On May 22, 2019, WSGR and the Future of Privacy Forum (FPF) co-hosted an event focusing on advertising technology and how to overcome the challenges of complying with evolving global privacy requirements.

Jules Polonetsky from FPF opened the program, focusing on the evolution of online advertising, from contextual to programmatic behavioral advertising. WSGR attorneys Lydia Parnes, Cédric Burton, Libby Weingarten, and Lore Leitner discussed the legal regime that applies to this technology: new legal requirements, recent case law, and data protection authorities’ decisions affecting the ad tech ecosystem, as well as the differences between EU and U.S. legislation applying to ad tech.

Here are some key takeaways of the event:

  • Differences between the EU and U.S. Rules on online advertising. In the EU, the ePrivacy Directive regulates the use of cookies, while the GDPR regulates all processing of personal data, including personal data collected via cookies. The U.S. does not have a comprehensive privacy regulation or specific laws regulating cookies or similar technologies, but the Federal Trade Commission (FTC) has general authority to prohibit unfair or deceptive practices, including in the online behavioral advertising sphere. Relying on that authority, the FTC has engaged in enforcement and has also encouraged the industry to develop a self-regulatory program.
  • The impact of CCPA and potential federal legislation. The California Consumer Privacy Act (CCPA), which goes into effect January 2020, is likely to have an impact on ad tech. The CCPA applies to for-profit entities doing business in California that collect personal data from California consumers and either: have gross annual revenues above $25 million, collect personal data of at least 50,000 consumers, or derive at least 50 percent of annual revenue from selling personal data. Under the CCPA, individuals have the right to opt out from the sale of their personal data, which, in practice, is likely to include data sharing between actors in the ad tech environment. (For a much more in-depth analysis of the CCPA, please register for WSGR’s privacy and cybersecurity practice webinar series, available here.)

In parallel, there is support in the U.S. from both industry players and consumer advocates for a comprehensive federal privacy law that could preempt state privacy laws. There are a number of draft bills in the process and the impact of such legislation remains to be seen.

  • Increased enforcement and general awareness level in the EU. The GDPR rules applicable to ad tech are not significantly different from the rules applicable under the Data Protection Directive. The upcoming ePrivacy Regulation is likely to have a more significant impact on the ad tech ecosystem, even though its rules are still unclear as the law is negotiated at the EU level; it is unlikely to be enacted before 2021. In fact, the big shifts in the EU have stemmed from an increase in general awareness of privacy related issues, the rise of complaints, and related enforcement actions dealing with ad tech.
  • Recent developments related to cookie walls and cookie consents in the EU. A number of recent data protection authority (DPA) decisions dealing with cookies walls have been issued in the EU. The Austrian DPA has issued a decision allowing paywalls where individuals can either choose to pay a reasonable amount for ad-free service, or use the service for free but accept the use of advertising cookies. The Dutch DPA issued a recent decision which bans cookie walls, but allows paywalls. The U.K. Information Commissioner’s Office (ICO) has noted that the Washington Post cookie wall violates EU law as it does not give individuals a genuine choice and control over how their data is used. Additionally, the Court of Justice of the EU is soon to issue a decision in the Planet49 case that may have an impact on cookies. The Advocate General stated in a non-binding opinion that a pre-ticked checkbox that users must untick to refuse consent does not constitute valid consent, and consent for cookies should be separate from consents for other processing activities.
  • Responsibilities of different parties in ad tech. In the pending Fashion ID case, the Advocate General opined that the operator of a website embedding a third-party plugin such as the Facebook “Like” button, which causes the collection and transmission of the users’ personal data, is jointly responsible for that stage of the data processing. If the Court of Justice were to follow that decision, this would mean that website operators would be directly liable for obtaining users’ consent, and they would need to provide appropriate notice before the data is collected and disclosed to ad tech companies.

In summary, the discussion provided insight on how the evolvement of privacy laws will impact ad tech in both the EU and the U.S. WSGR will continue to monitor further legislative developments on both sides of the Atlantic.