At the start of 2018, the date of May 25th held a sort of apocalyptic significance for the digital advertising industry. That date, when Europe’s General Data Protection Regulation (GDPR) came into force, was supposed to fundamentally change the way digital advertising works, through much stricter rules on use of personal data.
And indeed there was an immediate impact. Some publishers cut off access to their content for Europeans, to avoid risking falling foul of the rules. Others updated their cookie consent mechanisms (though with wildly different interpretations of what GDPR-compliant consent looks like). And over the years since, there has been a steady trickle of data businesses which have shut up shop in Europe, unable to square their businesses with the new data laws.
But some parts of the digital advertising industry seemed to carry on much as before. A lot of publishers kept automatically opting readers in to ads personalisation. Third-party data continued to flow freely through many programmatic pipes.
For the companies who haven’t changed their ways, it’s been left to Europe’s various data regulators to take action. But despite the importance of GDPR, it’s hard to call to mind any landmark rulings relating specifically to digital advertising. This raises the question – what have we actually seen in the way of enforcement from Europe’s data regulators?
Fines few and far between
The closest thing we’ve had so far to a landmark GDPR fine is the €746 million penalty handed to Amazon earlier this year by the Luxembourg National Commission for Data Protection. At the time it came to light, it was worth more than double all the other GDPR fines previously handed out combined, according to Wired.
But while the fine could turn out to relate to advertising, we don’t yet know for sure. The fine was revealed in Amazon’s quarterly earnings, and later confirmed by Luxembourg’s data authority, but the regulator has not yet revealed which rules Amazon violated.
Similarly, the second-largest GDPR fine, the €225 million penalty handed to WhatsApp by Ireland’s Data Protection Commission earlier this month, may have an advertising angle. The Irish data authority said WhatsApp does not clearly explain to its users how it uses data – and WhatsApp does use data for marketing purposes. But again, the link is somewhat tenuous.
The biggest GDPR fine clearly linked to digital advertising, therefore, is the €50 million penalty levied against Google by France’s CNIL in 2019. The CNIL ruled that Google didn’t give users enough information about how it used their data, and did not properly get consent for ads personalisation.
Specifically, the CNIL said that information about how data is used was not sufficiently accessible, split across multiple pages and requiring up to five or six button clicks to access. And Google’s consent mechanism for ads personalisation was hidden in a ‘More Options’ section when users created an account. The ads personalisation option also came pre-ticked, a practice forbidden by GDPR.
The CNIL’s judgement was significant in how it specifically punished practices still common in digital advertising, despite being forbidden by GDPR. But the size of the fine drew criticism. Max Schrems, chairman of NOYB, one of the privacy groups which brought the case to the CNIL, said “the amount is tiny for Google”. He added however that the fine was nonetheless “an important symbol”.
Last year the CNIL also hit Amazon with a €35 million fine for placing cookies without properly collecting consent, but this related to French law which predates GDPR.
Beyond the Google case, enforcement has been thin on the ground. There have been a few penalties handed out for bad practices around cookie consent. Spanish data protection authority the AEPD has been most active. It has issued fines to companies including Vueling Airlines and Ikea for not following GDPR’s guidelines for cookie consent, though these have been fairly small. Vueling received a €30,000 fine, while Ikea’s was €10,000.
Besides these cases, most GDPR fines with references to advertising and marketing are related to telemarketing and email marketing. Usually these are cases where a company has illegally contacted its customers for marketing purposes, without asking for their consent.
Why the hold-up?
So why have we not seen more enforcement?
Firstly, some regulators have chosen to start by educating companies on their obligations under GDPR, rather than immediately meting out punishments. The UK’s ICO is a prime example.
The ICO has highlighted major concerns with how digital advertising, and real-time bidding in particular, currently operate. But the regulator started with a period of industry engagement, consulting with digital ads businesses to better understand how real-time bidding works, in order to inform future judgements. This period also involved explaining the ICO’s concerns to ad tech businesses, giving them a chance to change their practices before being handed fines.
The biggest reason for slow enforcement, however, has been the ‘one-stop shop’ mechanism which is included in GDPR. This mechanism says that companies will be regulated by the data protection authority of whichever EU state their headquarters are based in.
For tax purposes, many international tech companies base their headquarters in either Ireland or Luxembourg. As a result, the data regulators in these two countries have been tasked with enforcing GDPR against the tech giants, despite not being particularly well equipped to do so.
This issue has been noted by the European Parliament, which earlier this year passed a motion which called out a lack of enforcement in Ireland and Luxembourg. The motion said that Parliament “is particularly concerned that the Irish data protection authority generally closes most cases with a settlement instead of a sanction and that cases referred to Ireland in 2018 have not even reached the stage of a draft decision”.
The fines against Amazon and WhatsApp have both come since that motion was passed, suggesting a level of progress. But this hasn’t been enough to relieve privacy campaigners’ concerns.
Just last week the Irish Council for Civil Liberties released a report on “Europe’s enforcement paralysis”, which argued that Ireland’s Data Protection Commission has proven unable to properly regulate big tech. The report found that 90 percent of major GDPR cases referred to Ireland remain unresolved.