Tuesday 23 July 2019

Steve Dempsey: Pop-ups are price of online privacy

'The online advertising ecosystem is probably too complex and compromised to devise a framework that protects users’ data and still supports surveillance capitalism.' Stock photo
'The online advertising ecosystem is probably too complex and compromised to devise a framework that protects users’ data and still supports surveillance capitalism.' Stock photo
Steve Dempsey

Steve Dempsey

Europe's General Data Protection Regulation, or GDPR, was supposed to give users transparency and control over their data. But this control comes at a cost: and that cost is thousands of pop-ups. Nowhere is this more evident than news websites that rely on online advertising for their revenues.

Some of these pop-ups are obtrusive, demanding a user's attention and consent to share data for personalised ads. Many use an out-of-the-box solution from the likes of Quantcast, a tech company that specialises in AI and data-powered real-time advertising - and which seems to have used GDPR to play gamekeeper as well as poacher.

Even more pop-ups are small and easily ignored. They mention privacy policies and cookie settings and point out that user consent to share data will be inferred if users click OK, or click on any content on the site.

Some also link through to pages that detail all the ad vendors they work with, allowing users to choose the ones with whom they'll share their information. Seriously, who is going to read through these lists, let alone select the ad tech vendors they're happy to share personal data with? Criteo or AppNexus, which do you prefer?

One thing is clear: there's no consistency for consumers. European legislators left it up to the businesses that operate online to develop technology and hardware that incorporates privacy by design. But imposing data-consent requirements for all EU citizens without a framework for managing it was a little like that time the EU went with monetary union without banking union.

We all know how that worked out.

The online advertising ecosystem is probably too complex and compromised to devise a framework that protects users' data and still supports surveillance capitalism.

But it has tried. The Interactive Advertising Bureau (IAB) is the industry body that supports the online advertising industry.

It has proposed a complex system that allows publishers to capture user consent on behalf of advertisers and store that consent centrally. It's complex due to the nature of programmatic advertising; bids can come in from a host of ad exchanges in real time from an ever changing set of ad exchanges.

But the IAB framework has some issues. Firstly, there's every chance it will do little more than protect the status quo of a murky programmatic advertising ecosystem where behaviourally-targeted ads are traded for next to nothing. But a far greater issue is the fact that the biggest ad tech vendor isn't on board. Who am I talking about? Google, of course. The search giant has promised that it will integrate with the IAB framework.

Google has also been playing hardball with publishers that use its advertising ecosystem, insisting that they accept liability as the controllers of the data collected and shared with advertisers.

That said, it has softened its cough in relation to its own consent management platform, Funding Choices. Publishers using this platform were only allowed to gather consent for a maximum of 12 ad tech vendors. Google lifted this limit following publisher complaints.

Google's stance exemplifies some of the practical issues around GDPR and advertising. The big guys can throw their weight around and dictate terms to smaller guys. Sadly, smaller in this instance means news companies.

But some publishers have been able to ignore GDPR altogether. How? By being overseas. Hundreds of US news sites have taken one look at GDPR, shrugged, and turned their back on their European audiences.

Try to read a story on the Los Angeles Times and you'll get the following message: "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market." Visit USA Today and you'll get an 'EU Experience'.

This is a pared-back version of the site that doesn't collect personally identifiable information and looks very sparse. Ironically, the site does need to collect some personally identifiable information to determine whether a reader is in the EU in the first place.

It's unlikely that a more insular Europe was part of the GDPR plan. Similarly, putting more power in the hands of the bigger tech companies which control and monetise data is probably an unintended consequence.

GDPR's aims are laudable and should be embraced by users of all online services. But getting international ad tech companies, on which many news organisations are dependent, to embrace them may be harder than legislators initially thought.

Sunday Indo Business

Also in Business