The IAB Europe Guide to Cookies: Privacy Promises Should Do More Than Crumble

The IAB Europe recently published a guide called ‘Guide to the Post Third-Party Cookie Era’ in an effort to help the AdTech industry begin to find a way forward through this complicated path. The organisation noted that the problem they are facing is huge, as the removal of third-party cookies from Chrome is the “single biggest change to the digital advertising ecosystem since the introduction of real-time bidding in 2009.”

The focus of the IAB Europe report is on potential solutions. However, nearly all of them side-step the real underlying issue, which is the current way that the AdTech industry is structured. It is widely believed that personalisation requires surveillance of individuals’ personal data. The undeniable fact is that any approach to personalisation that relies on surveillance will, like the status quo, run afoul of the GDPR. Fortunately, recent technological innovations mean that privacy-respectful personalisation can now be achieved without relying on surveillance.

A superior approach has been hiding in plain sight. By embracing the true GDPR definitional requirements of Pseudonymisation, the AdTech industry can achieve personalisation without surveillance, in a way that is transparent and accountable. In the current social and regulatory environment, making promises about privacy will not be enough. Real change, openness, and demonstrable controls are required for the AdTech industry to move forward in this post-third-party cookie world.

IAB Europe Guide Proposals
The IAB Europe Guide highlights numerous challenges facing the AdTech industry, with major changes in the legal and regulatory environment, along with the sunsetting of third-party cookies, among the most pressing. The GDPR and the ePrivacy Directive include stricter requirements around consent. This means that the processing of personal data for omni-channel tracking and targeting of individual customers is rapidly becoming more difficult, despite consumer expectations for personalisation continuing to expand.

The Guide also proposes a number of potential solutions to these problems, including CRM and explicit consent-based systems, as well as some solutions based on first-party cookies. In each instance, surveillance remains a central premise for the AdTech ecosystem. Advertisements work by associating an individual (through the use of Ad-IDs, Cookies, UUIDs, GUIDs, etc.) to a detailed profile representing behaviours or characteristics that are of interest to advertisers.

The new reality is that any approach to replace third-party cookies that is predicated on continuing surveillance will continue to fail in the eyes of the regulators. It will be deemed automated decision making or “profiling, which produces legal effects concerning [the data subject] or similarly significantly affects [the data subject]” under GDPR Article 22. This classification has major implications when it comes to the requirements of the GDPR, as this kind of profiling is only permissible when explicit consent is given by the data subject. The GDPR requirements for explicit consent, however, are rather complex.

The IAB correctly notes that under the GDPR regulations “for cookies to be stored and accessed, consent must be freely given, specific, informed, withdrawable and unambiguous.” The issue is that the sophisticated algorithms underlying RTB cannot be described with sufficient detail at the time of initial data collection to be specific, whilst also being sufficiently understood by consumers in order to claim they are informed. Additionally, informed consent requires that all data controllers must be identified by name at the time of initial data collection. With data sharing in the RTB system spanning many hundreds of parties, this is manifestly impossible. Any approaches that try to salvage the status quo via consent will fail before they even get off the ground.

The IAB identifies some parts of the way forward, but stops short of the complete solution. The guide notes that “Rather than trying to replicate or find a ‘work around’ for third-party cookies, it’s critical for advertisers and publishers to gain maximum value from first party data derived from direct to consumer touch points.” This is on the right track, but incomplete. First-party data, when combined with protection using GDPR-compliant Pseudonymisation, can help resolve the problem in AdTech.

 

The 5th Cookie Approach Doesn’t Fall Apart
The 5th Cookie model noted by the IAB in their report proposes an innovative approach to solving the central challenge facing AdTech by:

  1. Enabling personalisation that is not reliant on surveillance.
  2. Separating access to services from consent to data collection.

 

No More Surveillance in AdTech
On the first point, the 5th Cookie approach enforces centralised data enrichment and re-identification controls that enable decentralised data processing. This supports the use of non-consent legal bases (such as legitimate interests) because the processing does not “produce legal or similarly significant effects” prohibited under Article 22 of the GDPR.

This approach is possible because the 5th Cookie model places data subjects into “microsegments”, collections of individuals that are small enough to accurately represent characteristics or behaviour that advertisers want to target, but not so small that any individual data subject can be identified or surveilled. Through the use of GDPR-compliant Pseudonymisation and the creation of privacy-respectful subsets of original data, the identity of data subjects is separated from what they represent to an advertiser.

When the advertiser wants to contact individuals in a particular microsegment to deliver an advertising campaign, they can only do so through the use of data stewards. These data stewards have obtained personal data from consumers using compliant consent and notice processes. The data steward can then enforce appropriate policies as evidence of demonstrable accountability, and the data subject can also notify them if they want to opt out of receiving personalised ads at any time. This technologically-enforced, privacy-respectful process embodies the principles of data protection by design and by default. It also removes the uncontrolled, ecosystem-wide surveillance of individuals from the AdTech ecosystem.
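The separation described above can be sketched in code. This is an added illustration, not code from the IAB guide or from the 5th Cookie model itself: the `DataSteward` class, the HMAC-based pseudonyms, the minimum segment size `K_MIN` and the sample users are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

K_MIN = 3  # assumed minimum microsegment size; the article gives no figure


class DataSteward:
    """Holds the key, identities and contact details; advertisers get none of them."""

    def __init__(self, key: bytes):
        self._key = key
        self._contact = {}                 # pseudonym -> contact address
        self._segments = defaultdict(set)  # trait tuple -> set of pseudonyms
        self._opted_out = set()
        self.outbox = []                   # (contact, ad) pairs the steward sent

    def _pseudonym(self, user_id: str) -> str:
        # Keyed hash: without the steward's key the token cannot be recomputed
        return hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()

    def enrol(self, user_id: str, contact: str, traits: list) -> None:
        token = self._pseudonym(user_id)
        self._contact[token] = contact
        self._segments[tuple(sorted(traits))].add(token)

    def opt_out(self, user_id: str) -> None:
        self._opted_out.add(self._pseudonym(user_id))

    def _active(self, segment: tuple) -> set:
        return self._segments.get(segment, set()) - self._opted_out

    def catalogue(self) -> dict:
        """Advertiser view: segment labels and sizes only, small segments suppressed."""
        sizes = {seg: len(self._active(seg)) for seg in self._segments}
        return {seg: n for seg, n in sizes.items() if n >= K_MIN}

    def deliver(self, segment: tuple, ad: str) -> int:
        """Steward performs delivery; the advertiser learns only how many ads went out."""
        members = self._active(segment)
        if len(members) < K_MIN:
            raise PermissionError("segment below minimum size")
        self.outbox.extend((self._contact[t], ad) for t in sorted(members))
        return len(members)


def build_demo() -> DataSteward:
    steward = DataSteward(key=b"constructed-demo-key")  # constructed sample data
    for i in range(4):
        steward.enrol(f"user{i}", f"user{i}@example.test", ["london", "cycling"])
    for i in range(4, 6):
        steward.enrol(f"user{i}", f"user{i}@example.test", ["sailing"])
    return steward
```

Opt-outs shrink a segment, so a cohort that falls below `K_MIN` disappears from the catalogue and can no longer be targeted. Size suppression on its own does not stop an observer from comparing overlapping segments, which is why the re-identification key and delivery stay with the steward.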

Separating Services from Data Collection and Processing
Although the IAB does not note this in their report, the EDPB’s recent guidance on consent sets out that access to services must now be uncoupled from consent to data collection. When it comes to cookies, freely-informed and specific consent means that cookie walls (and bundling access to services with consent to cookies) are no longer permitted. The EDPB has explicitly stated that consent for each different purpose must be separate, and access to services cannot be contingent on consent to tracking cookies:

“In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”

The 5th Cookie approach, which is based on GDPR-compliant Pseudonymisation, solves this problem too. It contemplates the intentional unbundling of a user’s consent to personalised advertisements and the attendant data collection and processing, from other consents that allow the user access to the site – i.e. access to services isn’t contingent on agreement to personalisation.

With the use of the 5th Cookie model, AdTech industry players can continue to leverage first party cookies, and use unbundled and transparent consent to deliver personalisation without surveillance. The transparency and accountability built into the model will build consumer trust that ultimately benefits brands as well.

New Heights of Cookie Awareness
The retirement of third-party cookies looms rapidly on the horizon. Despite a heightened public awareness of data protection and privacy rights, consumers are not walking away from their expectations for personalised experiences. A new model is needed, one that decouples surveillance from personalisation, and that separates consent to a service from consent to use data. Fortunately, using the 5th Cookie approach, those in the AdTech industry can continue to discover information about individual consumers, without needing to know who those consumers are. The way forward is a collaborative, transparent, and fine-grained microsegmentation approach using pseudonymised and technologically-protected cohorts of consumers.

 

By Magali Feys, Chief Strategist, Ethical Data Use, Anonos

