Deceptive and infringing practices
There are a few things which are inherently wrong with most Cookie Banners and Consent Management Platforms – including those that are based on the Transparency and Consent Framework of the IAB, an industry association for the online advertising ecosystem.
First of all, far too many CMPs and cookie banners come with pre-ticked boxes or are opt-out by default (you have to do something to opt out). So if you're in a hurry or simply don't want to spend 10 minutes trying to dive into privacy policies, you will probably agree to have everything you do on the internet shared with hundreds of companies, including the most intimate and personal sites you visit. Such pre-ticked boxes are clearly unlawful.
Secondly, we believe that many consent frameworks that are deliberately deceptive or misleading also don’t comply with GDPR. GDPR is clear that for consent to be valid, it must be informed, specific and freely given. If tracking involves special category data, such as when you use a health app, visit the website of a political party or that of a trade union, the bar is even higher. Your consent must also be explicit.
Finally, we are very concerned about the ways in which companies share, enrich and exchange your data in a vast ecosystem of data brokers and advertisers. Once you have given “consent”, your data disappears in the data brokerage ether and could be used for anything, from product promotion to microtargeting by political parties. As we argued when we complained to Data Protection Agencies against seven AdTech and data broker companies, that’s neither fair, nor transparent.
Privacy by design and by default
You should have the right to make real, informed choices, and your consent is not something that should be “managed”. Consent is something that can only be earned – ideally by those who clearly explain why they deserve your trust. That, however, puts a large part of the murky ad-tech ecosystem in an incredibly difficult position: hundreds of companies – most of them non-consumer facing – exchange, link and enrich data in ways that are so complex that it is incredibly difficult to do so transparently. Deceptive CMPs open the door to a broad range of abuses we observe in the AdTech ecosystem, from manipulation to discrimination. This, we believe, is a systemic problem that is inefficient and puts everyone at risk. It’s bad for publishers and brands who care about their users, readers and consumers, as it betrays their trust.
So what’s the solution? Protecting your own privacy shouldn’t be a full-time job that requires advanced technical knowledge. That’s why we think that people and their data should be protected by design and by default (this is something the law requires too). It’s useful to compare good privacy to good food security: we don’t go into a restaurant and test whether our food is safe – we trust that there are laws, institutions and practices that ensure that it is. And when it isn’t, those who don’t play by the rules get punished. That’s something we want for our data as well.
What is Privacy International doing about it
Online advertising and invasive tracking everywhere need to be fixed, and a first step is to make sure that the ecosystem is fully compliant with existing laws. That’s why in November 2018, Privacy International filed complaints against seven companies with data protection authorities in France, Ireland, and the UK: data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian). Our submissions set out why these companies do not comply with the Data Protection Principles in GDPR, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. They also do not have a legal basis for the way they use people's data, in breach of GDPR – as we’ve set out above, they don’t have valid consent. Many of these companies play an important role in Real Time Bidding (RTB). As a result of our submission to the Irish Data Protection Commission, the AdTech company Quantcast is now under investigation. The UK ICO is also looking more closely at AdTech. But we won’t stop here.