Three organisations have joined forces to set up a working group in an effort to tackle one of the biggest conundrums of the adtech world; how to ensure GDPR compliance when using real-time bidding systems.
The issue has been vexing data regulators from the UK and Ireland since complaints were lodged with both the UK Information Commissioner’s Office and the Irish Data Protection Commissioner just weeks after GDPR came into force.
The official complaints – on behalf of tech start-up Brave, the Open Rights Group and University College London – called for an EU-wide investigation into the practice.
However, it was not until June 2019 that the ICO issued its first report into the issue, in which it claimed the ad industry’s “immature” understanding of data protection is triggering the mass unlawful use of consumer data, leaving millions of consumers at risk of potential harm.
The regulator has been criticised in recent weeks for its lack of action but, since its initial report, two principal alternatives have evolved to solve the problem: a "walled garden" approach proposed by Google and an Internet Advertising Bureau UK led proposal, involving improvements and tightening-up contractual terms and conditions.
However, now technology firm Anonos, data giant Acxiom and think tank the Information Accountability Foundation (IAF) have set up the “5th Cookie” working group, that will study how GDPR recommended technical and organisational safeguards will be able to enforce greater accountability and ethics across the adtech industry.
The trio believes its third alternative, supporting a democratised co-operative model, should be evaluated. If a decision is made to go in one of the other directions outlined above, members of the 5th Cookie working group believe it should be a conscious decision, after evaluating the merits of all alternatives, including consideration and evaluation of their model.
Anonos general counsel and CEO Gary LaFever said: "GDPR highlights pseudonymisation as a recommended technical safeguard. Pseudonymisation - legally defined for the first time at the EU level in the GDPR, with a heightened standard relative to past practices - is a new state-of-the-art.
“In more than a dozen places, GDPR links pseudonymisation to express statutory benefits. Under GDPR, pseudonymisation is an established legal standard that allows all sides to ’win’ by balancing data protection and innovation.
“The 5th Cookie model embraces GDPR compliant pseudonymisation and data protection by design and by default to support GDPR compliant legitimate interest processing as a complement to consent."
The organisations claim the 5th Cookie model is proof that legitimate interest-based adtech processing is possible. As a result, everyone interested in ethical data stewardship, from the smallest players to the largest brands, can participate in digital marketing.
Data subjects could be reached by advertisers as members of small, dynamically changing groups called micro-segments. Each micro-segment would represent the individuals included within the group, and based on individual characteristics, data subjects could be included in multiple micro-segments.
The composition of micro-segments would change dynamically to reflect the individuals, corresponding to the specified characteristics associated with the micro-segment.
IAF executive director and chief strategist Martin Abrams said: “In today’s data-driven world, new technical measures are necessary to balance data innovation and the assurance of the full range individual rights because consent by itself is no longer enough."