Notes from IAPP LinkedIn Live on “Pay or Consent”

1.?????? Why does the pay or consent model matter to the ad ecosystem?

The ad ecosystem is broad and includes several actors: advertisers, publishers and actors of the ad tech supply chain. There are also several online advertising models:

• Search (closed environment)
• Social media (closed environment)
• The Open Web (Criteo deploys its technology in the open web)

What are the interests of the different stakeholders?

• Advertisers want to run efficient ad campaigns with reliable performance metrics to calculate ROI and allocate properly their budget
• Publishers want to monetise their ad space at the best price to get revenues to fund content creation
• Internet users want to benefit from (1) free access to content and services and (2) online ads that are relevant to their preferences

On top of this, there is an overarching societal imperative to enable free and indiscriminate access to information and plurality of media that is a cornerstone of our democracies.

As a consequence, the Pay or Consent debate needs to include the interests of all relevant stakeholders in addition to the interests of the data subject. It is important to reach a balanced solution to avoid unintended effects that would not in the end be in the interest of users.

2.?????? The Consent model – what does this mean for the ad industry?

The current discussion is very much framed around cases that are very specific to Meta which processes a wide range of data, including directly identifiable data, and has a very large presence. We should not however assume that the DPAs and CJEU decisions in these cases apply mutatis mutandis to the entire online advertising ecosystem.

There is also an elephant in the room : the e-privacy directive that requires to obtain consent from users when information is placed or access on their device, such as with cookies. Criteo processes pseudonymised and non-re-identifiable data on the basis of consent.

The intent of the GDPR was never however to apply the consent requirements of the e-privacy Directive to all data processing activities. Taking a step back and going to the text of the GDPR itself, it appears that consent is clearly required in two cases :

1.?????? When special categories of data are processed (article 9). Note that as per article 26 of the DSA, online platforms are now prohibited from profiling users on the basis of special categories of data;

2.?????? When data processing leads to automated decision making producing legal effects or equivalent effects on individuals (article 22). It is obvious that online advertising does not fall in this category. Showing a red skirt or a mushroom pizza to an Internet user does not legally affect individuals.

There is therefore still room under the GDPR for legal bases other than consent to apply to processing activities in particular in instances where the link to user privacy is very remote and the processing is required for legitimate activities such as ad attribution, ad performance measurement or fraud management. ?

Lastly, relying on consent in all instances would be contrary to recital 4 of the GDPR that provides that the protection of personal data is not an absolute right and needs to be balanced against other fundamental rights.

3.?????? The Pay model – what is a reasonable price?

The notion of reasonable price requires an economic assessment that has been the competition authorities’ role in Europe for more than 50 years. It is one thing to say that? a company is a big player, it is another to say that a company holds a dominant position or has market power. This requires first a definition of the relevant market to identify the boundaries of the competition between the different market players from a geographic and a product perspective. Several precise criteria have to be taken into account.

As a matter of fact, the EU Commission has just published a communication to adapt the criteria used to define the relevant market to the digital world. Future assessments by competition regulators will need to take into account: multisided platforms, free markets, network effects and data protection considerations just to name a few.

So the Pay or Consent discussion is clearly a topic requiring DPAs and competition authorities to work hand in hand. They are already collaborating on a number of other topics:

• The implementation of the DMA that requires the consent of users for the combination of their data across several services provided by a gatekeeper
• Several on-going competition cases in the online advertising sector are handled by competition authorities working closely with DPAs
• In France, the CNIL and the Autorité de la Concurrence have also recently published a joint report defining how they can work together

Finally, in the CJEU case triggered by the Meta Bundeskartellamt decision, the court clearly stated that DPAs and competition authorities have a duty of loyal cooperation.

As a consequence, if the EDPB is working on guidelines on Pay or Consent, it should do so with the European Competition Network (ECN).

4.?????? Is contextual advertising a viable alternative?

Contextual advertising – advertising based on the content of the page as opposed to the browsing activity - is not a panacea for several reasons:

• There are not enough contexts where advertisers would want their products to be promoted (for example, advertising placed close to an article about a recent plane crash or terrorist attack would not be very successful)
• Contextual ads are five time less efficient than targeted ads in terms of conversion. That would mean that switching to a contextual model would trigger five time more advertisements for users
• Several studies indicate that users generally prefer to receive ads that are relevant to them than not relevant
• Publishers need to remain in the driving seat when it comes to defining how they want to make revenues (paying model or advertising, whether it is contextual or targeted, or a mix of these)
• Contextual ads still require users to provide consent as the e-privacy directive applies to the processing of personal as well as non-personal data. The recent EDPB draft guidelines on article 5(3) of the e-privacy directive would dramatically extend the amount of scenarios where consent is required

5.?????? What are the practical measures organisations can take?

The concrete measures depend on the type of organisation, i.e., platform, publishers, ad tech provider, or advertiser, but in any case all organisations must stay strong on GDPR compliance. Regardless of whether users pay or consent, all GDPR provisions fully apply to the ad actors. Therefore, claiming that the consent or pay model amounts to paying for one’s privacy rights is fundamentally flawed.

Organisations also need to implement as need be the new requirements of article 26 of the DSA. As a reminder, platforms are now required to provide relevant information to users on who is paying for the ad and what are the main parameters used to display the ad. The user can also choose to change these parameters. The ad ecosystem is working hard to devise technical standards to ensure that these obligations are implemented across the value chain and that users get more transparency and choice.

Lastly, organisations and trade bodies should continue to engage with DPAs to work on codes of conducts and certifications. It is disappointing that 8 years after GDPR was adopted, these tools -originally designed to specify how GDPR applies in specific sectors or situations - have been completely underused. They may provide the avenue to devise constructive solutions for the ad ecosystem, for instance by defining pseudonymisation standards.

6.?????? What is the next frontier?

We need to “stay calm and carry on” by putting things into perspective:

• The consent or ok model is not new: paywalls have existed for a while and have work well
• Advertising enables access to free content on many supports in addition to online (TV, Press, …)
• Advertising has existed for centuries and will continue to carry messages (in ancient Rome for instance, mural paintings served to advertise upcoming gladiator fights)
• We should work on promoting responsible advertising practices and frameworks that enable to reuse data in a safe manner and to unlock its power for the benefits of individuals and society.