France’s data protection regulator is going public with its action plan – and targeted online advertising is to be a “priority topic.”
The Commission nationale de l’informatique et des libertés (CNIL) shared its 2019-2020 agenda in response to appeals from the public, privacy advocates and online marketing professionals looking for guidance on how to comply with the General Data Protection Regulation (GDPR).
Even more than a year out from the GDPR’s enforcement date, compliance remains a moving target.
The ePrivacy Regulation, which will eventually introduce new rules on the use of cookies, is still being debated by EU legislators. But when it’s ready, parts of the ePrivacy regs will take precedence over certain provisions in the GDPR, and that’s leaving the ad industry on shaky ground. For now, all they’ve got to go by are outdated guidelines based on the now-obsolete ePrivacy Directive.
AdExchanger previously reported on the CNIL’s plan to give publishers roughly a year to keep using outmoded scroll-based cookie notices while the agency works to update its cookie guidelines to match the spirit of GDPR, rather than waiting for the ePrivacy Regulation to replace the Directive (whenever the heck that’ll be).
The CNIL will meet with advertisers, ad tech intermediaries and publishers to brainstorm the details over the coming months, and looks to publish its recommendations for public comment by the end of the year or early 2020 at the latest.
The reprieve is an acknowledgement that companies need clearer instructions on how to comply.
But despite taking mercy on pubs and the ad tech companies who love to pixel them, the CNIL said it will continue to investigate complaints during the grace period and, if called for, conduct inspections to make sure that cookies aren’t being dropped before consent is collected. Companies will also be expected to comply with any obligations under GDPR that aren’t in flux, including those related to data security and giving consumers the ability to easily withdraw consent.
The CNIL’s intentions are in line with those of its counterpart in the United Kingdom, the Information Commissioner’s Office (ICO), which will start investigating the implications of real-time bidding (RTB) in July.
To date, at least seven complaints contending that RTB is illegal under GDPR have been brought in jurisdictions across Europe, including in the United Kingdom.
In mid-June, the ICO issued a disparaging report on the practice of real-time bidding, noting that the “ad tech industry appears immature in its understanding of data protection requirements.”
It added that the IAB Europe’s Transparency and Consent Framework is “insufficient” under GDPR. But, like the CNIL, the ICO isn’t going to war with ad tech right now.
The ICO is planning to schedule meetings of its own with key stakeholders to gather more information, and it might undertake an industry review in six months, depending on what it finds.
Even so, the ad tech industry would do well not to turn a blind eye to these rumblings. It’s not paranoia if they’re really out to get you.
“We expect data controllers in the ad tech industry to reevaluate their approach to privacy notices, use of personal data and the lawful bases they apply within the RTB ecosystem,” the ICO warned.
The CNIL did not respond in time for publication.