Websites and online advertisers test limits of European privacy law

Businesses engaged in online advertising are taking divergent approaches to a new European data protection law, with some shutting services to ensure compliance while others test the limits of what regulators will allow, a Reuters review shows.

Some major websites continue to deliver targeted advertisements to users in Europe who have not given consent for their personal information to be used, according to advertising industry sources, owners of major websites and a Reuters review of about 10 websites.

Such consent is a central element of the new General Data Protection Regulation (GDPR), but some websites and advertising software vendors contend that consent can be bypassed legally —and with the law only a month old, regulators have yet to weigh in.

Gabriel Voisin, an London-based attorney following GDPR at international law firm Bird & Bird, said that limited enforcement of consent requirements is enabling companies to push the line.

“Saying 100 percent of ad inventory is properly obtained at the moment is a massive overstatement,” he said, referring to advertising space for sale.

Somewhere between 10 percent and 30 percent of European consumers are refusing to consent to personalised ads when given the choice, four advertising industry executives told Reuters, citing their companies’ internal data.

HIGH STAKES

The stakes are high in Europe’s $22 billion (16.70 billion pounds) online display advertising market because websites and apps can charge advertisers as much as 10 times more when ads can be targeted using factors such as an individual’s browsing history or precise location.

Companies risk fines of as much as 4 percent of their revenue for GDPR violations.

German media company Axel Springer  has not sought user consent for targeted ads on properties such as news website Bild, citing an exception in the law for when a company has a “legitimate” business interest.

Regulators have said fraud prevention or marketing can fit the definition, provided that any privacy affect on consumers is limited, reasonably expected and likely to be accepted.

“Axel Springer takes the view that the use of certain tracking technologies in Germany continues to be allowed without prior consent – as long as users can opt out and provided there is a legitimate interest,” an Axel Springer spokesman said.

Newspapers owned by Britain’s Reach, including the Ealing Gazette and Grimsby Telegraph, loaded personalised ads before seeking users’ consent, according to a Reuters review on June 28.

Reach did not respond to a request to comment.

‘NO NOTICE’

North America’s National Hockey League website, NHL.com, maintained targeted ads in Europe without prominent disclosure about data use, according to a Reuters review on June 28. The league did not respond to a request to comment.

A spokesman for the British Information Commissioner’s Office told Reuters “that consent must be unambiguous, freely given, fully informed and involve a clear affirmative action in order to be valid under GDPR”.

Reuters’ findings are in line with broader assessments by consumer groups and other organisations.

More than a third of 75 major websites reviewed by media consultancy Oko Digital in early June “presented no notice” about personalised ads. Dutch consumer advocacy organisation Consumentenbond, meanwhile, found that about half of 150 websites it reviewed started tracking users before establishing consent.

Kean Graham, whose company MonetizeMore manages ad sales for several websites that each generate 20 million monthly page views or more, said that clients’ revenue fell 67 percent on the week after GDPR came into force because he removed the facility for personalised ads on websites of clients who were unprepared to seek consent.

“We’ve taken it quite seriously,” he said of the new law.
Meanwhile, Alphabet Inc’s Google, the software of which is widely used by websites and apps to deliver advertisements, has advised clients that the practice may be legally problematic.