Browsing the internet has never really been free. Each time you visit a website, a silent auction for your eyeballs is conducted to show you an ad that effectively makes you pay with your personal information. Location, birthday, browsing data and more are broadcast to hundreds of vendors within a millisecond. The practice has flourished even in Europe, which has the world’s strictest privacy laws.
The reason: Internet users here click a special “consent†button on most sites; they’re everywhere and slightly annoying in a system designed two years ago by an ad association based in Brussels to help advertisers comply with Europe’s privacy laws. Now Belgium’s data protection authority, together with 27 European Union agencies, has officially ruled the tactic illegal. The data these buttons helped collect should also be deleted.
That is great news for privacy campaigners, assuming the decision is upheld in court upon the probable challenge by the ad group. It could spell an eventual end to companies sharing your personal data in these creepy auctions, or at least sharing less of it. But it also poses a brand new dilemma for advertisers already scrambling to deal with privacy changes from Apple Inc, and others in the pipeline from Alphabet Inc’s Google.
Privacy advocates have argued for years that consent buttons give a pretense of legality to what is, effectively, a gateway to surveillance advertising. So-called real-time bidding for our personal data makes up most of Europe’s 64 billion-euro ($73 billion) ad market, according to the European arm of the Interactive Advertising Bureau, the trade body that made the consent tool.
Here’s an example of how the tool works: visit the main website for Formula 1 racing and you’ll see a pop-up with the title “Your choices regarding cookies on this site,†with some stark information about how F1 processes your personal data for ad targeting. You can choose to accept or manage your settings, and doing the latter brings up a long list of obscure companies with names like Yieldlove GmbH and Wizaly, who bid to show you ads based on a broadcast of your personal data.
Want to stop all that? You can click on a series of buttons to block them, but it’s time consuming and very confusing. That was part of the problem, according to the Belgians, who took up the case because IAB Europe is based there. An ad-tech company’s “legitimate†interest in profiling a person for an ad was outweighed by that person’s fundamental rights and freedom from having their data shared in online auctions.
Regulators had long complained that the consent buttons broke Europe’s General Data Protection Regulation law, but now there’s an official ruling. It paves the way for lawsuits against advertising companies who continue to use it, as well as more targeted enforcement by regulators. Activists have come straight out of the gate. The Irish Council for Civil Liberties and the Electronic Privacy Information Center in Washington, two non-profit privacy groups, on Thursday demanded in an open letter to several of the world’s biggest advertisers, including Unilever Plc and Procter & Gamble Co, that they delete all personal data collected using the consent tool. Unilever declined to comment. P&G didn’t respond to a request for comment.
“The problem is the system throws personal data around to a large numbers of companies,†says Johnny Ryan, a director with the Irish Council for Civil Liberties who co-filed the original complaint against the system.
—Bloomberg