Sign up to save your podcasts
Or
Share LW - Can Ads be GDPR Compliant? by jefftk
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
LW - Can Ads be GDPR Compliant? by jefftk
Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Can Ads be GDPR Compliant?, published by jefftk on January 8, 2023 on LessWrong.
I think the online ads ecosystem is most likely illegal in Europe, and as more decisions come out it will become clear that it can't be reworked to be within the bounds of the GDPR. This is a strong claim, but before I get into backing it up here's some background on me:
I'm not a lawyer or an expert in privacy regulation; this is something I follow because I'm interested in it.
I worked in ads until, but I'm speaking only for myself. I don't expect to go back into the industry.
June 2022
So, how are sites not compliant?
When you visit a site in Europe, or an international site as a
European, you'll typically see a prompt like this:
In this screenshot El País is asking for permission to use cookies and use your data to personalize ads.
Why are they asking you? A combination of two regulations:
The ePrivacy
Directive (2002) which requires the site to get your consent before using cookies or other storage on your device unless they're
strictly necessary to provide a service you requested.
The GDPR (2016) which tightly limits what companies can do with your data without your consent.
The idea is, if you click "accept" then they can say they had your consent for all the advertising stuff they do. But I think it's very unlikely this is compliant with the GDPR.
For example, in a recent case France's data privacy regulator CNIL recently fined
Microsoft €60M (full text) for a similar popup on Bing. I'm going to come back to this decision later because it has other implications, but in paragraph 65 the CNIL ruled that their cookie banner was not collecting valid consent because it took more clicks to refuse cookies than to accept them.
The principle here is that for consent to be valid under the GDPR it needs to be just as easy to give consent as it is to refuse it.
This is not widely respected today, since for most companies it's going to be much more profitable to put up a not-really-legal banner that heavily pushes users towards saying yes and hope they don't get in trouble, but as the data protection agencies continue their enforcement I think this will become less practical.
Another approach you see on a few sites is the one that Der Spiegel takes:
They offer a choice between accepting their standard ad stuff or paying to subscribe to the site (more details). I'm glad they're giving users the choice here and I think this should be legal, but I'm pretty sure it isn't right now. The problem is that the user's consent isn't "freely given" in terms of the GDPR's Article
4(11) if they would otherwise have to pay for access.
The third option is to have a cookie banner that is as easy to reject as it is to accept:
When I click "deny" and visit their site, they show a popup saying
"Lower quality ads may be displayed." This includes (definitely low quality...) ads from Outbrain, with many network requests to outbrain.com and
outbrainimg.com:
The problem is, per the Schrems
II ruling these are also not GDPR-compliant. Because US companies are required to share information with the US government and IP addresses are personal information, the GDPR requires sites to get consent from users before sending any of their information to American companies or their subsidiaries. European courts have applied this ruling to fine sites for using Google
Analytics, Google
Fonts, and the Akamai
CDN. Since Outbrain is an American company, based in NYC, this is not compliant.
Schrems II compliance rules out all commercially available adtech options I know about, and the only fully GDPR-compliant sites I've seen are ones where clicking "reject" means you don't get any ads at all.
As a somewhat speculative aside, I think there's another problem with these consent popups: when you visit the site they read your cookies. Pe...
View all episodes
By The Nonlinear Fund
4.6
88 ratings
Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Can Ads be GDPR Compliant?, published by jefftk on January 8, 2023 on LessWrong.
I think the online ads ecosystem is most likely illegal in Europe, and as more decisions come out it will become clear that it can't be reworked to be within the bounds of the GDPR. This is a strong claim, but before I get into backing it up here's some background on me:
I'm not a lawyer or an expert in privacy regulation; this is something I follow because I'm interested in it.
I worked in ads until, but I'm speaking only for myself. I don't expect to go back into the industry.
June 2022
So, how are sites not compliant?
When you visit a site in Europe, or an international site as a
European, you'll typically see a prompt like this:
In this screenshot El País is asking for permission to use cookies and use your data to personalize ads.
Why are they asking you? A combination of two regulations:
The ePrivacy
Directive (2002) which requires the site to get your consent before using cookies or other storage on your device unless they're
strictly necessary to provide a service you requested.
The GDPR (2016) which tightly limits what companies can do with your data without your consent.
The idea is, if you click "accept" then they can say they had your consent for all the advertising stuff they do. But I think it's very unlikely this is compliant with the GDPR.
For example, in a recent case France's data privacy regulator CNIL recently fined
Microsoft €60M (full text) for a similar popup on Bing. I'm going to come back to this decision later because it has other implications, but in paragraph 65 the CNIL ruled that their cookie banner was not collecting valid consent because it took more clicks to refuse cookies than to accept them.
The principle here is that for consent to be valid under the GDPR it needs to be just as easy to give consent as it is to refuse it.
This is not widely respected today, since for most companies it's going to be much more profitable to put up a not-really-legal banner that heavily pushes users towards saying yes and hope they don't get in trouble, but as the data protection agencies continue their enforcement I think this will become less practical.
Another approach you see on a few sites is the one that Der Spiegel takes:
They offer a choice between accepting their standard ad stuff or paying to subscribe to the site (more details). I'm glad they're giving users the choice here and I think this should be legal, but I'm pretty sure it isn't right now. The problem is that the user's consent isn't "freely given" in terms of the GDPR's Article
4(11) if they would otherwise have to pay for access.
The third option is to have a cookie banner that is as easy to reject as it is to accept:
When I click "deny" and visit their site, they show a popup saying
"Lower quality ads may be displayed." This includes (definitely low quality...) ads from Outbrain, with many network requests to outbrain.com and
outbrainimg.com:
The problem is, per the Schrems
II ruling these are also not GDPR-compliant. Because US companies are required to share information with the US government and IP addresses are personal information, the GDPR requires sites to get consent from users before sending any of their information to American companies or their subsidiaries. European courts have applied this ruling to fine sites for using Google
Analytics, Google
Fonts, and the Akamai
CDN. Since Outbrain is an American company, based in NYC, this is not compliant.
Schrems II compliance rules out all commercially available adtech options I know about, and the only fully GDPR-compliant sites I've seen are ones where clicking "reject" means you don't get any ads at all.
As a somewhat speculative aside, I think there's another problem with these consent popups: when you visit the site they read your cookies. Pe...