Online Advertising: Where Does Your Data Really Go?


The issue of transparency around the collection and use of personal data from online users has recently made headlines, with several data collection practices now being directly challenged in court.

On the one hand, these developments are yet another sign that a few more bricks are falling from the wall of online tracking as we know it today. On the other hand, they shed light on the extent to which our personal information is exposed and the legal structures that would allegedly allow the collection of such data.

Depending on the outcome, they could ultimately push the online advertising industry closer to the end of the game for EU General Data Protection Regulation (GDPR) laws. In the meantime, they have also opened up a debate on the question: do you really know, as a consumer, where your data is going?

Before addressing this issue, it is crucial to examine these recent developments across Europe.

The wall of online tracking is crumbling

After several important, but relatively low-profile cases related to alleged violations of GDPR laws (the Vectaury case is a good example), two recent developments illustrate how traditional ad-tech entities are now starting to feel the heat.

First, a well-publicized lawsuit against Salesforce and Oracle for alleged GDPR violation is one of the largest GDPR-related class actions to date. The Privacy Collective – a consumer privacy campaign group dedicated to pursuing collective action against the misuse of users’ personal data online – accuses both Oracle and Salesforce of selling profiles created from the personal data they have collected from users to advertisers who use their services through the real-time auction (RTB) process, without the knowledge or consent of users for such sharing.

In another case to come, the DPA (Belgian Data Protection Authority) is questioning the system as a whole. According to a DPA investigation, launched following complaints from several privacy advocates, the Transparency and Consent Framework (TCF), established and managed by the European branch of the Interactive Advertising Bureau (IAB Europe) has been deemed non-compliant with the GDPR.

Misuse of third-party cookies and other tracers

The two cases described above are closely related. The IAB Europe TCF is the most common program for achieving GDPR compliance, involving an overwhelming majority of the industry, be it publishers, platforms or technology providers. As expected, both Oracle and Salesforce are TCF Approved Vendors and committed the alleged violations while transferring the alleged consents through the TCF Approved Consent Management Platforms (CMP). If the courts rule that the program did not comply with core GDPR principles, it will be an ad-tech earthquake.

Of the different products that Oracle and Salesforce offer to brands and marketers, each also offers a Customer Data Platform (CDP) – a service that helps customers reach directly to their existing consumers with advertisements. personalized on third party websites. At the center of The Privacy Collective’s complaint against Oracle and Salesforce is the alleged misuse of consumer personal data, which was obtained using cookies and other third-party trackers, made addressable through their CDPs.

Considering that Oracle and Salesforce are both members of the TCF who have devoted significant resources to complying with this program, you might wonder: how did they end up being accused of invading user privacy? The DPA’s investigation may shed some light on the matter.

According to the DPA report, “IAB Europe’s approach shows that it neglects the risks that would have an impact on the rights and freedoms of the people concerned. The report also states that the framework fails to provide data subjects with sufficient transparency about the information collected and to whom it is made available, as well as failing to comply with the principles of fairness and accountability. Thus, if the Dutch court and the DPA litigation chamber adopt the same approach vis-à-vis the interpretation of the GDPR law, these two incidents are perfectly in line with each other.

This isn’t the first time complaints have been made against RTB regarding GDPR, and this case is just a small nugget of a much larger problem in the industry. When large companies like Oracle or Salesforce are accused of selling user profiles to other companies and transacting through RTB, without the knowledge or consent of those users, one thing becomes clear: the data ‘supply chain’ as it currently operates in the RTB process is simply not transparent enough for what the user expects in 2020.

As a result, it is impossible to think that consumers are fully aware or clear about how their personal data is used, shared and monetized by the web economy. So let me ask you: as a consumer, do you really understand where your data is going?

Do you know where your data is going?

The short answer to this question is probably no. Unless you have a concrete understanding of the ‘supply chain’ of data that powers digital ads, it’s a simple fact that you would have very little or no understanding of the complexities of programmatic advertising. You wouldn’t be alone. Consumers still too often think that they only allow a specific publisher or advertiser to use their personal data, as long as they visit that specific website. They do not understand to what extent and to what extent their data is used and reused. This issue was supposed to be addressed by the GDPR, as it set a higher transparency bar towards users, but according to DPA, the TCF does not meet this bar in the existing framework.

The TCF is certainly a step that can provide users with a bit more information than what they were used to before GDPR. However, according to most of its critics, its main goal was to preserve RTB’s existing mechanisms in their various functions, being executed by hundreds of entities for a single ad request at the same time. Since GDPR requires much more explicit user approval for such actions, complying with the new rules in the real world would mean the mechanics must change.

Change is on the horizon

Fortunately, the change is already well underway. We all know that third-party cookies, the tool behind data-driven advertising, are already missing from several platforms (Safari, Firefox, privacy tool users and others), and they will be completely ineffective in less. two years on Google Chrome. . While third-party cookies aren’t the only way to track users, these changes signal a broader trend. Above all, this change was driven by the desire of consumers to have more control over their personal data.

But what does this mean for programmatic advertising and the RTB process? Doomsday prophets predict the end of digital advertising as we know it, as the new era of privacy driven by the phasing out of cookies and shifting consumer sentiment is likely to put an end to cases like this one.

A natural evolution for the industry – a revolution for consumers

Yet what I see here is an opportunity. The opportunity to be more balanced. An opportunity to create a new standard and technology for online targeting, which not only gives users much more transparency and control over how their personal data is used online, but is also compatible with programmatic auctions.

So, whatever the outcome of the pending lawsuits against IAB Europe, Salesforce and Oracle, one thing is crystal clear: now is the time for the community to wake up, recognize the opportunity and adapt to the new one. era of confidentiality. To strike the right balance, we need to equip users with tools that help them state their explicit preferences in a data-driven advertising environment, thus upholding the spirit of privacy laws and allowing users to control how whose data is collected and used.

Rotem Dar, Director of Media Operations, eye