

























Open Rights Group response to the ICO call for views on their new approach to regulating online advertising
Commercial viability of targeting practices is not a static definition, but is ultimately determined by what practices are tolerated and allowed to be offered withing the online advertising market.
With this in mind, real-time-bidding and behavioural advertising are currently underscored by a free-for-all model where, once consent is given (and oftentimes, even when it’s not) adtech intermediaries process, share and repurpose this data at will. This is illegal under the UK GDPR, which requires data not to be processed beyond the specific, granular purpose for which consent was given.
It follows that the true value and commercial viability of advertising practices cannot be measured, insofar prices are distorted and the market is impacted by the unfair competition of non-compliant advertising practices. In turn, any serious assessment regarding the extent necessary of employing targeting features to attain a “commercially viable advertising model” should be preceded by an effective regulatory sweep to remove illegal advertising from the market, and restore a level playing-field for law-abiding businesses.
Change needed – Targeting: No change
Firstly, the ability to target individuals based on personal data is the main enabler of harms, discrimination and predatory practices that plague online advertising. Targeting based on personal data exposes women to unjust prosecutions for their attempt to exercise reproductive health rights; problem gamblers to being targeted with gambling ads that are meant to exploit their addiction; anyone to be excluded on the basis of their gender, sexual preferences, ethnicity or other sensitive characteristics; children and those in a more vulnerable status to be targeted and taken advantage of.
These are not unfortunate outcomes, but inherent to the technolopgy being used: behaviour is the only personal data that can be observed and captured by storage and access technologies; however, behaviour is never a reliable proxy for an individuals’ characteristics, preferences or inner desires, but is a reliable mean to identify addiction, health statuses and other syndromes—all of which are, indeed, recognisable by “typical”, “compulsive” behaviours and clearly discernible patterns of behaviour. A system that is inherently bad at guessing your commercial preferences but inherently good at identifying weak spots that can be exploited does, not surprisingly, serve the purpose of exploiting individuals better than it does serve the purpose of delivering legitimate advertising. Advertising systems that target individuals on the basis of personal data should never be considered low-risk or exempted from consent requirements.
For the avoidance of the doubt, contextual advertising may not be considered as targeting on the basis of personal data, insofar targeting is based purely on the context of the website where the ad is being shown. The inclusion of information that either directly or indirectly relates to an individual—for instance, where the IP address was used to guess the geolocation of an individual— should never be considered contextual and thus be treated as targeted advertising.
Finally, we would draw attention to the fact that the call for views includes the following statement:
“We will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation.”
Therefore, we consider a relaxation of consent requirement for ad targeting based on any amount of personal data to be outside of the scope of this call for view, and we expect the ICO to honour this statement.
Strongly disagree
As mentioned in response to question 6, tolerance toward non-compliant advertising practices prevent a meaningful measurement of the true value and commercial viability of advertising practices “that can also safeguard people’s privacy and improve user experience”.
Adding to those considerations, the approach of the call for views turns the relationships between commercial viability and “safeguarding people’s privacy and improving user experience” on its head: it is for advertising market players to commercialise their services withing the boundaries and in compliance with the norms that have been established by legislation. The UK GDPR and PECR already require advertising to be done in a manner that safeguards privacy and our agency. The role of the ICO is to enforce these boundaries, not to adapt them to meet the needs of non-compliant advertising firms.
Finally, it is worth underscoring that, in the event of exemptions to cookie consent requirements being adopted, “safeguarding people’s privacy” would ultimately depend on the limits and safeguards in place that underpins those exemptions. The call for views provides some, welcome clarifications over what will not be exempted, but does not at any point clarify what practices may or are being considered to be covered by those exemptions. This does not allow to appreciate the approach, and if and in which manner the ICO is managing to “safeguard people’s privacy” while conducting this call for views.
Increased risk of privacy harm
This questionnaire give adtech providers ample freedom to argue in favour of removing consent requirements for a range of purposes, as listed in questions 1-6. From the perspective of civil society and independent experts, instead, the call for views does not provide any proposal whose impact on people’s privacy can be commented upon. Further, the call for views allows industry players to keep their responses as confidential, which could prevent evidence in favour of deregulation to be scrutinised publicly.
Notwithstanding that the “scale of these negative impacts“ can only be measured when a proposal will be presented, it is clear that the design of this call for views presents a very high likelihood to over-represent the views of the adtech industry and, in turn, to underweight the increased risk of privacy harm that could result.
Giving legal enforceability to technical signals would allow individuals to express consent for online advertising targeting via browser settings and communicate them persistently as they browse the Internet, thus ensuring that meaningful choices can be made and communicated to adtech providers. This solution would also constitute an effective way to allow individuals to object and opt-out of processing, thus ensuring that they retain choice and agency in an opt-out model of online advertising. Finally, such a system could also be relied upon by parents to set consent preferences via parental controls and thus protect their kids from online tracking.
According to Schedule 12(2) of the Data (Use and Access) Act:
(3) […] the means by which the subscriber or user may signify consent include—
10(a) amending or setting controls on the internet browser which the subscriber or user uses; (b) using another application or programme.
Therefore, powers to amend exemptions to Regulation 6 PECR could be used to give legal enforceability to technical signals.
Please provide your name: Mariano delli Santi
Please provide your email address: mariano@openrightsgroup.org
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。