
GDPR And The Confounding Question Of ‘Legitimate Interest’


“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Eric Berry, CEO at TripleLift.

The General Data Protection Regulation (GDPR) goes into force in late May. It could devastate the programmatic ecosystem in Europe, along with the publisher business; it could be a non-event; or it could land somewhere in between.

A regulation that threatens to upend several multibillion-euro businesses should be clear and prescriptive in its guidance – but the GDPR is decidedly not.

Article 6 of the GDPR states that a data controller may only process data lawfully if, among other things, it has legitimate interest or consent. Processing effectively means doing anything with the user’s data, down to even having a pseudonymous persistent cookie. Determining when there is legitimate interest is the 20 million-euro (or 4% of global turnover) question. There are special carve-outs for employers, state interests, etc. that I will ignore and instead focus on ad tech.

Legitimate interest may be the legal basis for processing user data if the interests of the user do not override the interest of the controller when considering the reasonable expectations of the user and their relationship with the controller, according to the GDPR. The determination of legitimate interest requires “careful assessment” of these reasonable expectations and the context of data collection.

Running afoul of the GDPR can put a company out of business. Yet divining the intent of the legislators who drafted the GDPR when determining legitimate interest is an art.

How should a company interpret what the reasonable expectations of a user are? Who is this user, and what level of understanding does he or she have about cookies, tracking, advertising and commerce on the internet? Is this the sort of user who would be shocked to understand how ad tech has operated for the past 15 years, or should they be assumed to have come to terms with this as part of the reasonable expectations? And how does any of this balance with the controller’s interest?

Preventing fraud, ensuring network security, reporting criminal acts and performing administrative tasks such as transmitting employee data are all explicitly defined as legitimate interests. There is also a callout that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Direct marketing is likely limited only to mail or email, and cookie- or ID-based digital marketing would not be included.

The most relevant guidance on legitimate interest was issued from outside the GDPR. In 2014, the Article 29 Data Protection Working Party issued an opinion noting that a data controller may indeed have a legitimate interest in understanding customer preferences in order to better target products and services to meet their needs. Yet the opinion also states that profiling a user based on their overall activity is such a significant intrusion of their privacy that the potentially legitimate interest would be overridden.

More broadly, the opinion clarifies that the more sensitive the data, the more it balances in favor of the user, with the test being made generally against an average individual. But technical safeguards that enhance privacy or anonymity may tip the balance in favor of the controller.

While this adds color to the GDPR, it is not clear what is actually permitted.

Can you store cross-domain cookie IDs? Can you track a user’s clicks or ad impressions for different advertisers? Can you create a likelihood for receptiveness to a given brand based on past performance? Can you keep track of how long a cookie has been in place for a user? Probably, but a question with such an existential impact on so many companies should be answered definitively – as opposed to everyone hoping that someone else will be the example made.

Further confounding this issue is the question of enforcement.

The data protection agency (DPA) in the various EU member countries collaborated on the Article 29 Working Party guidance. The DPA in each country is the entity charged with enforcing the legislation when it goes into force.

That said, these are not homogeneous entities – each DPA is run within national boundaries by the officials who constitute that agency in its country. The norms of those officials change by country, meaning not only is the legislation itself unclear but enforcement is not guaranteed to be consistent. One may assume, for example, that the balance of reasonable user expectations versus the legitimate interests of the data controller in Germany – a nation known for its strict privacy views – would differ from that of the UK.

It is probably not the European regulators’ goal for the web to be either unusable through a slew of consent popups or non-monetizable by destroying overnight the programmatic and data ecosystems responsible for most monetization.

Yet the GDPR was drafted for a reason. Certainly, companies that rely purely on the bid stream or similar mechanisms to create profiles will need to refine their models. And perhaps the GDPR was designed explicitly to prevent Google and Facebook from continuing this behavior and thus limit their dominance.

It is dubious that the GDPR will be effective in this regard given that Google will continue to be where users search and Facebook will continue to be where they spend time. Both, however, will see their ability to track users via profiling diminished – Google via analytics, AdSense and other profiling, and Facebook via tracking users through Like buttons across the web.

Beyond that, however, can other types of companies effectively continue business as usual through the legitimate interest “loophole” – perhaps by adding some nominal technical anonymization and complying with provisions for opt-out or DPO? It is the question that Europe’s publishing ecosystem depends on, but it has no clear answer and may not be enforced consistently.

Follow Eric Berry (@ezberry), TripleLift (@triplelifthq) and AdExchanger (@adexchanger) on Twitter.
