The future of consent pop-ups and programmatic advertising in a privacy-first world

Sergio Maldonado
PrivacyCloud
Feb 9, 2022 · 9 min read

There’s been much speculation about the consequences of last week’s decision against the IAB’s Transparency and Consent Framework (“TCF”) in the EU (issued by the Belgian Data Protection Authority, following prior consultation with all other national supervisory authorities).

As is also well known, the TCF (now in its version 2.0) is behind the consent management pop-ups that torment European visitors to news websites and other ad-supported digital media.

Publishers represent, however, a small and shrinking part of the Internet, so the assertion that this decision will “do away with consent spam” is rather misleading.

The TCF was built with one very particular scenario in mind: that in which multiple personal data controllers hide behind the one party that has a direct relationship with the audience. There is in fact little more that they can aspire to in a world that discriminates against those sitting at the back of this particular “chain of custody”. That is, the ePrivacy Directive world, in which consent becomes the sole valid legal basis for the processing when cookies or local storage* are involved.

Now, I personally believe that, by making the bold move of incorporating “legitimate interest” as an alternative legal basis (if so chosen by the specific vendor/data controller) in the latest version of this framework, the IAB was aiming for a “fait accompli” strategy of sorts that could help it build the case for its own proposed changes to the ePrivacy framework (in the long overdue ePrivacy Regulation). Namely: that legislators put an end to such an anomaly, in alignment with Article 6 of the GDPR, in which consent is only one out of six possible legal bases.

Of course, behavioral programmatic advertising was always going to face additional hurdles in light of the risks involved and the clear disregard for individual privacy shown by multiple data brokers and ad tech players over the years (not to mention the very real possibility that sensitive data categories are involved in the definition of individual profiles), so the whole exercise was mostly wishful thinking.

The bomb that eventually detonated was packed with plenty of additional dynamite: it did not even have to get into the ePrivacy mandate (again, at the source of the entire schema) to find that:

  • The legitimate interest “test” will be hard to pass in such context
  • Consent is still not valid (for vendors not specifically choosing legitimate interest)
  • The IAB itself is a joint data controller, having defined the framework that ad tech vendors abide by (and actually being present in the data flow by means of its own cookies)
  • Consent Management Platforms are also a joint data controller (and not a mere data processor acting on their behalf), as they determine what vendors should do in order to properly implement the TCF
  • International data transfers to the US are taking place without proper cover (an unfortunate legal trap shared by nearly every US-based service after the Schrems II ruling, including Google Analytics)

But I did mention that publishers are only part of the challenge. What about every e-commerce retailer or WordPress-based corporate website out there? Presenting a single data controller will simplify matters (with most tags and cookies on their websites being served by third parties acting as data processors), but few data processing purposes will satisfy the legitimate interest test beyond mere statistical analysis of their overall website traffic (already exempted from obtaining consent in the latest draft of the ePrivacy Regulation). Which means that every other piece of SaaS technology or third-party hosted library will most likely require consent.

In other words, even if TCF consent pop-ups are entirely banned in the ad-supported media landscape for the sole reason that programmatic behavioral advertising, as an open exchange, cannot be saved, consent management pop-ups will still be required by every single website, including the news media, in order to provide a legal basis to most of their cookie or local storage-based optimization, personalization, or promotional efforts.

But there could be another twist.

Enter the Digital Content Directive

The EU Digital Content Directive is only now starting to see the light (the period for its transposition into national laws expired on July 1st 2021). Quietly but surely, it opens the door to people “paying with their data” for access to certain services or content, as long as this happens within the limits set by the GDPR.

I have already explained that I find it hard to understand how these two laws can easily coexist. The former is taking privacy into the sphere of private law, potentially turning what the latter deems a “fundamental right” into a commodity that can be happily traded.

That is, unless we are not really equating a “data payment” to a “privacy sacrifice”, but rather referring to a payment in “future time and attention”.

Recital 24 of this Directive mentions two specific examples: a consumer opening up a social media account and providing a name and email address that are used for purposes beyond the provision of the service, and someone giving consent for “photographs or posts that the consumer uploads, to be processed by the trader for marketing purposes”. Email addresses can become a destination in themselves, but also a permanent, unique identifier across multiple websites. Uploading a photograph can simply result in renouncing our intellectual property rights in favor of the platform, but it could also carry much more significance, easily posing a threat to our future choices and freedom.

In any case, it is also clear that having the GDPR act as a barrier will also hamper the ability of data collectors to resell or pass personal information along to others, given that individuals should eventually be able to withdraw their consent or exercise their various rights, and this will prove extremely difficult for business scenarios and data flows that are built as a one-way street. Hotel California, all over again.

Still, the door is now open to a new generation of “consent walls” (so categorically discarded as a valid option by many a supervisory authority), in which publishers or other businesses will request access to certain data points in exchange for access to their content or services.

Its interplay with legacy ePrivacy consent requests will be very interesting, particularly in light of two other meteorites heading our way: Chrome’s deprecation of third-party cookies, and the EU legislator’s response to the apparently anti-competitive outcome of all of the above, with dire consequences for the traditional media that many MEPs hold dear.

Cookieless and divided

I have mentioned Google’s plans for Chrome. If it all goes according to plan we will end up with a Topics API that allows advertisers and publishers to tap into a random combination of our most relevant interests, themselves automatically compiled across multiple websites that we have visited before.

Although there was hope that this Privacy Sandbox would not require consent (as cookies were to be discarded and no personal data is involved), I now have my doubts, given that the ePrivacy Regulation has maintained the provisions for the “use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment”, not to mention an ever-higher bar for whatever we consider “anonymous” data in a world in which a combination of various data sets can result in individualization.

I have also mentioned anti-competitive concerns. Not only have Chrome’s plans raised plenty of scrutiny and even forced Google to depend on the UK Competition and Markets Authority’s authorization for its final deprecation of third-party cookies (despite the fact that all other major browsers have already done so); Brussels is also looking into the potential risks posed by the Privacy Sandbox to a healthy digital advertising competitive landscape.

The latest draft of the EU Digital Services Act (as approved by the EU Parliament in January) aims to strike a balance between competition and privacy by allowing programmatic behavioral advertising on condition that an opt-out from personalized advertising is clearly provided, and under the assurance that children and special categories of data are filtered out. This, it would appear, only revisits an issue that a polished interplay between the GDPR and ePrivacy frameworks would have already resolved, unless lawmakers have secretly given up on their own ability to get the latter out of the gate in the present century.

While the entire drama gets resolved, the ad tech ecosystem is of course preparing for a cookieless future with an ID-based alternative that would maintain current data flows by simply replacing the cookie’s role as a “hook” on which to hang personal traits and interests. Given that the most successful attempts rely on hashed email addresses or phone numbers, the challenge could easily move away from the ePrivacy precepts (as no data is written into the user’s terminal) and into a direct breach of the GDPR. That is, of course, if Chrome allows them (Google has already made it clear that they do not conform to its intended privacy standards), provided that competition authorities allow Google to allow Chrome to allow them :)
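Why a hashed email address is still personal data, as an added illustration (not code from the original post) of the ID-based alternative described above and of the “permanent, unique identifier across multiple websites” concern raised earlier: the addresses and lists below are constructed. It shows that two sites derive the same identifier independently, that their profiles can be joined without touching the user’s terminal, and that anyone holding a mailing list can reverse the hash.

```python
import hashlib

def normalize_email(email: str) -> str:
    """Canonicalise an address the way cross-site ID schemes must, so that
    independent parties derive the same identifier from the same person."""
    return email.strip().lower()

def hashed_email_id(email: str) -> str:
    """Unsalted SHA-256 of the normalised address: the 'hook' on which an
    ID-based replacement for third-party cookies hangs profile data."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()

def link_across_sites(site_a_ids, site_b_ids):
    """Any two parties holding such IDs can join their profiles with a plain
    set intersection; nothing is written to or read from the terminal, so
    the ePrivacy trigger never fires, yet the individuals are singled out."""
    return set(site_a_ids) & set(site_b_ids)

def reidentify(hashed_ids, known_emails):
    """A party holding a list of email addresses (a CRM export, a newsletter
    list) reverses the 'anonymous' hash by recomputing it per address.
    This is why the identifier is pseudonymous, not anonymous, under GDPR."""
    lookup = {hashed_email_id(e): normalize_email(e) for e in known_emails}
    return {h: lookup[h] for h in hashed_ids if h in lookup}

# Constructed sample data: two publishers' sign-up lists and a marketer's list.
SITE_A_SIGNUPS = ["Alice@Example.com", "bob@example.org"]
SITE_B_SIGNUPS = ["alice@example.com ", "carol@example.net"]
MARKETER_LIST = ["alice@example.com", "dave@example.com"]

def demo():
    a = [hashed_email_id(e) for e in SITE_A_SIGNUPS]
    b = [hashed_email_id(e) for e in SITE_B_SIGNUPS]
    shared = link_across_sites(a, b)          # same person on both sites
    recovered = reidentify(shared, MARKETER_LIST)
    return shared, recovered

if __name__ == "__main__":
    shared, recovered = demo()
    print(f"{len(shared)} identifier(s) shared between the two sites")
    for h, email in recovered.items():
        print(f"{h[:16]}... -> {email}")
```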

All together now

Which takes me where I wanted to be: in a better position to speculate about how different combinations of all of the above could result in massive changes in the digital advertising ecosystem. Apple’s App Tracking Transparency (self-serving) move has already shown the impact that a lack of clear visibility with regards to campaign performance can have on the allocation of billions of dollars in advertising spend, with Meta/Facebook’s stock suffering a serious blow as a consequence.

And here, on the one hand, we have the various questions that should have been resolved by the end of 2022:

  • Will the ePrivacy Regulation modify article 8.1 to incorporate legitimate interest as an option? This will simplify things for Chrome’s Topics API or, if allowed to survive, certain Real Time Bidding (“RTB”) activities.
  • Will the Digital Services Act end up forbidding RTB as a whole? This will mean that we won’t have to worry about the validity of consent in the context of the open market for individual profiles. Also, we would be less concerned about expanding the role of legitimate interest in the ePrivacy Regulation.
  • Will most national implementations of the Digital Content Directive, as well as the Digital Services Act, allow people to pay with their data within the limits set by the GDPR? This will build the case for “Super Consent Walls” that accept an email address or phone number in exchange for access to premium content, provided that such contact details are not transferred to unrelated third parties with whom the exercise of data subject rights could be compromised.
  • Will Chrome’s Privacy Sandbox be allowed (by multiple competition authorities) to forbid both fingerprinting and email/phone-based unique ID alternatives to the cookies it is intended to deprecate? This will boost the case for Topics API, contextual programmatic advertising, and solutions sitting on top of interests and preferences self-declared and self-managed by each individual (you guessed it, Zero-Party Data).
  • Will the EU and US manage to negotiate a new Privacy Shield framework? It does not sound easy, as it really depends on the US government giving up on spying on the individual communications of EU citizens. In its absence, it is not just Google Analytics or even Google Fonts (!), but also the most popular SME tools (HubSpot, Mailchimp, SurveyMonkey, Airtable…) that will need to be replaced across the board.

On the other hand, we have multiple scenarios and business cases that advertisers, vendors, publishers, etc. will have to ponder in order to come up with their best possible hypothesis and subsequent allocation of resources. Some examples:

  • Consent spam explodes. A differentiated, highly annoying “European internet experience” takes full shape. I would guess this is likely to happen if legitimate interest is not available to an upcoming Topics API framework, or if competition concerns end up forcing Chrome to maintain third-party cookies, together with a failure to renew the EU-US Privacy Shield agreement. This should however help giant gatekeepers, as requiring consent keeps favoring direct relationships with the audience. No doubt a rather paradoxical outcome, as the US-based Big Tech players (their brand new servers fully grounded on EU soil) would end up commanding full control of a fairly isolated market.
  • Consent Management Platforms take a step back. The internet becomes more bearable and we do not have to worry about a second-class European internet experience. This may require changes in the ePrivacy Regulation, a full ban of RTB on both sides of the pond, and a migration to Topics API as a means to inform advertising campaigns and content personalization efforts. Also, we would need to have a new Privacy Shield framework (with everything that this entails on the US side).
  • Publishers could find a silver lining in the demise of RTB and third-party cookies, together with the advent of Super Consent Walls and the ongoing consequences of Apple’s App Tracking Transparency policies (diverting product discovery expenditure away from Instagram/Facebook, in the absence of a tangible advantage in terms of measurable performance). They may finally be able to leverage first-party relationships through their own home-grown brand or performance-marketing platforms.

Time to place our bets :)

*Writing to and reading from the user’s terminal (article 5.3 ePrivacy Directive: “to store information or to gain access to information stored in the terminal equipment of a subscriber or user”).

Dual-admitted lawyer. LLM (IT & Internet law), Lecturer on ePrivacy and GDPR (IE Business School). Author. Founder: PrivacyCloud, Sweetspot, Divisadero/Merkle.