Consent crunch for Australian brands, retailers, banks as IAB Europe’s GDPR fail looms large over privacy overhaul
Brands, publishers and the ad supply chain have been warned that collecting data on customers is about to get much harder after IAB Europe’s cookie consent pop-up was ruled unlawful, throwing a hand grenade of uncertainty into the global ad tech supply chain. Now Australia is bracing for its own privacy overhaul to go even harder than GDPR – and consent is the key battleground in determining how digital advertising will function, and the personal identifiers that brands, agencies and publishers are allowed to use to target audiences. And regardless of the Federal election outcome, due by May, industry figures say the Federal Attorney General department is set on proceeding with its review of the Privacy Act.
What you need to know:
- Australian advertisers and publishers face increasing consent requirements to use personal data under new privacy laws.
- A decision last week by a regulator in Belgium that ruled IAB Europe’s consent pop up system was illegal highlights how hard it is to get right.
- Australian industry groups say while consent is set to be a key feature of privacy laws, it must be clear yet technology agnostic to survive the test of time and new tech advances.
- Dr Johnny Ryan from the Irish Council for Civil Liberties, who brought the case against IAB Europe, says there is no way real-time bidding can be legal under GDPR.
Publishers, banks, retailers and other businesses in Australia face strict, granular and enforced consent rules to collect data on consumers following an overhaul of privacy laws, highlighted by a major decision in Europe that a widely used cookie consent pop up was not transparent enough.
Australian experts say a ruling by a General Data Protection Regulation (GDPR) agency in Belgium that a consent pop-up system designed by IAB Europe was in breach is a lesson for local lawmakers to be clear and avoid “loosey goosey” language.
Thousands of businesses and ad tech firms in Europe have for years used the local IAB’s Transparency & Consent Framework (TCF), a set of standards that outlined what to tell users and how to collect their data for advertising purposes. But the Belgian agency found the pop ups were “too generic and vague” to explain how far and wide user data was shared.
While the impact of the decision on Australian businesses dealing with Europe is unclear, Australia is currently reviewing its own privacy laws, and GDPR has long been held up as a “gold standard”.
But the decision underscores the difficulty in balancing the privacy needs of the public with the signals advertisers and ad tech players have grown used to harvesting to target ads. There are many views on what marketers, publishers and agencies should do after the deprecation of cookies.
Consent is looming as the next mountain for publishers and brands to climb.
Mount Consent
The GDPR decision brings to the fore one word for Chris Brinkworth, director at data compliance advisory Civic Data: Enforcement.
“The 'enforcement' of consent is the key future-state that any business needs to be focused on and then work backward from there when trying to understand how data can be used,” Brinkworth says.
The decision in Europe doesn’t make asking for consent illegal – quite the opposite, he adds. The ruling specifically relates to the consent framework offered by IAB Europe. It’s a distinction IAB Europe was also keen to make, warning it may have to instruct the industry to write bigger, wordier and more overt pop ups.
“If anything, the [Belgian DPA] appears to require the disclosure of additional information in consent popups,” IAB Europe said in a document released after the decision.
This is “an opportunity rather than a threat,” Brinkworth says he tells clients. A chance for brands to build trust with those who want a relationship, rather than a spray and pray approach.
"The industry passes data up and down the data supply chain to each other. It is a critical function," Sarla Fernando from the Association for Data-driven Marketing and Advertising (ADMA), says.
"To date, TCF was seen as being [one of] the good options available to enable the modern AdTech system to continue to operate in a consent based [opt in] framework without points of friction. There was a sense of security in assuming that it was GDPR compliant. The Belgium DPA’s decision shows that this assumption has clearly been challenged."
But consent remains a serious challenge for any company looking to collect data on its audience, customers or viewers.
“This case does suggest that when the law says you need to gain a person’s consent for an activity, you will need to be very careful to ensure that that consent is voluntary, specific and informed,” Anna Johnston, Principal at Salinger Privacy, says.
“Which is very challenging in the context of any digital environment where you have limited real estate to communicate with your customers, and they have expectations about a frictionless user experience.”
Controller/Processor
The IAB Europe-GDPR decision hinged on an element of law that Australia does not currently have – but is considering: The data controller/data processor distinction. A controller decides how and why data is processed, and the processor does the actual processing. One example is a small business, the controller, asking a printing company, the processor, to produce invitations for an event.
The GDPR decision was made in a “very EU specific way” that found IAB Europe to be a controller because it developed the TCF for the industry, Peter Leonard, a lawyer and director at consultancy firm Data Synergies, says.
“The moral of this story: in Europe, be careful about writing rules that others follow, even if you do not coerce those others to follow them, or require them to follow them, or operate the playing field where they play the game for which you wrote the rules,” he says.
“I’m sure others will say that this decision shows why Australia should not introduce a controller-processor distinction … I’m seeing quite a groundswell in advocacy for a controller-processor distinction out there - myself included - but properly defined and confined, not written loosey goosey EU GDPR style.”
Australian privacy laws
Locally, Australia is understood to be forging ahead with reform of privacy laws that, first introduced in 1988 and amended several times, have not kept up with changes in technology (Australia joined the global internet in 1989). The IAB Australia has urged the government not to go too far in its review, warning current proposals could cripple audience segmentation, analytics and measurement. Consent is set to be a key part of the reform, as is how to define data that identifies an individual. And GDPR has been seen as a benchmark for the global data industry.
“I think that’s fair to say that GDPR sets the pace because the rules for what constitutes a valid consent are written into the letter of the law in the GDPR,” Anna Johnston, principal of Salinger Privacy, says.
While Australian consent laws are similar, they have so far been set by case law and guidance from the regulator. “That is likely to change soon,” Johnston says.
Gai Le Roy is the CEO of the IAB Australia and says the Belgian GDPR decision should not alarm the local industry.
“We can learn from the negative consequences that other jurisdictions have experienced to ensure we don’t make the same mistakes,” she says.
“It’s a matter of working through the issues and ensuring advertising practices comply with legal requirements and consumer expectations.”
ADMA's Fernando says the organisation would caution against any systems like TCF that centralise trust and control in a way that's not transparent - it won't last long, otherwise.
Australia's current privacy laws are not considered to "have adequacy" with Europe's GDPR, meaning other ways – an EU/US "Privacy Shield" and Standard Contractual Clauses – had to be developed to share data across borders, as many companies do. Fernando says those are also under scrutiny by GDPR regulators.
As one exec at a major publisher noted: “No doubt we’re going to have to start managing consent more granularly, more closely.”
CMPs, set to boom, favour big players
Clear and detailed consent collection is likely going to be table stakes to participate in the digital advertising space in Australia – and abroad – and that means dedicated systems and Consent Management Platforms, or CMPs.
CMPs are likely to be one of the big winners from privacy reforms, but the burden will fall heaviest on smaller players.
“Giving consumers a clear understanding how their data is being used and giving them a choice is really important,” one senior executive from a major publisher says. “But making that a burdensome and difficult regime to manage is only going to continue to privilege the platforms.”
Still, it may be necessary to meet consumer privacy standards.
Brinkworth warns that “dark patterns”, or deliberately misleading or deceptive language to get consent from users, are already under the microscope in Australia.
All of this may change, again
The digital advertising industry faces a lot of uncertainty after this decision, especially in Europe. IAB Europe says it is considering appealing the ruling, and while it is good for the industry to pay attention, it does not immediately affect Australian privacy laws. “We are not convinced the best outcome was achieved,” Le Roy says.
This is to say that Australia is currently in a very different regulatory environment to Europe.
Dr Johnny Ryan from the Irish Council for Civil Liberties, which brought the case against IAB Europe to the regulator, had a much more blunt summary of the decision.
“There is no security in real-time bidding. That makes it impossible for real-time bidding to ever be lawful,” he says. “The TCF was created for real-time bidding. There is no way to make it lawful.” He has another court case alleging RTB itself is unlawful under GDPR. The outcomes of that case, and a number of regulatory inquiries against Facebook, Google and Amazon around the world, would change the situation yet again.