
Everything You Need to Know About the Proposed Consent Act and GDPR

May 2, 2018

In the wake of the Cambridge Analytica scandal and the public outcry that followed, it was only a matter of time before politicians in the US started looking for a better way to stop this exploitation of data from happening again. A new set of proposed regulations known as the CONSENT Act is already being floated before Congress.

The Customer Online Notification for Stopping Edge-provider Network Transgressions Act (or CONSENT) is a proposed attempt by some US senators to regulate the way data is collected, used and shared. It applies to all ‘edge providers’, i.e. companies or individuals who provide a service over the internet, which of course includes those working in AdTech.

As the name suggests, it’s all about ensuring that companies have consent to use this data in other ways, too. This includes information about apps people use, where they are in the world, and what websites they visit, as well as anything that makes use of their social security numbers, health and financial information, call records, emails and private messages and even information relating to children.

How Would It Work?

Anyone who collects information from people on the internet – be they publishers, platforms or anything else – would need to get explicit consent from those people before they use their data for anything else.

This means that the ‘edge’ companies would now need to outline, in detail, all the ways they plan to use the information, and contact everyone on the list to make it very clear if, and how, anything changes. That includes sharing or selling information about people.

Importantly, too, these platforms would not be allowed to stop people from using them if they refuse to allow their data to be used for a particular purpose. They just wouldn’t be able to use their information.

What Does it Mean for AdTech?

This has huge implications for targeted ads, because advertisers, publishers and platforms would only be allowed to target ads to people who specifically and explicitly consented to having their information collected and used in this way.

This means that advertisers would have access to vastly reduced pools of people. In addition, because consent has to be given for each new activity, companies will need to ask people if they can use data collected from their own apps or sites for the purpose of targeting ads, or even for tracking the customer journey from ad to sale.

In other words, ad exchanges and header bidding providers would now be reliant on publishers to get user consent for them, so that they can target ads, place them on a publisher site, and track engagement. This is something that we’ve already seen with GDPR in the European Union.

How Does it Compare to GDPR?

GDPR is the EU’s own attempt to rein in what ‘edge’ companies can do with consumer data, and it comes into effect in May 2018. The core idea is that EU citizens will have greater control over their data, but it’s also geared towards making regulations around data privacy and consent simpler and easier to understand, both for businesses and internet users.

To comply with GDPR, brands need to make sure that they get hold of all personal data legally, in carefully defined conditions. They are also responsible for protecting it from being exploited or misused. Individual people will be given more visibility over how their data is used, and more opportunities to opt out.

AdTech is an area that is particularly heavily affected, because it involves so many different data points and transfers, and because it relies on analyzing user data to target and track ad performance. Under GDPR, you need a ‘legal basis’ for processing anyone’s personal data, which pretty much covers any automated process using personal data.

So, for example, when a publisher makes an ad request or a buyer sends a bid, data is delivered and received. That’s a process, and under GDPR it requires you to show that you have the legal basis to use data in that way.

All of which is similar to CONSENT, though GDPR goes a lot further. CONSENT doesn’t focus as heavily on dictating how companies store, control, or manage data – although it does push for improved data security and frameworks for dealing with a breach. Its primary concern is simply ensuring that organizations communicate with users to ask permission when they want to use data in a particular or different way.

That said, because CONSENT focuses on, well, consent, it looks as if the only way adtech companies will be able to use people’s data in activities like header bidding will be to get their explicit agreement.

GDPR has a little bit more leeway here, as a ‘legal basis’ for using data normally means expressed consent, but it doesn’t necessarily mean that. Another legal basis that a lot of companies argue is perfectly valid is using the data to further their own, or third parties’, ‘legitimate interests’, as long as they can show that they aren’t infringing on the rights of the person that the data belongs to.

There’s another big difference, too. While GDPR covers names, email addresses and photos, the scope of CONSENT notably doesn’t cover ‘personally identifiable information’ – that is, names and email addresses. This means that platforms and other companies collecting this data would be able to use this information without seeking consent every time (although they would still need to tell people they were doing it).

At the moment, we are skeptical that this bill will be passed into law. Two previous attempts to pass online privacy regulations failed in 2011 and 2015.

That could change, of course. With pressure mounting on politicians to curb the powers of platforms like Facebook, this might just be the moment they pull together to make a change.

As published on The Drum
