Choice architecture. Nudging. Manipulation. Whatever you call it, asking users to consent to tracking cookies that can be used for targeted advertising is far from straightforward. On 2 February 2022, the Belgian Data Protection Authority issued a momentous ruling that could make them a thing of the past. Tech journalist Jennifer Baker speaks to renowned privacy guru Pat Walshe about the ruling and the wider implications.
Let’s start with the basics. Cookies are not just delicious snacks, they are also small, micro-sized pieces of software that can be installed on a user’s device to tell a website certain things. That could be what you have put into your shopping basket or what address your purchases should be delivered to – essential cookies – or it could be other personal information about you, your preferences and the sites you visit – tracking cookies.
Under EU law, website operators can only place these cookies if they have “legitimate interest” to collect personal information or if the user has consented.
To help website publishers gather that consent, the Interactive Advertising Bureau Europe (IAB) established the Transparency & Consent Framework (TCF), and it has been in widespread use in the digital advertising industry. However in it’s landmark decision, the Belgian Data Protection Authority (DPA) found its application to be unlawful.
The knock-on effect of this could be enormous and have a huge impact on the majority of players in the online adtech ecosystem.
“I think it's quite monumental,” said Pat Walshe. “I think the Belgian data protection authority should be congratulated for such an in-depth and detailed analysis – 127 pages!” Walshe is an independent consultant and founder of the advocacy organization Privacy Matters. His research has revealed the so-called “dark patterns” used by many internet service providers to get users to consent to the collection of their personal data (see this 2019 report on the practices of Amazon, Netflix and Spotify for the Trans Atlantic Consumer Dialogue and the Heinrich-Böll-Stiftung).
“This data vampire-infested process has never been lawful”
“I think it is momentous because it's saying what a lot of us have said for many, many years that actually this whole process – this data vampire-infested process – has never been lawful. For example, I looked at Wired – the Condé Nast publication – and, my goodness, you could have a computer science degree or a law degree, and you'd still struggle to understand what was being asked of you. It was just dark patterns again,” said Walshe, explaining that he found 1300 ad server and tracking requests from companies that want to advertise to users based on their personal preferences. “I mean, how on earth is an ordinary individual supposed to understand this?”
The system to deliver much of online advertising is called real-time bidding (RTB). RTB allows would-be advertisers to bid for a predetermined advertising space, such as a banner advert on a website or a splash screen in an app, in real-time.
“Real-time bidding is a very complex ecosystem,” explained Walshe. “And I think the Belgian DPA ruling clarifies very well the different parties involved. In a nutshell, real time bidding is a system that knows certain things about you – it can be just demographic, that you're female, between a particular age, that you're online right now – and it asks thousands of entities out there, would you like the opportunity to present an advert? Then it would be down to the highest bidder, essentially, you're in an auction. And that involves passing quite detailed information between multiple parties. I think the Belgian decision on that was very good in identifying the unlawfulness of that, because a lot of that allegedly relied on consent. And how on earth could you consent?”
But is it possible to do real-time bidding in a privacy respecting way? Walshe thinks not: “I do not believe it is. Can you imagine any person that says, "sure, place me in an auction and let me be subject to the highest bidder based on all of this information?" I can't imagine anybody ever saying that.”
“People worry about what these things mean,” he continued. “And some people end up just pressing OK because they can't understand anything. So I'm sorry if any of those parties think they've got consent, they haven't and they haven't got a legal basis or a legitimate interest.”
But why did it take the Belgian DPA to smash open a global problem, asked Walshe. Plenty of other data protection authorities across the EU could have done so. It’s possible – though unlikely – they were waiting for the proposed Digital Services Act (DSA) to become law. The proposed legislation could greatly restrict behavioural advertising as it aims to tackle harmful content online and make platforms accountable for algorithmic distribution. The Belgian DPA decision was based on the General Data Protection Regulation (GDPR).
U.S. House Democrats propose bill to ban targeted ads
The U.S. too is concerned about the practice. In late January, Democratic lawmakers in the U.S. House of Representatives introduced the Banning Surveillance Advertising Act (BSAA), which would outright prohibit advertisers from targeting ads to consumers with a few exceptions, including contextual targeting or broad-based geotargeting.
Naturally, the adtech industry is not impressed. “This terrible bill would disenfranchise businesses that advertise on the Internet,” said IAB CEO David Cohen in a statement.
But Walshe thinks we need to look for alternative models. “I don't believe advertising funds the web, I think it's an important element, but it doesn't fund the web. And I don't think the web or online media will die without advertising,” he said. “I'm not against advertising at all, but I am against behaviourally based advertising. That happens on a basis where people simply cannot understand or be aware of everything that is happening. So I'm hoping the Transparency and Consent Framework will fall.”
Walshe is not alone in hoping for this. Because the content being served to people might not simply be adverts for everyday products, but scams or disinformation or other harmful content.
Jeff Chester, Executive Directorof the U.S.-based Center for Digital Democracy, sounded the alarm in a blogpost: “We should not allow powerful commercial interests to determine the evolving structure of our online lives. The digital data industry has no serious track record of protecting the public. Indeed, it was the failure of regulators to rein in this industry over the years that led to the current crisis – the growth of hate speech, the explosion of disinformation, and the highly concentrated control over online communications and commerce.”
The Belgian DPA fined the IAB (which is appealing the decision) just €250,000, but regardless of the eventual outcome of the case, it is a clear indicator of which way the wind is blowing.
The interview was held on 23 February.