PC Pro

“Data vampires” ignoring GDPR

Regulations have failed to curb privacy crisis as advertisers double down on data collection, Stewart Mitchell finds


Web advertisers are blatantly ignoring legislation designed to protect consumers’ privacy and – in some cases – deliberately misleading people into accepting ad cookies.

A year on from the introduction of the General Data Protection Regulation, even big-name advertisers continue to flout the law. Two out of three websites don’t comply with regulations because data is their lifeline.

“You have all the ad tech players, whether it’s publishers or the Interactive Advertising Bureau (IAB) partners or Google or Facebook or whoever… they need to make money from the data they collect, it’s how they make a living, selling the data on because everybody wants it,” said Joyce Allen, founder of BCS-accredited information rights training firm Freevacy.

“They are all as bad as each other – it really doesn’t matter who they are.”

We looked into the privacy settings of a range of websites and confirmed that, across the board, privacy policies and cookie settings failed to adhere to the regulations. In some instances, the sites are even being deliberately designed to mislead consumers about the choices they make (see “Ad Tricks: the bait and switch” below for details).

“Some of these [cookie] explainers are made as difficult to understand as possible, I would argue, in order to urge people to suffer from consent fatigue and just click ‘Accept all’,” said Pat Walshe, director of Privacy Matters, a data protection consultancy. “Often the language and the choices they present are essentially what amount to dark patterns that enable data vampires.”

Walshe gave examples that included multilayered consent that left some permissions switched on, such as Scotland’s The National newspaper, where visitors can switch off all five listed categories of advertiser data sharing, but clicking Save would still give permission to partners listed in a small link below.

“With The National, even if you rejected every single one of the categories presented to you, at the bottom of that there’s something called ‘Vendors’,” Walshe said. “If you’re not aware that’s there and merely disable all of the categories to opt out, you’d think you’re covered, but then go to ‘Vendors’ and what you find is that not all of the vendors are defaulted off. You’ll still be trapped.”

The National declined to comment when approached by PC Pro.

Encouraged by the big players

Deceptive practices are widespread, even among the biggest names. Last year, Google was accused of misleading practices by the European Consumer Group (BEUC), a collective of national privacy organisations.

According to BEUC’s Every Step You Take report, Google used deceptive click flows to push users into accepting location tracking. The company also hid enabled-by-default settings for web activity on separate pages and gave misleading and unbalanced information about what data was collected.

Google has since moved to address some of the criticisms, but according to BEUC the company’s actions exemplify an industry-wide disregard for clarity. “When it comes to one of the leading giants in this sector, Google, research by our member organisations revealed the use of misleading practices,” a BEUC spokesperson told us.

“Google uses various tricks and practices to ensure users enable location-tracking features and does not give them straightforward information about what this effectively entails.”

Google disputed some of the BEUC findings at the time and declined to comment further to PC Pro.

BEUC research found such practices were widespread. “It found that two out of three companies were in breach of the law,” the BEUC spokesperson continued. “For example, they installed tracking cookies before the user had given permission.

“Some websites have improved their practices since last year, but the problems related to the use of online trackers are still far from being addressed.”

The requirement to make users opt in to, rather than opt out of, ad tracking is one of the key parts of GDPR that companies routinely ignore, according to BEUC.

“Often the problem is not only about how difficult it is to opt out but about the fact that users are not asked to opt in when they should be,” the BEUC spokesperson said. “Even if they are asked to opt in, this is not done in a way that would deliver valid consent under the data protection rules.”

What’s the punishment?

The Every Step You Take report led to official complaints being launched against Google and the company was also hit with a €50 million fine by French data watchdog CNIL for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation”.

The Irish data watchdog has also opened 17 investigations into malpractice by various companies, including most recently against advertising giant Quantcast over concerns about its personal data aggregation and profiling.

However, according to Allen, this action is exceptionally rare and the inaction of official data protection bodies such as the UK’s ICO is another factor that plays into the industry’s hands.

“If you take the herd mentality, it’s that somebody else will get the penalty,” she said. “While there is someone else that might get the penalty, people are thinking ‘well, they’re bound to look at Facebook and Google before they look at us’.

“So they will carry on doing what they are doing, some bits good, some bits bad and some bits hidden, and they will keep doing that until there’s case law.”

The ICO has said it plans to look into the ad-tech industry more closely in future, but for the time being there is almost zero threat of punishment for breaking the rules. “We have an impasse where the public don’t know whether to let collection happen, the companies can’t afford to lose their revenue streams, changes cost money and the regulators are looking but haven’t done anything specific,” said Allen.

“There will be court cases and when there are then the ad-tech companies and publishers will have to start to create a different set of rules to follow.”

ABOVE There’s currently very little threat of punishment for acting like a data Nosferatu
