GDPR And The Confounding Question Of ‘Legitimate Interest’

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Eric Berry, CEO at TripleLift.

The General Data Protection Regulation (GDPR) is going into force in late May and could either devastate the programmatic ecosystem in Europe, along with the publisher business, or it could be a non-event or perhaps somewhere in between.

A regulation that threatens to upend several multibillion-euro businesses should be clear and prescriptive in its guidance – but the GDPR is decidedly not.

Article 6 of the GDPR states that a data controller may only process data lawfully if, among other things, it has legitimate interest or consent. Processing effectively means doing anything with the user’s data, down to even having a pseudonymous persistent cookie. Determining when there is legitimate interest is the 20 million-euro (or 4% of global turnover) question. There are special carve-outs for employers, state interests, etc. that I will ignore and instead focus on ad tech.

Legitimate interest may be the legal basis for processing user data if the interests of the user do not override the interest of the controller when considering the reasonable expectations of the user and their relationship with the controller, according to the GDPR. The determination of legitimate interest requires “careful assessment” of these reasonable expectations and the context of data collection.

Running afoul of the GDPR can put a company out of business. Yet divining the intent of the legislators who drafted the GDPR when determining legitimate interest is an art.

How should a company interpret what the reasonable expectations of a user are? Who is this user, and what level of understanding does he or she have about cookies, tracking, advertising and commerce on the internet? Is this the sort of user who would be shocked to understand how ad tech has operated for the past 15 years, or should they be assumed to have come to terms with this as part of the reasonable expectations? And how does any of this balance with the controller’s interest?

Preventing fraud, ensuring network security, reporting criminal acts and performing administrative tasks such as transmitting employee data are all explicitly defined as legitimate interests. There is also a callout that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Direct marketing is likely limited only to mail or email, and cookie- or ID-based digital marketing would not be included.

The most relevant guidance on legitimate interest was issued from outside the GDPR. In 2014, the Article 29 Data Protection Working Party issued an opinion noting that a data controller may indeed have a legitimate interest in understanding customer preferences in order to better target products and services to meet their needs. Yet the opinion also states that profiling a user based on their overall activity is such a significant intrusion of their privacy that the potentially legitimate interest would be overridden.

More broadly, the opinion clarifies that the more sensitive the data, the more it balances in favor of the user, with the test being made generally against an average individual. But technical safeguards that enhance privacy or anonymity may tip the balance in favor of the controller.

While this adds color to the GDPR, it is not clear what is actually permitted.

Can you store cross-domain cookie IDs? Can you track a user’s clicks or ad impressions for different advertisers? Can you create a likelihood for receptiveness to a given brand based on past performance? Can you keep track of how long a cookie has been in place for a user? Probably, but a question with such an existential impact on so many companies should be answered definitively – as opposed to everyone hoping that someone else will be the example made.

Further confounding this issue is the question of enforcement.

The data protection agency (DPA) in the various EU member countries collaborated on the Article 29 Working Party guidance. The DPA in each country is the entity charged with enforcing the legislation when it goes into force.

That said, these are not homogenous entities – each DPA is run within national boundaries by the officials that constitute that agency in the country. The norms of officials change by country, meaning not only is the legislation itself unclear but enforcement is not guaranteed to be consistent. One may assume, for example, that the balance of reasonable user expectations versus the legitimate interests of the data controller in Germany – a nation known for its strict privacy views – would differ from those of the UK.

It is probably not the European regulators’ goal for the web to be either unusable through a slew of consent popups or non-monetizable by destroying overnight the programmatic and data ecosystems responsible for most monetization.

Yet the GDPR was drafted for a reason. Certainly, companies that rely purely on the bid stream or similar mechanisms to create profiles will need to refine their models. And perhaps the GDPR was designed explicitly to prevent Google and Facebook from continuing this behavior and thus limit their dominance.

It is dubious that the GDPR will be effective in this regard given that Google will continue to be where users search and Facebook will continue to be where they spend time. Both, however, will see their ability to track users via profiling diminished – Google via analytics, AdSense and other profiling, and Facebook via tracking users through Like buttons across the web.

Beyond that, however, can other types of companies effectively continue business as usual through the legitimate interest “loophole” – perhaps by adding some nominal technical anonymization and complying with provisions for opt-out or DPO? It is the question that Europe’s publishing ecosystem depends on, but it has no clear answer and may not be enforced consistently.

Follow Eric Berry (@ezberry), TripleLift (@triplelifthq) and AdExchanger (@adexchanger) on Twitter.

This post was syndicated from Ad Exchanger.