How a small French privacy ruling could remake adtech for good
A ruling in late October against a little known French adtech firm that popped up on the national data watchdog’s website earlier this month, is causing ripples of excitement to run through privacy watchers in Europe who believe it signals the beginning of the end for creepy online ads. The excitement is palpable. Impressively so, […]
A ruling in late October against a little known French adtech firm that popped up on the national data watchdogâs website earlier this month, is causing ripples of excitement to run through privacy watchers in Europe who believe it signals the beginning of the end for creepy online ads.
The excitement is palpable.
Impressively so, given the dry CNIL decision against mobile âdemand side platformâ, Vectaury, was only published in the regulatorâs native dense French legalese.
Digital advertising trade press AdExchanger picked up on the decision yesterday.
Hereâs the killer paragraph from CNILâs ruling â translated into ârough Englishâ by my TC colleague Romain Dillet:
The requirement based on the article 7 above-mentioned isnât fulfilled with a contractual clause that guarantees validly collected initial consent. The company VECTAURY should be able to show, for all data that it is processing, the validity of the expressed consent.
In plainer English this is being interpreted by data experts as the regulator stating that consent to processing personal data cannot be gained through a framework arrangement which bundles a number of uses behind a single âI agreeâ button that, when clicked, passes consent to partners via a contractual relationship.
CNILâs decision suggests that bundling consent to partner processing in a contract is not, in and of itself, valid consent under the European Unionâs General Data Protection Regulation (GDPR) framework.
Consent under this regime must be specific, informed and freely given. It says as much in the text of GDPR.
But now, on top of that, the CNILâs ruling suggests a data controller has to be able to demonstrate the validity of the consent â so cannot simply tuck consent inside a contractual âcarpet bagâ that gets passed around to everyone else in their chain as soon as the user clicks âI agreeâ.
This is important because many widely used digital advertising consent frameworks rolled out to websites in Europe this year â in claimed compliance with GDPR â are using a contractual route to obtain consent, and bundling partner processing behind often hideously labyrinthine consent flows.
The experience for web users in the EU right now is not great. But it could be leading to a much better Internet down the road.
Whereâs the consent for partner processing?
Even on a surface level the current crop of confusing consent mazes look problematic.
But the CNIL ruling suggests there are deeper and more structural problems lurking and embedded within. And as regulators dig in and start to unpick adtech contradictions it could force a change of mindset across the entire ecosystem.
As ever, when talking about consent and online ads the overarching point to remember is that no consumer given a genuine full disclosure about whatâs being done with their personal data in the name of behavioral advertising would freely consent to personal details being hawked and traded across the web just so a bunch of third parties can bag a profit share.
This is why, despite GDPR being in force (since May 25), there is still so many tortuously confusing âconsent flowsâ in play.
The long-standing online T&Cs trick of obfuscating and socially engineering consent remains an unfortunately standard playbook. But, less than six months into GDPR weâre still very much in a âphoney warâ phase. More regulatory rulings are needed to lay down the rules by actually enforcing the law.
And CNILâs recent activity suggests more to come.
In the Vectaury case, the mobile ad firm used a template framework for its consent flow that had been created by industry trade association and standards body, IAB Europe.
It did make some of its own choices, using its own wording on an initial consent screen and pre-ticking the purposes (another big GDPR no-no). But the bundling of data purposes behind a single opt in/out button is the core IAB Europe design. So CNILâs ruling suggests there could be trouble ahead for other users of the template.
IAB Europeâs CEO, Townsend Feehan, told us itâs working on a statement reaction to the CNIL decision but suggested Vectaury fell foul of the regulator because it may not have implemented the âTransparency & Consent Framework-compliantâ consent management platform (CMP) framework â as itâs tortuously known â correctly.
So either âthe âCMPâ that they implemented did not align to our Policies, or choices they could have made in the implementation of their CMP that would have facilitated compliance with the GDPR were not madeâ, she suggested to us via email.
Though that sidesteps the contractual crux point thatâs really exciting privacy advocates â and making them point to the CNIL as having slammed the first of many unbolted doors.
The French watchdog has made a handful of other decisions in recent months also involving geolocation-harvesting adtech firms, and also for processing data without consent.
So regulatory activity on the GDPR+adtech front has been ticking up.
Its decision to publish these rulings suggests it has wider concerns about the scale and privacy risks of current programmatic ad practices in the mobile space than can be attached to any single player.
So the suggestion is that just publishing the rulings looks intended to put the industry on noticeâŠ
Meanwhile adtech giant Google has also made itself unpopular with publisher âpartnersâ over its approach to GDPR by forcing them to collect consent on its behalf. And in May a group of European and international publishers complained that Google was imposing unfair terms on them.
The CNIL decision could sharpen that complaint too â raising questions over whether audits of publishers that Google said it would carry out will be enough for the arrangement to pass regulatory muster.
For a demand-side platform like Vectaury, which was acting on behalf of more than 32,000 partner mobile apps with user eyeballs to trade for ad cash, achieving GDPR compliance would mean either asking users for genuine consent and/or having a very large number of contracts that itâs doing actual due diligence on.
Yet Google is orders of magnitude more massive of course.
The Vectaury file gives us a fascinating little glimpse into adtech âbusiness as usualâ. Business which also wasnât, in the regulatorâs view, legal.
The firm was harvesting a bunch of personal data (including peopleâs location and device IDs) on its partnersâ mobile users via an SDK embedded in their apps, and receiving bids for these usersâ eyeballs via another standard piece of the programmatic advertising pipe â ad exchanges and supply side platforms â which also get passed personal data so they can broadcast it widely via the online ad worldâs real time bidding (RTB) system. Thatâs to solicit potential advertisersâ bids for the attention of the individual app user⊠The wider the personal data gets spread, the more potential ad bids.
That scale is how programmatic works. It also looks horrible from a GDPR âprivacy by design and defaultâ standpoint.
The sprawling process of programmatic explains the very long list of âpartnersâ nested non-transparently behind the average publisherâs online consent flow. The industry, as it is shaped now, literally trades on personal data.
So if the consent rug itâs been squatting on for years suddenly gets ripped out from underneath it there would need to be radical reshaping of ad targeting practices to avoid trampling on EU citizensâ fundamental right.
GDPRâs really big change was supersized fines. So ignoring the law would get very expensive.
Oh hai real time bidding!
In Vectauryâs case CNIL discovered the company was holding the personal data of a staggering 67.6 million people when it conducted an on-site inspection of the company in April 2018.
That already sounds like A LOT of data for a small mobile adtech player. Yet it might actually have been a tiny fraction of the personal data the company was routinely handling â given that Vectauryâs own website claims 70% of collected data is not stored.
In the decision there was no fine but CNIL ordered the firm to delete all data it had not already deleted (having judged collection illegal given consent was not valid); and to stop processing data without consent.
But given the personal-data-based hinge of current-gen programmatic adtech that essentially looks like an order to go out of business. (Or at least out of that business.)
And now we come to another interesting GDPR adtech complaint thatâs not yet been ruled on by the two DPAs in question (Ireland and the UK) â but which looks even more compelling in light of the CNIL Vectaury decision because it picks at the adtech scab even more daringly.
Filed last month with the Irish Data Protection Commission and the UKâs ICO, this adtech complaint â the work of three individuals, Johnny Ryan of private web browser Brave; Jim Killock, exec director of digital and civil rights group, the Open Rights Group; and University College London data protection researcher, Michael Veale â targets the RTB system itself.
Hereâs how Ryan, Killock and Veale summarized the complaint when they announced it last month:
Every time a person visits a website and is shown a âbehaviouralâ ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisersâ bids for the attention of the specific individual visiting the website.
A data breach occurs because this broadcast, known as an âbid requestâ in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.
The GDPR, Article 5, paragraph 1, point f, requires that personal data be âprocessed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.â If you can not protect data in this way, then the GDPR says you can not process the data.
Ryan tells TechCrunch that the crux of the complaint is not related to the legal basis of the data sharing but rather focuses on the processing itself â arguing âthat it itself is not adequately secure⊠that theyâre arenât adequate controlsâ.
Though he says thereâs a consent element too, and so sees the CNIL ruling bolstering the RTB complaint. (On that keep in mind that CNIL judged Vectaury should not have been holding the RTB data of 67.6M people because it did not have valid consent.)
âWe do pick up on the issue of consent in the complaint. And this particular CNIL decision has a bearing on both of those issues,â he argues. âIt demonstrates in a concrete example that involved investigators going into physical premises and checking the machines â it demonstrates that even one small company was receiving tens of millions of peopleâs personal data in this illegal way.
âSo the breach is very real. And it demonstrates that itâs not unreasonable to suggest that the consent is meaningless in any case.â
Reaching for a handy visual explainer, he continues: âIf I leave a briefcase full of personal data in the middle of Charing Cross station at 11am and itâs really busy thatâs a breach. That would have been a breach back in the 1970s. If my business model is to drive up to Charing Cross station with a dump-truck and dump briefcases onto the street at 11am in the full knowledge that my business partners will all scramble around and try and grab them â and then to turn up at 11.01am and do the same thing. And then 11.02am. And every microsecond in between. Thatâs still a fucking data breach!
âIt doesnât matter if you think youâve consent or anything else. You have to [comply with GDPR Article 5, paragraph 1, point f] in order to even be able to ask for a legal basis. There are plenty of other problems but thatâs the biggest one that we highlighted. Thatâs our reason for saying this is a breach.â
âNow what CNIL has said is this company, Vectaury, was processing personal data that it did not lawfully have â and it got them through RTB,â he adds, spelling the point out. âSo back to the GDPR â GDPR is saying you canât process data in a way that doesnât ensure protection against unauthorized or unlawful processing.â
In other words, RTB as a funnel for processing personal data looks to be on inherently shaky ground because itâs inherently putting all this personal data out there and at riskâŠ
Whatâs bad for data brokersâŠ
In another loop back, Ryan says the regulators have been in touch since their RTB complaint was filed to invite them to submit more information.
He says the CNIL Vectaury decision will be incorporated into further submissions, predicting: âThis is going to be bounced around multiple regulators.â
The trio is keen to generate extra bounce by working with NGOs to enlist other individuals to file similar complaints in other EU Member States â to make the action a pan-European push, just like programmatic advertising itself.
âWe now have the opportunity to connect our complaint with the excellent work that Privacy International has done, showing where these data end up, and with the excellent work that CNIL has done showing exactly how this actually applies. And this decision from CNIL takes, essentially my report that went with our complaint and shows exactly how that applies in the real world,â he continues.
âI was writing in the abstract â CNIL has now made a decision that is very much not in the abstract, itâs in the real world affecting millions of people⊠This will be a European-wide complaint.â
But what does programmatic advertising that doesnât entail trading on peopleâs grubbily obtained personal data actually look like? If there were no personal data in bid requests Ryan believes quite a few things would happen. Such as, for e.g., the demise of clickbait.
âThere would be no way to take your TechCrunch audience and buy it cheaper on some shitty website. There would be no more of that arbitrage stuff. Clickbait would die! All that nasty stuff would go away,â he suggests.
(And, well, full disclosure: We are TechCrunch â so we can confirm that does sound really great to us!)
He also reckons ad values would go up. Which would also be good news for publishers. (âBecause the only place you could buy the TechCrunch audience would be on TechCrunch â thatâs a really big deal!â)
He even suggests ad fraud might shrink because the incentives would shift. Or at least they could so long as the âworthyâ publishers that are able to survive in the new ad world order donât end up being complicit with bot fraud anyway.
As it stands, publishers are being screwed between the twin plates of the dominant adtech plaforms (Google and Facebook), where they are having to give up a majority of their ad revenue â leaving the media industry with a shrinking slice of ad revenues (that can be as lean as ~30%).
That then has a knock on impact on funding newsrooms and quality journalism. And, well, on the wider web too â given all the weird incentives that operate in todayâs big tech social media platform dominated Internet.
While a privacy-sucking programmatic monster is something only shadowy background data brokers that lack any meaningful relationships with the people whose data theyâre feeding the beast could truly love.
And, well, Google and Facebook.
Ryanâs view is that the reason an adtech duopoly exists boils down to the âaudience leakageâ being enabled by RTB. Leakage which, in his view, also isnât compliant with EU privacy laws.
He reckons the fix for this problem is equally simple: Keep doing RTB but without any personal data.
A real-time ad bidding system thatâs been stripped of personal data does not mean no targeted ads. It could still support ad targeting based on real-time factors such as an approximate location (say to a city region) and/or generic and aggregated data.
Crucially it would not use unique identifiers that enable linking ad bids to a individualâs entire digital footprint and bid request history â as is the case now. Which essentially translates into: RIP privacy rights.
Ryan argues that RTB without personal data would still offer plenty of âvalueâ to advertisers â who could still reach people based on general locations and via real-time interests. (Itâs a model that sounds much like what privacy search engine DuckDuckGo is doing, and also been growing.)
The really big problem, though, is turning the behavioral ad tanker around. Given that the ecosystem is embedded, even as the duopoly milks it.
Thatâs also why Ryan is so hopeful now, though, having parsed the CNIL decision.
His reading is regulators will play a decisive role in pushing the ad industryâs trigger â and force through much-needed change in their targeting behavior.
âUnless the entire industry moves together, no one can be the first to remove personal data from bid requests but if the regulators step in in a big way⊠and say youâre all going to go out of business if you keep putting personal data into bid requests then everyone will come together â like the music industry was forced to eventually, under Steve Jobs,â he argues. âEveryone can together decide on a new short term disadvantageous but long term highly advantageous change.â
Of course such a radical reshaping is not going to happen overnight. Regulatory triggers tend to be slow motion unfoldings at the best of times. You also have to factor in the inexorable legal challenges.
But look closely and youâll see both momentum massing behind privacy â and regulatory writing on the wall.
âAre we going to see programmatic forced to be non-personal and therefore better for every single citizen of the world (except, say, if they work for a data broker),â adds Ryan, posing his own concluding question.âWill that massive change, which will help society and the web⊠will that change happen before Christmas? No. But itâs worth working on. And itâs going to take some time
âIt could be two years from now that we have the finality. But a finality there will be. Detroit was only able to fight against regulation for so long. It does come.â
Whoâd have though âtaking back controlâ could ever sound so good?