Data privacy: why consent does not equal compliance

Brands and publishers are unwittingly leaving themselves exposed to being fined billions of dollars for data privacy violations, warns Jamie Barnard

The South Indian monkey trap is an ingenious device for capturing troublesome monkeys. The trap consists of a hollowed-out coconut attached to a stake and filled with rice that can be accessed via a small hole. Although the monkey’s open hand fits easily through the hole, its clenched, rice-filled fist remains stuck fast. The monkey will stay this way, refusing to drop its much-prized rice, until it is sadly caught.

The marketing industry is in a similar predicament. In thrall to the reach, scale, and personalisation provided by third-party tracking cookies and surveillance-based adtech, and without a silver bullet to replace them, marketers are unwilling to let go. But privacy concerns are making these tools too dangerous, and brands that refuse to drop them risk being caught by the regulators.

Data privacy risk

In today’s model, advertisers must work with a wide range of intermediaries and vendors to track, profile and target consumers with relevant and often personalised content. This creates a complex marketplace where hundreds of companies share personal data about millions of people in thousandths of a second. Unfortunately, much of the machinery which makes this possible, and the corresponding collection and use of data, is in conflict with people’s expectations of privacy and in breach of data protection regulation. The digital advertising industry must adapt or accept the consequences of these compliance failures.

As regulatory scrutiny intensifies, keeping hold of the rice feels increasingly risky. And it is intensifying: since 2018, more than €1.7bn in GDPR fines have been handed out, with enforcement activity increasing by 40 per cent in 2020/21.

Having already levied huge fines against big tech and ad tech companies, regulators are turning their sights on advertisers. Grindr, H&M, Marriott, Sephora and Saga have all received severe fines, and new investigations are underway against many others, including SkyBet.

We know that more will follow because the compliance failures that lead to these fines are not unique to those who have been punished – they are commonplace across the demand and supply sides of the industry.

Consent is not compliance

A serious blind spot for brands is caused by consent models. Many organisations assume that obtaining consent from users to collect and process their data ensures compliance. In reality, consent does not equal compliance. Many brands operate under an illusion of compliance, when, in fact, they are routinely leaking personal data across their media supply chain and tolerating the unlawful collection and sharing of data by unauthorised third parties.

Research from Compliant reveals that there are a number of ways in which brands are inadvertently putting themselves at risk. For example, our analysis shows that of the 91 per cent of the EU advertisers using a Consent Management Platform (CMP), 88 per cent are passing user data to third-parties before receiving consent to do so. While a properly implemented CMP is a useful tool for securing consent, integrating them with legacy technologies and enterprise architectures is clearly a problem.

Another risk stems from “piggybacking”, where unauthorised cookies and tags collect data from brand websites without the advertiser’s permission. Piggybacking results in unconsented data being shared far and wide across the adtech ecosystem.

According to our analysis, the tech/telecoms, entertainment and automotive sectors are most vulnerable to piggybacking in Europe. At the extreme, one UK publisher’s site activated an astonishing 427 unauthorised tags/cookies. With every additional tag on a site, the risk of unconsented personal data being unlawfully shared with third parties increases, as does the corresponding liability of the website owner. The European Data Protection Board has indicated that advertisers could be jointly liable for the wrongful collection and use of data by connected third parties.

A third risk stems from data resellers that collect, organise and sell data to advertisers and publishers. With so many companies are passing data before consent is secured, it’s highly likely that data resellers attached to publisher and/or advertiser sites will do so too. Our study indicates that the same sectors consistently allow reseller tags inside of their data flows (automotive, entertainment, and tech/telecoms), with more reseller tags than other sectors.

Protecting consumers

In the context of digital media and ecommerce, it can be easy to forget why privacy is such a big deal. While avoiding fines and brand damage are high priorities, privacy is ultimately about protecting people.

The more we digitise our lives, the more data we share about ourselves; the more data we share, the more it can be weaponised against us, and the more vulnerable we become to abuse. The more exposed we are, the more we depend on privacy law and data ethics to protect us from real harm – extortion, persecution, discrimination, identity theft, and so on.

So, as we consider privacy risks in digital media, we must always consider the unintended consequences of data collection.

Three ways to enhance compliance

While privacy compliance in digital media is a persistent challenge for advertisers and publishers, there are positive actions that companies can take immediately:

  • Embed always-on compliance monitoring. Take advantage of automated tools that continuously monitor, measure and benchmark risk across your media supply chain.  This allows you to respond rapidly to risk and informs your ongoing strategic priorities.
  • Understand your media supply chain. Real-time risk reporting requires full transparency of your media supply chain – who has access to data, what they use it for, who they share it with and what they do with it. Use this information to take decisive action to increase discipline and reduce compliance risk.
  • Experiment with a portfolio of privacy-safe solutions. It’s time to let go of the rice in the coconut and make do with available alternatives such as first-party data IDs, publisher provided IDs, contextual advertising, data cleanrooms, etc.

Companies that search for solutions that serve the interests and expectations of their consumers are less likely to bet on the wrong horse in the long run. And building discipline, transparency and resilience into their media ecosystem will accelerate decision-making, reduce the time taken to innovate and, paradoxically, encourage risk-taking. Companies that invest in always-on, automated privacy compliance will soon become the ones to beat.

The first marketers to let go, will be the first to discover and adapt to new models. Laggards will still have their fist in the coconut when the hunter returns. The race is on.

Jamie Barnard is CEO of digital marketing technology company Compliant


What will a UK version of GDPR look like? New UK version of GDPR must have at its core a commitment to lower costs and compliance issues for small businesses, say business experts

Why bother with ransomware? The rise of ‘low effort’ extortion attacksAndy Zollo, EMEA regional vice-president at Imperva, discusses the rising threat of ransomware-free extortion attacks on businesses

Information Age guide to data + privacyData and privacy regulation is becoming increasingly complicated, with the EU set to fine companies up to €20m for misusing people’s information. Here are strategies and tools to ensure you stay compliant