It’s Better To Ask For Permission Than Forgiveness (In Europe And In General)

Asking for permission isn’t just polite; it’s legally required.

European regulators are losing their patience with companies that attempt to use legitimate interest as their legal basis for processing personal data.

Under GDPR, legitimate interest allows companies, in certain cases, to process personal data without consent so long as it’s collected legally and there’s a justifiable reason for its use.

You can talk about the “value exchange” of personalized advertising until you’re blue in the face, but targeting people with ads ain’t one of those cases.

Meta is learning this the hard way.

Not too legit

Until earlier this year, Meta relied on a provision under GDPR called “contractual necessity” as its legal basis for data processing.

Users were previously required to agree to ad tracking as part of Meta’s terms of service, effectively forcing anyone who wanted to use one of its apps to accept tracking by default. (It’s not possible to use any of Meta’s apps without first agreeing to terms and conditions.)

Ireland’s data protection authority, which is considered business friendly, initially gave its blessing to this approach. But the Irish reversed course in January after the European Data Protection Board (EDPB) ruled that bundling consent for tracking into terms of service is illegal under GDPR. The EDPB also fined Meta roughly $414 million.

Considering that Meta generated $31.5 billion in advertising revenue last quarter, $414 million is a rounding error for them.

But the implications of the EDPB’s ruling are far more significant than the fine.

When contractual necessity went out the window, Meta changed its legal basis for personalized advertising to legitimate interest and created an unwieldy online form that people could use to opt out of targeted ads.

That didn’t cut the mustard either. In early July, the Court of Justice – the EU’s highest court – ruled that legitimate interest isn’t an appropriate legal basis in this case.

The upshot: Meta needs consent if it wants to process data for personalized advertising in Europe.

Permission … please?

The Wall Street Journal reported earlier this week that Meta does plan to start getting permission from users in the EU before showing targeted ads on Facebook and Instagram.

It’s a huge development with major implications for all businesses, not just Meta.

“US-based companies – whether we’re talking about publishers, platforms or advertisers – must pay attention to consent,” said Cillian Kieran, CEO and co-founder of privacy compliance startup Ethyca. “They’d do well to implement reliable, auditable consent records with a positive end-user experience to show that they’re keeping up with growing regulatory demands.”

Emphasis on the “positive user experience.”

Consent under GDPR must be unambiguous, freely given, specific and informed. In other words, attempting to hide consent requests within a dark design pattern isn’t a legal way forward.

And so the $414 million-dollar question – actually, make that the $7.268 billion-dollar question (that’s how much ad revenue Meta generated in Europe in Q2 alone) – is: How can companies ask for ad tracking consent in a manner whereby people will actually say yes?

“We’ve seen many users become more sensitive to how their data is being used, with increasing awareness of how they can manage their privacy choices,” said Rachael Ormiston, head of privacy at compliance platform Osano. “It’s hard to predict, but I would imagine it’s a very real possibility that Meta will see poor opt-in rates.”

People need a reason to opt in. And it’s difficult to imagine anyone doing so, Kieran said, “unless it’s imperative to the product experience.”

We’ll have to wait and see whether Meta eventually shares its opt-in rate once it starts asking for tracking consent. In the meantime, Meta’s long road to permission (and perdition?) is “proof that regulations do have teeth,” Kieran said.

“While the wheels of the justice system turn slowly, they do turn,” he said. “In three to five years, I expect that data processing will be a highly regulated industry – and that will simply be the cost of doing business.”

Thanks for reading! Let me know what you think. Drop me a line at [email protected]. And if you want to see how the sausage is made, here’s some live footage of me producing this newsletter.
