The U.K. Information Commissioner's Office put the advertising technology industry on notice last summer. The message was simple: The entire industry has been operating illegally. Organizations were not properly gathering consent to serve targeted ads, and the agency cited a lack of transparency in how data is processed and sold in real-time bidding scenarios.
The ICO gave the adtech industry a grace period to shore up its practices.
It also met with stakeholders about these concerns, engaged with adtech organizations to learn about their practices and held a fact-finding forum that covered real-time bidding last November. The industry has responded to the ICO with proposals in turn. Google revealed its "walled garden" approach, which would eliminate third-party cookies and allow everything to be managed by the website provider. The Interactive Advertising Bureau announced a plan of its own to improve the contracts between websites and third-parties.
The latest proposal, however, is the "5th Cookie" working group, which aims to assist the adtech real-time bidding ecosystem via pseudonymization as newly defined in the EU General Data Protection Regulation.
The working group was launched by the Information Accountability Foundation, tech vendor Anonos and database marketing company Acxiom. The organizations have begun to accept submissions for those that wish to join the working group.
And take note: representatives from all three entities, as well as ICO Principal Technology Policy Advisor Paul Comerford, will speak during an IAPP web conference Feb. 13 on the 5th Cookie , pseudonymization and how GDPR compliant pseudonymization can stop reidentification via the "Mosaic Effect," which is when other pieces of information about an individual are used to identify a data subject.
"The 5th Cookie working group is about raising greater awareness and the benefits of it being different with pseudonymization versus anonymization," Anonos CEO, Co-Founder and General Counsel Gary LaFever said. "We are hoping to find people who actually see within the concept an area that not only makes sense for ethical and lawful processing of data, but it could actually further their business objectives."
LaFever said a website publisher will have its first-party cookies from the major tech companies, such as Amazon of Google. In addition to those cookies, they would also receive another first party cookie administered from the working group. This cookie would be managed by a "democratic cooperative" made up of one or more trusted third parties that will manage what LaFever calls a "microsegment." Any personal data processed through the working group's cookie would be pseudonymized and placed into small groups of data subjects who have similar interests and behaviors.
"The groups are small enough to meet the needs of the advertisers because they want to personalize and customize offerings, but not so small that they are immediately identified," said LaFever. "The data necessary to go from the microsegments to the individuals is under the control of the manager of the co-op, and this is exactly what the GDPR provides under the definition of pseudonymization."
Advertisers can bid on targeting those within the microsegments without knowing their identities. The managers of the co-op would be the only ones who have the information and tools to re-identify any given data, however, anyone who seeks to do so would need to prove to the manager why it is necessary.
Who will be making up those "trusted third-parties" and managers, and how will they be chosen? LaFever expressed flexibility on this point. The working group will ultimately take the shape of those who wish to join.
"In order for the 5th Cookie working group to be sustainable long-term, it has to work for all parties who are interested, and that means regulators, legislators, commercial entities, as well as data subjects and society as a whole," said LaFever. "We don’t want to prescribe what it’s going to look like and how its going to morph, because we don’t know."
LaFever positions the working group as an alternate approach to both the Google and IAB proposals. While LaFever acknowledges both tactics have strengths, he also sees some weaknesses as well.
"One of the biggest common weaknesses is, where are the technical safeguards that help to reduce the risk to the actual data subjects involved in the ecosystem? The walled-garden approach still has exposure because ultimately every person is assigned a constant identifier and that identifier is shared and you can find out who the person is," said LaFever. "The IAB approach is relying on contracts, which is good that they’ve improved the contracts, but who is enforcing these hundreds of thousands of contracts?"
The working group does not position itself to solve the adtech problem on its own. Despite any perceived shortcomings, the group states on its website that "it will support and build upon alternative solutions, including those presented in the Google and IAB proposals."
And it might take a lot of work to start taking on the adtech issues raised by the ICO. LaFever said he appreciates that the ICO focused on an industry that needs a lot of help. He believes the agency's interactions with the working group will help to broaden the discussions around adtech and real time bidding. LaFever hopes the 5th cookie can open the eyes of those who perhaps misunderstand the benefits of pseudonymization and have not truly embraced the GDPR.
"I think if we can wake people up to what pseudonymization is and what it enables under the GDPR and we achieve nothing else, it would be a success. The GDPR can actually be your friend if you take the time to understand it and realize there’s new ways achieve business objectives," said LaFever.
"And what the ICO's focus on adtech makes clear is the way business has been done no longer works. They aren’t saying don’t continue the business, they are saying look for new ways to get it done that are privacy respectful and if the 5th Cookie helps to further that dialogue, it’s a tremendous success."
The GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” To pseudonymize a data set, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.” Bird & Bird Associate Gabe Maldoff explains pseudonymization as one of the top 10 operational of the GDPR in this piece for The Privacy Advisor.
If you want to comment on this post, you need to login.