Meta's €400m fine shows that consent is still a challenge for digital advertising
By Heather Lloyd, head of product marketing, Nano Interactive
Consent has been at the core of online regulation since GDPR came into force five years ago. And it continues to rear its head – From Apple’s App Tracking Transparency (ATT) making in-app tracking opt-in, to the small matter of a €400m fine for Meta/Facebook. But while the public is more aware than ever of its right to freely given, informed consent for people-based targeting, is the ad industry on the same page?
By 2024, 75% of the global population will have its personal data covered by privacy regulations, according to Gartner. But according to an AdExchanger piece, almost nine out of 10 consent management platforms in the EU are still to be deployed correctly, collecting personal data before opt-out has been provided. Research firm Adalytics is famous for its exposes both on YouTube’s ad placements and its alleged targeting of minors – which have caused shockwaves across the industry. But it has previously looked at consent mechanisms too, finding that for one in particular, users opting out regularly had no effect.
An EU report earlier this year confirmed what cynics among you may already suspect: five years on from GDPR, it is still "Difficult – if not impossible – for individuals to exercise complete control over how their data is shared."
But, on the other hand, it argues, how can consent be “freely given, specific, informed and unambiguous” given the “opacity and complexity of the system”? There is definitely progress, as the latest PwC report suggests – but still much further to go. Ultimately, the acid test is that if we in the industry still struggle to understand consent, what chance does the public have?
What comes after Chrome’s cookie phase out?
With Chrome phasing out cookies from Q1 2024 (effectively the last major browser to do so), what’s next? With cookies being deprecated primarily because they fall short from a privacy standpoint, how do the post-cookie alternatives stack up? Going all the way back to 2021, Digiday ran a piece entitled ‘Third-party cookie replacements fall short of consent and transparency promises’, as these solutions were just emerging. And it’s hard to see how we’ve really moved on since.
Nano’s own Tipping Point research found 70% of UK consumers are taking action to mask their personal data on a weekly basis or even more often. Steps taken included opting out of cookies, clearing caches, browsing incognito and using a VPN. If most people are effectively voting with their feet already, how many will do the same when they realize the replacement is potentially even more intrusive - using an email address or mobile number?
Transparency
Going back to consent mechanisms, it’s interesting to note that the above-mentioned EU report on this topic gives Apple’s App Tracking Transparency a big thumbs up. Despite causing outcry within ad tech, here it is singled out for praise as user friendly, understandable and most importantly – for actually working correctly. This is alongside a series of big red crosses next to the cross-industry Your Online Choices, which, despite existing for much longer, still apparently doesn’t even offer cross-browser support.
One of the report’s recommendations is for a single user interface ‘for data collection and targeting across the ecosystem.’ But the closest thing we have to that - IAB Europe’s Transparency & Consent Framework (TCF) was previously deemed inadequate by the Belgian data protection officer and its future still hangs in the balance.
Big tech, targeting and consent
Meanwhile, we’ve seen strong arguments that big tech should not own targeting itself. The live case in point is Google’s Topics API solution – a kind of half contextual, half people-based alternative to the cookie. The W3C rejected Google’s proposal, for one on the grounds that the interest data gathered could be combined with other signals, and perhaps even used for fingerprinting.
But fundamentally also, because Topics, like cookies before it and other post-cookie IDs, is still based on the idea of internet-wide profiling. Essentially, however you dress it up, still a form of people-based targeting.
Even if Google, Apple et al currently lack the ability to add a ‘block all fingerprinting’ button, it’s hard to imagine given their public statements against this practice, that they’re not at least trying to develop one. At least one mobile commentator believes Apple already has.
On the other side, we have the solutions offered by the industry here – like Your Online Choices. On some browsers, indicating an opt-out preference may have no effect at all. Even after indicating an opt-out preference for all listed companies, the YOC tool will sometimes still show companies as continuing to collect data.
At least in this example, the current effectiveness of industry-led, versus browser and OS-led consent solutions is not entirely convincing. And continued failure here may only deliver more power to those who already control most of the market.
All of which takes us back to the urgency of creating a more robust consent solution across the industry at all costs. So long as advertising is viewed – by the public, by governments and indeed, by privacy campaigners – as opaque, over-complex, even non-compliant – in the long-term, as most recently seen with Meta, we all lose.