“Are crumbles all that remains of the cookies?” A conversation on the future of ad tech at the Nordic Privacy Arena 2021
On September 27 and 28, 2021, the Swedish Data Protection Forum (Forum för Dataskydd) hosted the 2021 edition of the Nordic Privacy Arena (“Operationalising Data Privacy – Challenges, best practices, and success stories”) in Stockholm, Sweden. This hybrid event brought together privacy practitioners, watchdogs, and academics to debate some of the most pressing issues regarding privacy compliance, such as artificial intelligence (AI), cybersecurity risks, international data transfers, age-appropriate web design, and new enforcement trends.
The end of the first day saw a discussion on online advertising moderated by the Future of Privacy Forum’s Managing Director for Europe, Dr. Rob van Eijk. The panel, entitled “Algorithmic marketing and profiling – are crumbles all that remains of the cookies?”, featured valuable contributions from Dr. Anu Talus, Finnish Data Protection Ombudsman (DPA), Michael Hopp, Partner and Head of the Plesner law firm’s Data Protection team, Anna Eidvall, Partner and Head of the MAQS Advokatbyrå law firm’s privacy and data protection practice, and Patrick Breyer, Member of the European Parliament (MEP) for the Greens/EFA group.
The session was divided into four parts, which are covered in this blogpost: (1) a debate on cookie consent tools and data collection practices, notably the suitability of relying on users’ browser settings; (2) a discussion about the pros and cons of banning all or some targeted ad practices; (3) the speakers’ views on what to expect from ePrivacy Regulation negotiations over the coming months; and (4) an interesting exchange on whether contextual advertising is a silver bullet or a distant reality.
Cookie consent tools: can browser settings do the job?
Van Eijk started by pointing to the ways in which the Finnish Telecom regulator’s (Traficom) recently issued guidance on cookies and other tracking technologies advised service providers to collect website visitors’ consent. He noted that the guidelines drew inspiration from two decisions taken by the Helsinki Administrative Court in April 2021, by excluding browser settings from the list of appropriate means by which users may express their consent for the placement of cookies in their devices.
In response, Talus underlined that Traficom’s guidance had been issued only two weeks prior, after extensive work with her Office during the drafting process. She also expressed that she was pleased with the outcome, as it reflects the Data Protection Authority’s (DPA) longstanding position on cookie consent. Regarding browser settings, Talus stressed the difficulty of collecting GDPR-aligned consent through such means, although Recital (32) of the GDPR seems to indicate that this is theoretically possible.
Van Eijk then asked MEP Breyer about his thoughts on the Advanced Data Protection Control (ADPC) specification proposed by None of Your Business (NOYB), notably on whether this type of framework — similar to the Do-Not-Track (DNT) specification — has a future in the European regulatory discussion. In reply, Breyer stated that the ADPC addressed the issue of users’ “cookie-fatigue”, in that it proposes a practicable solution to enable the latter to make choices and website owners to respect them. He also took the view that such proposals could positively avoid leaving browser manufacturers free to establish default settings.
Then, the panel touched on the question: are online players unwilling to correctly configure their consent banners, in line with current legal standards? In this regard, Eidvall noted the complexity of the legal framework in this space, with an interplay of the GDPR with the ePrivacy Directive rules, and with Telecom and data protection regulators both playing a role in some jurisdictions, such as Sweden. For the speaker, the first dimension meant that consent from internauts should be sought at two levels: one at the moment of placing the cookie on/collecting device information from a user’s device and another for processing the data for ad targeting or other purposes. It also meant that controllers will often need to carry out Data Protection Impact Assessments (DPIA) and — after the Schrems II CJEU ruling — Transfer Impact Assessments (TIA), as well as comply with cumbersome information requirements towards users, the importance of which the recent DPC sanction against WhatsApp Ireland illustrated.
Furthermore, Eidvall added, some smaller businesses (such as online publishers) may be unwilling to change their current cookie practices, as they are often in a “do-or-die” situation: should they decide not to deploy behavioral ads, their revenues may significantly decrease. Thus, she argued that the change should be championed by large tech companies. However, she noted that significant change on their part is unlikely to come unless the risk of being sanctioned becomes higher than the business benefits of using cookies.
Hopp observed that companies are now questioning whether they are required to comply with the privacy rules that are effective in the jurisdiction where the placement of cookies takes place, or with those in their country of establishment, as there have been significant challenges to the latter view. He also noted that there is a lack of clarity around consent requirements when it comes to online tracking, which the EDPB tried to sort out to some extent and which will hopefully be resolved by the new ePrivacy Regulation.
To wrap up the first topic, van Eijk highlighted that the EDPB has tried to reach some harmonization of EU DPAs’ views on cookie consent through its own guidance, which weighs in on “cookie walls” and user affirmative action following the Planet49 case. Additionally, some DPAs are specifically requiring consent to be as easy to refuse as to give, when it comes to placing cookies or similar technologies. Conflicting national court decisions on cookie consent may also be a blind spot for companies with an online presence when devising compliance strategies.
Pros and cons of banning all or some targeted ad practices
To stir the debate during the panel’s second segment, van Eijk mentioned EU lawmakers’ discussions on the Digital Services Act’s (DSA) rules on targeted online advertising. In that context, some MEPs favor a strict and encompassing ban on those practices, while others favor narrower prohibitions or only enhanced transparency duties. The moderator was keen to hear speakers’ views, notably on whether consent could serve as a proportionate solution for legitimizing current ad tech practices.
Breyer looked back on last year’s European Parliament (EP) requests to the European Commission (EC) to phase out personalized online ads, in favor of contextual ones, which do not rely on personal data processing. One of the reasons for which he does not support consent-based targeted ads relates to the fact that users are currently being deprived of real choices, due to the use of “dark patterns” that make it more cumbersome for them to reject tracking. Another reason mentioned by Breyer was that, even in cases where individuals are given a fair choice, there are societal issues associated with targeted advertising, leading to more than just individual harms. In this regard, he mentioned that the technology that is deployed by undertakings to understand and predict the behavior of online consumers is being leveraged to threaten democracies through the spread of disinformation.
The MEP also mentioned that targeted advertising generates issues in the online media landscape. One of the problems he identified was media outlets’ heavy loss of revenues to targeting companies and ad brokers. He believes that forcing online media to rely on contextual advertising — as newspapers and TV networks do — would create a level playing field that would enable the preservation of professional and quality media. Breyer also noted that, despite a growing number of EP lawmakers now believing that an opt-in standard for targeted online ads is not the solution, there does not seem to be a majority favoring a ban, which could also hamper the strength of the EP’s position in future negotiations with the Council of the EU on the DSA.
The conversation then shifted to the use of metadata in the context of Real-Time-Bidding (RTB) requests, and whether a specific ban there would be appropriate. Hopp answered in the negative, instead favoring reliance on self-regulation instruments and clearer regulatory guidance on online advertising. He mentioned that, nonetheless, there are areas in which all the players in the ecosystem should agree that targeting ads is not possible, such as deliberately rendering consumer loan ads to individuals with a high interest in online betting. On the other hand, he also proposed that regulators could prohibit certain practices by relying on the GDPR’s general Article 5 principles, regardless of whether controllers rely on consent or legitimate interests to carry out personalized advertising.
Eidvall concurred, stating that legal bans are seldom effective. Instead, the speaker advised companies in the online advertising space to look at the issue from a data ethics perspective. She stressed that undertakings ought to start thinking about whether certain processing operations that are technically possible are also morally sound, before implementing their digital marketing strategies.
This led to a debate about whether this type of reflection actually happens in self-regulatory frameworks, and about how enforcement takes place in such scenarios. Is it fair to leave it to browser and app manufacturers to shape the ecosystem by limiting what ad tech providers can technically do as Apple did with its App Tracking Transparency? Eidvall took a positive view of such developments, including Google’s phasing-out of third-party cookies, which is scheduled for 2023. She also stressed the importance of avoiding turning privacy into a class issue, which could be done by allowing users who wish to pay with their data to do so, while ensuring that alternative payment methods are available to all.
Van Eijk then took stock of varying cookie banner configurations and enforcement trends that are seen across Europe, with the French CNIL’s compliance notices and NOYB’s letters to website owners aiming at fixing some practices. He wondered about the part that enforcement standard-setting bodies and trade organizations, such as the Interactive Advertising Bureau (IAB), could play in the future.
On this note, Hopp acknowledged the importance of the IAB’s role in relation to its members but focused on what consumers could do to change the paradigm. He noted that, as more people become aware of their privacy rights, it is possible that the number of complaints in the face of infringements will increase. He finished by admitting that some providers may be making deliberate choices to overlook compliance in this realm to maximize their revenues and that collecting valid consent may not suffice to place them in a good light in the public eye.
On whether the design of fair opt-in mechanisms for online targeting would help fight ubiquitous dark patterns, Breyer observed that users tend to reject tracking when they are given a meaningful choice, as illustrated by Apple’s iOS 14.5 launch. Nonetheless, he noted that website owners who deploy “cookie walls” argue that they generally manage to obtain users’ consent. According to the MEP, this is due to the fact that the majority of cookie banners do not provide fair choices to users, as it is currently hard for them to identify the correct path to reject tracking on most websites. The panelist added that it should not be possible to subject a user to consent requests each time they open a new website, nor for website owners to deny access if users refuse consent. He argued that the information that data brokers can gather about internauts is often very sensitive and that it could be used to manipulate or blackmail the latter. This, according to Breyer, reinforces the argument for banning targeted ads, also because research has shown that publishers’ revenues are not meaningfully affected in case they replace personalized ads with contextual ones.
What to expect from ePrivacy Regulation negotiations?
Van Eijk invited the speakers to make some predictions about how and how fast the ePrivacy Regulation trialogue between the EU lawmakers will progress, also given that France will take over the Council’s Presidency in January 2022.
Breyer pointed out that France has taken a very harsh stance in ePrivacy negotiations within the Council, notably coming up with data retention language for the Council’s negotiating mandate. After stressing that the Court of Justice of the European Union (CJEU) has consistently ruled that indiscriminate data retention for law enforcement purposes breaches the EU Charter of Fundamental Rights, the MEP revealed that the EP is not willing to compromise at any price in the ePrivacy saga. He predicted that the EP would not accept watering down the existing level of electronic communications confidentiality protection under the ePrivacy Directive, in particular when it comes to the purpose limitation principle.
Talus identified the ePrivacy Regulation as an opportunity for the EU to clarify DPAs’ competencies when it comes to enforcing electronic communications privacy rules. Currently, many countries — including Finland — reserve enforcement powers to their Telecom regulators in this space. Talus believes that companies and individuals do not benefit from the blurring of each authority’s competencies, and that when it comes to personal data processing, DPAs should take the lead, also to ensure the coherent application of the GDPR and ePrivacy norms.
Eidvall stated that, regardless of whether the French Presidency will be able to advance ePrivacy negotiations, mounting enforcement and self-regulation — but also data subject awareness — is likely to happen. In response to a question raised by van Eijk on the impact that the upcoming final Belgian DPA decision in the IAB RTB case promises to have on self-regulation instruments, Eidvall mentioned other relevant inspections that are ongoing, like the ones triggered by NOYB’s complaints.
Hopp expressed that regulators are expected to come up with a solution to the cookie conundrum even if the ePrivacy Regulation is not approved. On van Eijk’s question of whether the GDPR already provides grounds for banning dark patterns and conditional consent practices (like cookie walls), Hopp underlined that the question of consent validity is clearly answered in the GDPR, including when it comes to “mandatory consent” practices in news websites.
Contextual advertising: a silver bullet or a distant reality?
Following Breyer’s calls for a paradigm shift towards contextual online ads, the moderator referred to how the Dutch public broadcaster (NPO) applied such techniques and actually bolstered its advertising revenues. Therefore, he asked the panelists whether the opportunities for innovation in the contextual advertising sphere were worthy of further exploration.
Eidvall mentioned that her clients often express interest in using anonymization techniques in the online advertising space, to find alternatives that would be equally effective without processing personal data. However, she noted that anonymization itself qualifies as “processing” under the GDPR. In any case, she reported on a number of initiatives that seek to eliminate personal data from the process, also relying on ethical approaches as a unique selling point.
Hopp noted his clients’ lack of appetite for combining, e.g., differential privacy with contextual ads for measuring the reach of their ad campaigns. Instead, he highlighted their concerns about the phasing out of third-party cookies and their wishes to deploy first-party cookies for ad measurement. In this regard, Hopp took the view that anonymizing first-party data for strict measurement purposes should not be legally necessary, as long as companies comply with the purpose limitation principle and do not leverage it for user profiling.
To conclude, van Eijk stated that the lawfulness of first-party data use in the online context depends on the impact on the rights and freedoms of individuals, as well as the nature of the data at stake. In the moderator’s view, processing browsing behavior, children’s and special categories of data for targeting purposes may have unbearable risks. He pointed to groups who are trying to reach a consensus on what is “privacy by design” in the online advertising context, such as working groups at the W3C. In this regard, it is worth keeping an eye on the change announced by Google to move away from the FLoC identifier to more topic-based data as a more privacy-friendly solution changing the paradigm of the online advertising ecosystem.
For further reading, check out:
FPF’s Event report: “Dublin Privacy Symposium 2021 – Designing for Trust: Enhancing Transparency and Preventing User Manipulation”, July 2021.
FPF’s blogpost Manipulative Design: Defining Areas of Focus for Consumer Privacy, June 2021.
Highlights of FPF’s March 2021 event Manipulative UX Design and the Role of Regulation.