“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Alan Chapell, president at Chapell & Associates.
When the ad tech world started thinking about GDPR enforcement in late 2017 or early 2018, most were fairly confident that EU supervisory authorities would not rain down lightning bolts right out of the gate.
Rather, we figured that there’d be a smattering of relatively minor enforcement decisions in the fall to winter of 2018, but that we would not have a meaty enforcement action until Q1 of 2019. I think it was safe to say that the odds-on favorite for the first major enforcement action would likely be against Facebook or Google.
While I agree that this news is not great for ad tech, we might draw some comfort from the fact that this was a fairly predictable outcome.
The implications: Let’s not get ahead of ourselves
Some hot takes in the news predicted that this enforcement action would mark the end of the $50 billion targeted advertising industry in the EU. We may eventually look back on this case as a watershed moment for our industry. However, I’d be careful about overstating the implications for several reasons.
First, the CNIL is just one EU supervisory authority. This case is really only applicable to the French marketplace. I’ll admit that the CNIL is influential, but there are other regulators who will eventually need to weigh in before we are able to state that the CNIL truly represents the collective sentiment of all EU supervisory authorities. We’ve already seen the Austrian Data Protection Authority (DPA) take a very different position on “tracking walls” and consent than the CNIL or the UK’s Information Commissioner’s Office.
Second, this case is less about targeted ads and more about the breadth and depth of Google’s data collection practices. The CNIL argues that Google collects so much data under so many scenarios that it would be impossible for a data subject to manifest consent. (More on that below.) As such, this case is much more relevant to the practices of multiconsumer touchpoint platforms such as Facebook, Amazon and perhaps even Apple – and much less relevant to programmatic advertising platforms, which don’t collect anywhere near that scale of data.
And finally, this case doesn’t necessarily implicate legitimate interest. The CNIL is not taking a position on legitimate interest, except to state that, in the CNIL’s opinion, Google does not adequately describe the circumstances under which it may use legitimate interest as its legal basis. I don’t think one can say that the CNIL is opining here on the use of legitimate interest for targeted advertising. I’m not here to either praise or bury legitimate interest, but I certainly don’t think that this case rules out its use for marketing purposes.
Limited capacity for consent?
The CNIL’s primary argument here seems to be that Google collects so much information that it would be nearly impossible for any reasonable data subject to be in a position to fully understand what they are consenting to. I’m not trying to hate on Google here, but I do think the CNIL is raising an important point – and perhaps the most important privacy question of the day. Namely, is it possible to reach a point where the scope of data being collected exceeds the ability of a reasonable person to manifest a valid consent? I don’t pretend to have the answer to this question, but I’ll just state the obvious: It might be helpful for all stakeholders to be able to answer these questions sooner rather than later.
All that said, one can also make this argument in contexts outside of privacy. For example, how many of us read every word in the terms of service prior to accepting its terms? Are those contractual terms any more or less important than data protection terms? Probably not. If few read and/or understood those terms, does that mean any consent obtained via those terms should also be considered invalid? I don’t know.
What comes next?
I’d imagine that Google has planned for this, and I’m anticipating that Google will appeal this decision all the way to the EU Court of Justice if necessary.
Meanwhile, I think it’s reasonable that other supervisory authorities will want to weigh in on this subject in the near term. Perhaps they do this with fines, or maybe by offering guidance documents. But as I stated, I’d be careful about touting this decision as the law of the land across the EU, at least until after Germany and Ireland weigh in.
What steps should we take?
I’m not trying to provide legal advice, but I can say that the most prudent course of action is to ensure that an ad tech company’s practices fall in the top quartile of industry practices. The goal here is to mitigate against any regulatory actions by making your company a less attractive target.
With that in mind, perhaps the best advice here is for companies to:
Review their privacy-related disclosures: Are they clear? Do they accurately represent current data flows? Are all partners listed out in a single place that is reasonably easy to find?
Update their data protection impact assessments (DPIAs): Similarly, companies probably should consider regularly updating their DPIAs. When the Swedish DPAs recently opened an inquiry into Google’s practices, they specifically requested to see Google’s DPIAs.
Evaluate the ROI of continuing to operate in the EU: I’m working under the assumption that any ad tech company operating in the EU is aware that bracing for the possibility of a regulatory action in excess of $1 million is simply the cost of doing business in the EU. That said, it probably doesn’t hurt to periodically re-assess the ROI and risk analysis for remaining in the EU marketplace.