2. 1. What the new European rules (the GDPR and the ePR) are.
(a)Global impact and risk
2.The three big challenges for online media & advertising.
3.Outlook
(a) Adtech data players.
(b) Google.
(c) Facebook.
(d) Publishers.
Contents
slide 1
3. General Data Protection
Regulation (GDPR)
ePrivacy Regulation (ePR)
Area of focus
Protection of personal data
(Article 8 of the EU Charter of
Fundamental Rights)
Respect for private life and
communications (Article 7 of
the EU Charter of Fundamental
Rights)
Current status
Has entered in to force, and will
soon be applied.
Currently being negotiated
between lawmaking institutions.
Date of
application
25 May 2018 25 May 2018 (or later)
Geographic
impact
Global
European Economic Area
(may widen) slide 2
4. 513+ million people
• Processing data by, or for,
an EU business.
• Businesses that offer
services to, or sell to, or
monitor and profile users
in the EU.
European Economic Area
Geographic scope
slide 3
5. for infringements relating to the consent of a child, processing that does not require
identification, data protection by design, the tasks of the data protection officer, and
certification
for infringements related to the legal basis for processing, consent, and processing of sensitive
data (including profiling), notification about users rights and the processing of their data, the
rights of users (e.g. data rectification, erasure, portability, etc.), transfers of data outside of the
EU, and failure to comply with a supervisory authority’s order to cease processing or to suspend
a data flow
2% of total worldwide annual turnover
(or €10M, whichever is higher)
4% of total worldwide annual turnover
(or €20M, whichever is higher)
plus court actions by data subjects and their representatives.
Penalties
slide 4
6. 3 Big Challenges
1. Risk: Not getting consent
2. Risk: Data leakage
3. Risk: Data portability
slide 5
7. “any information relating to an identified or
identifiable natural person ('data subject'); an
identifiable natural person is one who can be
identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person…”
-GDPR, Article 4
“Personal data”
slide 6
8. “Single customer view”
Indirectly identifiable:
Netflix users’ TV & movies
Directly identifiable:
IP addresses, where ISP
can identify the subscriber
slide 7
11. ///
Visitor Site SSP DSP DMP Brand
$
“Demand side”“Supply side”
Ad Exchange
slide 10
12. ///
Visitor Site SSP Ad Exchange DSP DMP
serve page
request page
request bid
request segment
ad request
cookie to SSP
deliver ad
sync
deliver segment
sync
Ad request
Brand
$
store data
“Demand side”“Supply side”
slide 11
15. 1. Any one of the 100s of parties
receiving data from an ad exchange can
share onward with further parties.
2. The ad unit may contain JavaScript
that summons unauthorized trackers.
The Daily Bugle
ADVERTISEMENT
?
2 FORMS OF DATA LEAKAGE
slide 14
16. • It must be specific and informed.
Can not be buried in “Terms & Conditions”.
• Consent can not be disruptive. Must be
obtained freely, without detriment. (Consent
Walls may or may not be permissible)
•Who or what type of party is receiving the data
•What are the purposes of processing, and legal basis
for that
•How long are the data stored (or what criteria
determine duration)
•If this giving that data is part of a contract what are
the consequences of not providing data
•If the data are being transferred to a third country,
what safeguards or binding corporate rules are in
place?
•In cases of automated decision-making, including
profiling, what logic is applied and what is the
significance of the outcomes.
You must tell the user:
Consent
GDPR & ePrivacy Regulation:
Businesses must obtain consent to use
personal data.
slide 15
17. We would like to share your browsing
habits on our site with Brand Name and
their analytics partners, to understand
what offers may be of interest to you.
These data will be deleted
after 6 months. You can withdraw
permission at any time in My Data.
Learn more?
Pop-up Dialog
OKNo
Purpose of processing,
and notification of
profiling.
Article 13, para 1, c, and para 2, f.
Duration
Article 13, para 2, a.
Text links to tool for
withdrawing consent.
Article 7, paragraph 3.
Text links to tool to
complain to supervisory
authority, and to access,
correct, and transfer
data, etc.
Article 13, para 2, b, c, and d.
Can say no
Recital 42.
Details of recipients and
categories of recipients.
Text links to contact
details of the
controller and their
data protection officer.
Article 13, para 1, a, b, and e.
A (probably non-compliant) GDPR CONSENT REQUEST
Scenario: a website requests consent to share data with a brand for product offers
slide 16
18. We would like to share your browsing
habits on our site with Brand Name and
their analytics partners, to understand
what offers may be of interest to you.
These data will be deleted
after 6 months. You can withdraw
permission at any time in My Data.
Learn more?
Pop-up Dialog
OKNo
Thinking of yourself as a visitor to websites,
what would you select if shown this message?
79%
21%
slide 17
19. Please allow your browsing habits on our
sites to be shared with
Open ID participants
We will then be able to identify offers that
are more interesting to you, and process
business transactions with our partners.
(Alternatively, we will use generic ads,
which might be less interesting to you.)
You can cancel at any time by clicking
the icon on any ad.
Learn more about your data.
Help us keep Example.com profitable
OKNo OK
6 months 12 months
[Ad exchange]
[Ad exchange]
[DMP]
[DMP]
[DSP]
[DSP]
[Verification vendor]
i
i
i
i
i
i
i
[Consortium] and its participants
Each
controller.
and
categories of
processors.
Might GDPR consent requests actually look like this?
slide 18
20. 3%
3%32%65%
46% 51%
64%13%
Do you believe that users will opt-in to tracking for the
purposes of advertising?
No Yes, if denied access to the site otherwise Yes
1st party tracking on
a website
3rd party tracking on
a website
Tracking by any
party, anywhere on
the web
23%
0% 100% 200%
Can not deny access
because of GDPR
Article 7
slide 19
21. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
Step 9.
Agency ad server
loads verification
vendor
ADVERTISERS
website.com
AD
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
W
inningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Verification
javascript
Agency
ad server
Verification
vendor
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Channel of data leakage
Personal data
Legend
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
Money
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Risk
slide 20
22. “Controller” “Processor” “Processor” “Processor”
Contract Contract Contract
Contracts required that determine the following:
• the nature of processing and its duration,
• the obligations of the “controller”,
• and a guarantee that the “processor” handles the data only as
dictated by documented instructions from the controller
GDPR requires a new chain of accountability
Risk
slide 21
23. Holding first-party personal data that are now non-compliant
Buying personal data (directly or indirectly identifiable) from other sources to augment
profiles
Buying behavioural ads online, which currently requires the sharing of personal data with
countless partners.
BROKER
3
2
1
Risk (brands)
slide 22
24. All potentially liable!
The Courts
Multiple controllers and processors “involved in the same processing”
can each be held liable for damages awarded in a case.
A person can complain to the regulator, and at the same time go to court. And
can take the regulator to court for inaction.
Supervisory Authority ///
///
Visitor Site SSP Ad Exchange DSP DMP Brand
$Risk
slide 23
25. Risk: user can move data to a
competitors platform
slide 24
27. Needs “opt-in”
consent, but
user has little
incentive to
agree
4
Needs “opt-in”
consent, and
may get it
3
Can show an
“opt-out”
before using
data
2
Out of scope
of Regulation if
business is
modified
1
Already out of
scope of the
Regulation
0
PageFair GDPR disruption scale (digital advertising)
5
Needs “opt-in”
consent, but is
unable to
communicate
with users
slide 26
28. 5 Needs “opt-in” consent, but is unable to
communicate with users
4 Needs “opt-in” consent, but user has little
incentive to agree
• Facebook Audience Network
• WhatsApp advertising (see assumption 1)
3 Needs “opt-in” consent, and may get it
2 Can show an “opt-out” before using data
• NewsFeed ads (based only on personal data with no “special” personal data (e.g.
ethnicity, political opinion, religious or philosophical beliefs, sexual orientation),
unless marked “public” or visible to “friends of friends” (see assumptions 1 and 2)
• Instagram ads (see assumption 1)
1 Out of scope of the regulation, if business
is modified.
0 Already out of scope of the regulation.
Assumption 2. GDPR Article 6, paragraph 4, c, indicates a higher bar for “special categories of personal data” that reveal race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership,
or related to a data subject’s sex life or sexual orientation. However, this does not apply if the data have been “manifestly made public by the data subject” (GDPR, Article 9, paragraph 2, (e)). This may mean that the
publicity settings that a user places on their post will prevent or enable those posts to be mined for advertising.
GDPR scale: FACEBOOK
Assumption 1. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6,
paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR
Article 21, paragraph 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be
presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must
consider are “the impact of the further processing on the data subjects”.
slide 27
29. Assumption 1
… the Article 29 Working Party’s opinion on purpose
limitation notes that among the various things that the
compatibility assessment must consider are “the
impact of the further processing on the data subjects”.
slide 28
30. Until this week, when we asked Facebook about it,
the world’s largest social network enabled advertisers
to direct their pitches to the news feeds of almost
2,300 people who expressed interest in the topics of
“Jew hater,” “How to burn jews,” or, “History of ‘why
jews ruin the world.’”
To test if these ad categories were real, we paid $30
to target those groups with three “promoted posts” —
in which a ProPublica article or post was displayed in
their news feeds. Facebook approved all three ads
within 15 minutes.
“Facebook Enabled Advertisers to Reach 'Jew Haters’”, ProPublica , 14 September 2017
slide 29
31. Sen. Mark Warner, the top Democrat
on the Senate Intelligence Committee,
has said the ads Facebook has
disclosed to date represent just the "tip
of the iceberg" of Russians' full
election interference via social media.
Warner and his fellow Senators have
criticized both Facebook and Twitter for
the limited scope of their findings.
"Facebook gives Russian-linked ads to Congress", CNN, 1 October 2017
slide 30
32. 5 Needs “opt-in” consent, but is unable to
communicate with users
4 Needs “opt-in” consent, but user has little
incentive to agree
• Most personalized AdWords ads on Google properties including Search,
Youtube, Maps, and the Google Network (including “remarketing”,“affinity
audiences” , “in-market audiences”, “demographic targeting”, "similar
audiences”, “Floodlight” cross-device tracking), “customer match”,
“remarketing” (see assumption 1)
• Gmail ads
• Programmatic services (DoubleClick)
3 Needs “opt-in” consent, and may get it
2 Can show an “opt-out” before using data • Location targeting in Maps (see assumption 2)
1 Out of scope of the regulation, if business
is modified.
• AdWords (if all personalized features are removed) on Google properties
including Search, Youtube, Maps
0 Already out of scope of the regulation. • “Placement-targeted” ads on Google properties.
Assumption 1. That the average user does not “sign in” to Google Search or Chrome. If, however, users did sign in then Google may be able to further process their data for other purposes.
GDPR scale: GOOGLE
Assumption 2. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6,
paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR
Article 21, paragraph 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be
presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must
consider are “the impact of the further processing on the data subjects”.
slide 31
35. PLAN “A”:
SEEK CONSENT (AND
END DATA LEAKAGE).
PEOPLE WILL OPT-IN TO TRACKING FOR ADS?
BUT... HOW CONFIDENT ARE YOU THAT
slide 34
36. Not at all
How confident are you
that the average user
will click ‘OK’ to share
data with other
companies?
0% 100% 200%
To a small degree Moderately Highly Very highly
How concerned are you
about your online
behaviour being
tracked?
5% 7%
21% 35% 32%
32% 32% 21% 12%
4%
slide 35
38. Ads (Ethical Data)Ads (Conventional Data)
Fossil Fuel
Fossil Fuel
Classic Cars
Renewable Energy
Personal data
Ads (Conventional Data)
Personal data with consent
and enforceable protection
Non-personal data
N20
C02 HYPER PREMIUM,
SMALL MARKET
//
Regulatory disincentive
OLD INDUSTRY
Regulatory incentive
NEW CLEAN INDUSTRY
+
+
slide 37
39. (a) Advertising technology and data businesses face
enormous disruption.
(b) Parts of Google will be disrupted.
(c) Parts of Facebook will be disrupted.
(d) Publishers face short term difficulty, but have the
potential to transform their position.
(e) Adtech needs to shift to non-personal data, but most
adtech companies are fixated on getting consent for
personal data.
Summary
slide 38