Browsing the internet has never really been free. Each time you visit a website, a silent auction for your eyeballs is conducted to show you an ad that effectively makes you pay with your personal information. Location, birthday, browsing data and more are broadcast to hundreds of vendors within a millisecond. The practice has flourished even in Europe, which has the world’s strictest privacy laws.
The reason: Internet users here click a special “consent” button on most sites; they’re everywhere and slightly annoying in a system designed two years ago by an ad association based in Brussels to help advertisers comply with Europe’s privacy laws. Now Belgium’s data protection authority, together with 27 European Union agencies, has officially ruled the tactic illegal. The data these buttons helped collect should also be deleted.
That is great news for privacy campaigners, assuming the decision is upheld in court upon the probable challenge by the ad group. It could spell an eventual end to companies sharing your personal data in these creepy auctions, or at least sharing less of it. But it also poses a brand new dilemma for advertisers already scrambling to deal with privacy changes from Apple Inc., and others in the pipeline from Alphabet Inc.’s Google.
Privacy advocates have argued for years that consent buttons give a pretense of legality to what is, effectively, a gateway to surveillance advertising. So-called real-time bidding for our personal data makes up most of Europe’s 64 billion-euro ($73 billion) ad market, according to the European arm of the Interactive Advertising Bureau, the trade body that made the consent tool.
Here’s an example of how the tool works: visit the main website for Formula 1 racing and you’ll see a pop-up with the title “Your choices regarding cookies on this site,” with some stark information about how F1 processes your personal data for ad targeting. You can choose to accept or manage your settings, and doing the latter brings up a long list of obscure companies with names like Yieldlove GmbH and Wizaly, who bid to show you ads based on a broadcast of your personal data.
Want to stop all that? You can click on a series of buttons to block them, but it’s time-consuming and very confusing. That was part of the problem, according to the Belgians, who took up the case because IAB Europe is based there. An ad-tech company’s “legitimate” interest in profiling a person for an ad was outweighed by that person’s fundamental rights and freedom from having their data shared in online auctions.
Regulators had long complained that the consent buttons broke Europe’s General Data Protection Regulation law, but now there’s an official ruling. It paves the way for lawsuits against advertising companies who continue to use it, as well as more targeted enforcement by regulators. Activists have come straight out of the gate. The Irish Council for Civil Liberties and the Electronic Privacy Information Center in Washington D.C., two non-profit privacy groups, on Thursday demanded in an open letter to several of the world’s biggest advertisers, including Unilever Plc and Procter & Gamble Co., that they delete all personal data collected using the consent tool.
Unilever declined to comment. P&G didn’t respond to a request for comment.
“The problem is the system throws personal data around to a large number of companies,” says Johnny Ryan, a director with the Irish Council for Civil Liberties who co-filed the original complaint against the system.
IAB Europe, the ad association that developed the tool, called the ruling “wrong in law” and said it was considering all its legal options. It has six months to come up with an alternative system, but Ryan says the Belgians expressed skepticism in their 127-page ruling. IAB Europe didn’t respond to a question about the likely acceptance of its new system.
Much remains unclear. For instance, do advertisers such as P&G, Unilever or Google really have to delete data they collected via the consent buttons? Garrett Johnson, a professor of marketing at Boston University’s Questrom School of Business who has studied the ruling, says they probably don’t.
Even so, the question adds to a growing pile of issues that are making online advertising a more legally arduous business, threatening to disrupt a model that has powered large swathes of the internet for years.
It also underscores how a global push for better privacy is finally prompting a sea change in how the online ad market functions. Last week, Meta Platforms Inc. said that privacy-related changes from Apple would knock $10 billion off Facebook’s revenue this year. Google is also planning to block user-tracking technology known as third-party cookies from its popular Chrome browser in 2023. And the state of California is preparing a law taking effect in 2023 that gives consumers new power to limit the sharing of personal information to advertisers.
This will be a painful transition for advertisers. It could also benefit larger firms like Google that have the resources to comply with complicated new rules. But consumers deserve a break from being stalked around the internet. A step toward respecting their privacy also nudges us towards a healthier Internet.
“The future looks to be far more privacy-centric,” says Christian Selchau-Hansen, chief executive of online marketing firm Formation Inc., which works with businesses on customer loyalty programs. “We’re in the beginning of this. The future looks to be one where people and consumers have much more control over their data. The practices around third-party data, collected sometimes without consent, those things are going to go away or will dramatically change.”
Bloomberg