Consent management platforms may violate GDPR
Brands, publishers and platforms may be violating GDPR because consent management platforms (CMPs) cannot provide informed consent in a programmatic world (AdExchanger).
Key info:
- CMPs use popups asking users to "accept" or "deny" cookies, for data sharing with other parties in the chain
- The problem: "A general consent, without specifying the exact purpose of the treatment, is not acceptable." - EU advisory board
- That applies even if a manage consent list provides a detailed breakdown
- France's data regulation authority has passed rules that suggest ad platforms cannot use data where they have not collected consent themselves, potentially hamstringing RTB
- "It is technically impossible for the user to have prior information about every data controller in a real-time bidding (RTB) scenario ... this would seem, at least prima facie, to be incompatible with consent under GDPR." – IAB spokesperson
- CMPs also failing GDPR stipulations on enabling users to update data and withdraw consent
Danger. The entire real-time bidding (RTB) and programmatic advertising supply chain is fundamentally challenged the way GDPR is currently playing out. The fact the IAB has said it's "technically impossible" to deliver user consent the way the EU wants it spells trouble. Sooner or later, GDPR will see regulators dishing out big fines – or making marketing businesses delete their data.
So far, Google has taken the biggest hit for digital advertising and data processing consent, with French regulators – the same authorities now apparently threatening the existence of RTB – stating the consent Google gathers for ad personalisation is not valid.
That should set alarm bells ringing for everyone else.
The definition of consent is a huge concern for everybody involved in the digital supply chain. These days, that is pretty much every business, but particularly to data-driven marketers and the parties with whom they transact.
If the threat of big fines is not sufficient, how about being forced to delete all your data?
The UK tax authority, HM Revenue and Customs, has just canned 5 million taxpayer voice records because it did not gain explicit consent to use voice recordings for identification.
"Innovative digital services help make our lives easier but it must not be at the expense of people's fundamental right to privacy," said the UK’s data regulator, the Information Commissioner’s Office.
The IAB has its work cut out.