eDiscovery Daily Blog

The Cat and Mouse Game Between Data Privacy Regulators and Online Advertisers: Data Privacy Trends

You didn’t think companies that make a lot of their revenue in online advertising were going to just roll over when Europe’s General Data Protection Regulation (GDPR) was enacted to protect personal information, did you?  Apparently not, as this article discusses.

According to Legaltech® News (Is the GDPR Creating a Cat-and-Mouse Game Between Advertisers and Regulators?, written by Frank Ready), the browser company Brave alleged last week that Google was using a mechanism called “push pages” to work around restrictions on the sharing of personally identifiable information (PII) laid out by the EU’s General Data Protection Regulation (GDPR). It did so, Brave said, by assigning a distinct, almost 2,000 character-long code to user information shared with advertisers.

Google issued a response to the site Tom’s Hardware saying that it does not “serve personalized ads or send bid requests to bidders without user consent.”  But Google’s ad practices are already facing an inquiry by the Irish Data Protection Commission (DPC), specifically with regard to how well they comply with “GDPR principles of transparency and data minimization.” However, regulators attempting to enforce the anonymization of user data could find it difficult to keep pace with companies looking for new ways to both comply with privacy requirements and protect the online advertising revenue that is central to their business.

Jarno Vanto, a partner in the privacy and cybersecurity group at Crowell & Moring, thinks part of the problem is that most of the information that’s collected about users online nowadays could potentially qualify as PII.

“Ad tech companies are now trying to come up with ways on the one hand to comply, but then they are still stuck in the old world where they were able to collect all of this data because they could rely on this distinction between non-PII and PII, and that’s no longer really a valued distinction,” Vanto said.

Debbie Reynolds, founder of the data privacy and cyber response firm Debbie Reynolds Consulting, believes other companies will be looking towards the outcome of the Irish DPC’s inquiry with interest as they try to align their own data practices with compliance and profitability.  Still, she’s not expecting much in the way of new parameters surrounding what constitutes a unique identifier.

“I don’t think the regulators are going to try and go out of their way to create new words or new definitions,” Reynolds said.

Vanto said he thinks it could be a tough road due to the amount of resources that would have to be leveraged in order to keep track of the practices employed by each technology company.  But Vanto also noted that there are tech-savvy privacy activists who have an interest in monitoring such activity, as well as rival companies that may also be inclined to keep their competitors moving towards the same kind of consent-based data sharing models that they are being driven to adopt into their advertising practices.

Just like Tom is always finding it difficult to stop Jerry, it appears that regulatory agencies – even with GDPR – are finding it difficult to stop the companies wanting to do everything they can to keep the advertising dollars flowing.  It will be interesting to see how this struggle plays out over time.

So, what do you think?  Will the regulatory agencies be able to find a way to protect personal information from advertisers?  Please share any comments you might have or if you’d like to know more about a particular topic.
