Who: The ICO, the Direct Marketing Association (DMA) and the Internet Advertising Bureau (IAB)
When: March 2017
What happened:
UK data protection authority the ICO issued draft guidance on consent under the GDPR. The DMA and IAB both responded to the ICO’s consultation, seeking clarification and amendment on various points.
ICO draft guidance
The ICO paper seeks to give guidance on the higher standard of consent under the GDPR. It takes the view that, for consent to be valid, the following requirements must each be met:
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).
- Granular: Give granular options to consent separately to different types of processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third party organisations will not be acceptable under the GDPR.
- Documented: Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: Consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative legal basis.
Industry responses
The IAB and the DMA between them take issue, amongst other things, with:
- Named third party consent – the requirement that third parties relying on the consent must be named. This goes beyond the position under the ICO’s guidance on the current (pre-GDPR) law, which allows consent to be obtained for carefully defined categories of third party. The trade bodies say it also goes beyond the GDPR’s requirements, and will lead to major adverse impacts for the marketing industry and for consumers.
- Invalidity of opt-out consent and implied consent. The DMA argues it is significant that, following debate in the EU Parliament and Council of Ministers, no reference to opt-out was included in recital 32, but pre-ticked boxes were. It argues that the UK’s edited electoral roll is an example of opt-out consent. The IAB argues that implied consent via “cookie banners” – including on the ICO’s own website – should be seen as “valid for the digital advertising industry under the GDPR” (other than where explicit consent is required).
The IAB also calls for the ICO guidance on “bundling” of consent to go further. The draft guidance appears to leave the door at least slightly ajar to “cookie-gating” – making access to online services conditional on the user accepting the use of cookies – although the ICO says this “would be unusual” and “you would always be taking a risk”. The IAB argues that the economic interests of funding online services through targeted advertising need to be recognised as “necessary”, meaning that a “cookie-gating” consent would still be “freely given” for GDPR purposes.
More generally, both trade associations plead for understanding on the ICO’s part of the complexities and particular challenges faced by the advertising and marketing industries. For instance, in the context of programmatic advertising, they each make the point that many different entities may process online identifiers but may have no direct contact with the data subject. This clearly raises challenges as to how those businesses should get valid GDPR-grade consent, to the extent that the data they process is seen as personal data under the GDPR and to the extent they are relying on consent as their legal grounds for processing.
Why this matters:
On the third party consent issue, the ICO may no doubt feel that its hands are tied by GDPR recital 42 (“For consent to be informed, the data subject should be aware at least of the identity of the data controller…”). However, many marketers and agencies will be significantly impacted if the guidance on this point remains as it is. Those relying on category-based consents should start preparing for that prospect.
On opt-out consent, UK marketers and their advisers may – if the ICO sticks to its guns – have to change their mind-sets going forward. Rather than being a form of “consent”, opt-out may need in future to be looked at as a form of user control in the context of processing carried out on legitimate interest grounds.
The issue of “cookie-gating” appears to be still very much in play, and may continue to be one of the key battle-grounds not just for the ad industry but for the digital sector generally.
However, more than anything else, these themes from the ICO guidance and the IAB and DMA responses highlight the serious problems the adtech industry may face depending on how the draft ePrivacy Regulation (ePR) shakes out, and exactly how broadly the GDPR’s definition of personal data is construed:
- If the ePR requires GDPR-grade consent for cookies, and if consent on a named basis is required, then how can DSPs, DMPs and other entities in the supply chain get that consent?
- In a real-time bidding scenario, getting consents on a “just-in-time” basis is clearly not feasible, so would we instead be looking at (a) browser-setting consents (in which case the adtech industry needs to be talking with Microsoft, Google and other browser manufacturers – and quick); (b) relying on publishers to get consents (but potentially naming each of a – probably large – group of adtech suppliers and intermediaries, with a need to re-permission when any new adtech business wants to be involved); (c) some industry solution – perhaps an adaptation of the current youronlinechoices.eu; (d) some combination of these measures; and/or (e) some other approach?
- If implied or opt-out consent is not going to be valid (and that’s certainly the ICO’s view in its draft guidance) then won’t consent levels plummet? Or will publishers seek to shore up revenues by introducing cookie-gating to force opt-in consent, even though the current draft ICO guidance says the consent risks being invalid as not “freely given”?
- As for those adtech businesses who do not directly set or access cookies or other information on a user device, can they rely on “legitimate interests” as the basis for processing instead of consent? Recital 47 of the GDPR recognises that processing for “direct marketing purposes may be regarded as carried out for a legitimate interest” – will the final ICO paper address this point and what guidance if any will it offer on the extent of its applicability?
- And if use of cookies and other technologies stored on the user’s device ends up being effectively unworkable for the adtech sector, will the ePR allow scope for other forms of “device fingerprinting” based on signals emitted from the device, and will processing of that data (to the extent it is “personal data”) be justifiable under legitimate interest grounds?
In the face of so many moving parts, is it any wonder that many in the adtech industry are at a loss as to how to proceed? However, “wait and see” cannot be a valid strategy for too much longer: there is a range of eventualities to prepare for, it’s not clear when that range is going to narrow and time is running out in the countdown to May 2018.
The ICO draft guidance can be found here. The IAB and DMA responses are here and here respectively.