reeling from the Brexit deal done on Christmas eve? The media (and social media in particular) are myth-ridden. Here, we consider and bust some myths related to privacy and data protection.
  2. Post-Brexit – data transfers
    As the UK and the EU reached a deal on Brexit, we provide a high level summary of the position on data transfers as from 1 January 2021.
  3. New – Standard Contractual Clauses
    Standard Contractual Clauses (SCCs) are the most commonly used mechanism to authorise transfers of personal data from the UK / EEA. We take a look at the proposed new SCCs and find some interesting developments.
  4. New guidance for international transfers post-Schrems II
    In July 2020, the European Court of Justice thoroughly shook up the international data transfer regime when handing down its decision in the Schrems II case. We look at the European Data Protection Board guidance on handling cross-border data transfers post-Schrems.
  5. AI and data protection – uncomfortable bedfellows? 
    Artificial intelligence (AI) has been around for a long time. However, it is only fairly recently that we have seen its use spread into our daily lives. With the gradual uptake of AI, one might wonder what the GDPR has to say on the matter. We look at some of the key data protection issues.
  6. ICO resumes investigation into Adtech 
    On 22 January 2021 the ICO announced that it was resuming its investigation into the AdTech sector. The ICO’s initial views were that RTB is unlawful. It can be expected that the ICO will issue assessment notices to specific companies in the coming months.  We look at the key issues.
  7. Lessons learned from BA, Marriott and Ticketmaster fines
    The Information Commissioner’s Office (ICO) recently fined British Airways (BA), Marriott International (Marriott), Ticketmaster £20 million, £18.4 million and £1.25m respectively for failures to keep customers’ personal data secure.  We look at lessons to be learned.
  8. Covid-19 and WFH – can you monitor your employees under GDPR?
    The pandemic has resulted in a seismic shift in the number of employees working from home. A question which often arises is: can employers use technology to monitor employees work patterns? We set out some of the key data protection considerations.
  9. Six data protection steps for returning to the workplace
    As lockdown restrictions may ease in the coming weeks / months, we look at the key steps organisations need to consider in relation to the use of personal information.
  10. Do you need to register under the Data Protection Act?
    One of the most-read items on our website! Maybe it’s because it could save you from a fine up to £4,350.  While that’s not in the same league as GDPR fines generally, it’s easily avoided by making sure your ICO registration is up to date.

Contact us

If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.

Post-Brexit – data transfers

Nigel Miller (partner)

As the UK and the EU have now reached a deal on Brexit, what’s the position on data transfers as from 1 January 2021?

Here’s a high-level summary:

Transfers from UK to EEA – these will be subject to UK GDPR. The UK government has confirmed that such transfers are not restricted and so can continue as before without the need for any transfer tool to be put in place.

Transfers from UK to third countries outside the EEA – the position remains similar to the current GDPR rules. Although the UK will in due course make its own adequacy decisions, for the time being existing EU adequacy decisions and the EU approved standard contractual clauses will continue to be recognised.

Transfers from EEA to UK – from 1 January 2021 the UK is a “third country” so far as EU GDPR is concerned; therefore, transfers from EEA to UK will be restricted transfers. The UK was seeking an “adequacy decision” from the European Commission as part of the Brexit deal to permit such transfers to continue without the need for a transfer tool to be put in place. A joint declaration published alongside the deal makes clear that the EU will undertake this adequacy assessment. However, an adequacy decision was not part of the deal. Pending this, a temporary arrangement has been agreed to allow data to continue to be transferred from the EEA to the UK for the next four months (extendable to six months).

Given this temporary arrangement, thankfully it is not necessary for organisations involved in such transfers to rush to put in place standard contractual clauses or another transfer tool as from 1 January. However, this will need to be kept under careful review in Q1 and Q2 2021.

Transfers to the US which relied on Privacy Shield – as a result of the Schrems II decision in July 2020, which invalidated the Privacy Shield arrangement, another transfer tool needs to be put in place, such as standard contractual clauses. But see next point.

Using standard contractual clauses – as well as transfers which have become restricted transfers as a result of Brexit, all restricted transfers will need to be reviewed in 2021 with the implementation of the proposed new standard contractual clauses issued by the European Commission in November 2020 – see https://idatalaw.com/2020/11/20/new-standard-contractual-clauses/

In addition to the above, following Schrems II, in order to rely on standard contractual clauses organisations must carry out a “transfer impact assessment” to determine whether the clauses guarantee an equivalent level of protection for the transferred data as applies under GDPR; if implementation of SCCs alone would not guarantee an equivalent level of protection, then “supplementary measures” need to be put in place to ensure such a level of protection – see further https://idatalaw.com/2020/11/20/new-guidance-for-international-transfers-post-schrems-ii/

Putting aside international transfers for a moment, we wish you all the best for a healthy and successful 2021!