Could GDPR Enforcement Affect Your Online Marketing Efforts?

Founder of Apple, Steve Jobs, once remarked, “Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” 

Europe’s General Data Protection Regulation (GDPR) agrees with him—it has a specific and strict requirement for consent. But amidst the evolving online advertising and marketing landscape, things can sometimes get a bit blurry. 

Shifting consumer privacy concerns and marketing technology innovation have created an advertising battleground. Now, marketers are always trying new tricks to profile, track, and place customized advertisements in front of audiences. 

But a decision from a leading regulatory body for the GDPR—the Belgian Data Protection Authority (APD)—could help clear things up on what’s allowed. 

In this article, we break down the recent statement from the APD and the major changes it brings to online advertising. Through our dedicated privacy practice, Schellman stays up-to-date with the fast-paced world of privacy legislation. This is big news. 

Though it’ll primarily impact Europeans, global changes will follow and soon international companies will also no longer be able to use certain marketing technologies. 

This will be a positive for privacy, but those of you involved in online marketing should start preparing for a big shift. Read on to ensure you have the latest understanding of how these findings may affect your company’s marketing practices.

How Does Online Advertising Work?

First, let’s delve into the details of online advertising and the decision’s impact on programmatic advertising. Here’s an oversimplification as to how it works:

  • The online advertising ecosystem is made up of a complex chain that includes:
    • Publishers: Organizations that own the ad space (website).
    • Advertisers: Organizations that want to use the ad space to reach an audience. A.K.A., you.
    • Ad Exchanges: A digital marketplace where advertisers and publishers can buy and sell space for ads through real-time auctions. These exchanges are the intermediary between advertisers and publishers. They facilitate the bidding process, data processing, and optimization.
    • Data Management Platforms (or unseen middlemen): An endless rolodex of consumer data as gleaned from online interaction.
  • When a consumer clicks on a website, their data is sent to the ad exchange.
  • Through “real-time bidding” within the exchange, advertisers can win the space to instantly place their targeted ads. They’re able to customize ads as influenced by their data management platform.

Also involved in this complex chain:

  • Sell-Side Platforms: They connect publishers to ad exchanges and provide available advertising space, or “inventory.”
  • Demand-Side Platforms: They enable media and advertisers to optimize purchases.

These marketing processes require a lot of personal data, and are mostly “unseen,” using software and data storage to allow an advertiser or company to follow you across the web. It’s why, when you are browsing the internet, you’re followed by customized ads based on your interests and recent browsing history. 

Understanding Consent Management in Programmatic Advertising

Now to how all this affects privacy, GDPR, and the future of online marketing. 

Part of this real-time, programmatic advertising process involves a consent management framework. Known as the “Transparency and Consent Framework” (TCF), it was issued by the Interactive Advertising Bureau (IAB).

(The IAB works alongside publishers to promote the growth of advertising on the Internet.)

TCF’s function is to capture a consumer’s preferences and personal information. It stores that information in a cookie and encodes it into a string of characters that is then sent throughout the advertising ecosystem to different companies and users. 

Per the Irish Council for Civil Liberties, the TCF is on 80% of the European internet. Over 1,000 companies use it, including Amazon, Google, and Microsoft. 

Does the TCF Violate GDPR?

Given the adoption rate, the TCF may seem popular, but the Belgian Data Protection Authority (APD) recently deemed that it violates GDPR. The APD stated that the advertising process enabled by the TCF creates risks for the personal data being processed, including risks related to:

  • Profiling and automated decision making;
  • Large scale processing of special categories of personal data; and
  • The analysis of behavioral data and location data. 

The APD’s main point is that TCF does not consider the fundamental rights and freedoms of data subjects—i.e., everyday consumers. 

Per the GDPR, to process personal data lawfully, one must have a legal basis. There are several different legal bases, including consent and legitimate interests, and this is where TCF landed in hot water.

Getting a consumer’s consent is hard and requires asking the user for permission to process their data. (You’ve probably seen this online when you’re asked to click a check box confirming your preferences regarding cookies, or marketing.) 

However, through the real-time bidding process and the use of the TCF, organizations have shifted to processing personal data based upon legitimate interest. This is a different threshold that allows a company to process a user’s data in a reasonable fashion, rather than asking them for permission explicitly.

The Information Commissioner’s Office (ICO), the U.K.’s data protection authority, states that an organization can only rely on a legitimate interest legal basis for processing personal data where the organization would use that data in ways that the user would “reasonably expect” and the use of data would have a minimal privacy impact.

Of course, this is not the case. Because it’s a less stringent use case than consent, it’s easier to misappropriate, which is exactly what the APD has concluded companies are doing. They’ve been claiming legitimate interest to process a user’s data in any way they want. Not only that, but they’ve been communicating that interpretation “up the chain” to other parties involved.

When used in this unintended way, an organization can overrule a user’s preference. Such misuse has led to mismanagement and overreaches of the use of personal data.

In fact, in certain situations, an organization using particular technical settings could identify previous websites someone has visited and infer sensitive information about that user. That sensitive data—which could include political opinions or even religious and health-related matters—leveraged through the TCF is protected under the GDPR. 

Therefore, the Belgian Data Protection Authority’s conclusion is clear. The TCF process violates the GDPR because it:

  • Fails to ensure personal data are kept secure and confidential (Article 5(1)(f) and Article 32 GDPR).
  • Fails to properly request consent and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by online tracking-based "Real-Time Bidding" advertising (Article 5(1)(a) and Article 6 GDPR).
  • Fails to provide transparency about what will happen to people’s data (Article 12, 13, and 14 GDPR).
  • Fails to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR).
  • Fails to respect the requirement for “data protection by design” (Article 25 GDPR). 

What Happens to the TCF Now?

As such, the APD has imposed an administrative fine of €250,000 on the IAB. They’ve given the organization six months to complete compliance measures or they will fine the IAB an additional penalty of €5,000 per day. Not only that, but the IAB must:

  • Implement “technical and organisational measures to prevent consent from being ticked by default and to prevent automatic authorisation of participating vendors relying on legitimate interest for their processing activities.”
  • Ensure that participating organizations meet the requirements of the GDPR.
  • Update current processes and documentation. That includes updating records of processing activities, appointing a Data Protection Officer, and performing Data Protection Impact Assessments. 

These major stipulations will affect 80% of the European Internet. But the ripple effect will surely spread to online advertising no matter where you are. 

Next Steps for Privacy Regulations

Marketing in the EU won’t be the only thing in flux in the near future. Privacy regulations will continue to develop all over the world in an attempt to protect consumers amidst an increasingly digital landscape.

While we wait for further developments to the TCF—and perhaps further regulation of online advertising—it’s important that you too stay prepared to protect the privacy of users, even if official regulations remain in progress.


About the Author

James Hunter

James Hunter is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman in 2021, James worked as an Associate in Internal Audit for three years. James is a Certified Information Privacy Professional.
