When GDPR rolled out across the European Union back in 2018, the sweeping legal framework pledged to bring consumer privacy and protection to the forefront. In the years since then, we’ve seen the adtech industry at large do its collective darnedest to undermine these laws at every turn, and largely get away with it, thanks in part to the squishy phrasing of some of the legislation’s most critical clauses.
Now, European authorities are stepping in to cut that squishiness a bit. On Monday, the European Data Protection Board—the Union’s oversight committee for GDPR-related issues—released a 31-page manual calling out some of the slimier practices used by adtech companies to fudge consent on an internet browser’s behalf.
These new guidelines specifically call out the sites that assume a user’s agreement to be tracked and targeted based on say, the way they scroll down a webpage, rather than relying on their explicit agreement to that deal. Also called out in the memo are “cookie walls”—a cute name for the not-so-cute tactic where sites bar internet browsers from accessing their content unless they agree to allowing cookies and trackers on the site.
These are both tactics that directly step on the concept of user consent. Unlike the CCPA, its significantly watered-down American cousin, GDPR was written to require that websites garner a visitor’s consent before they handle that visitor’s data, and before they pass that data down the garbled supply chain of third parties in the adtech ecosystem. As you might imagine, the GDPR painstakingly lays out exactly what does and doesn’t qualify as consent, requiring that, in short, these websites explain the tech used to track the visitors in a clear and upfront way. It also requires that they offer these visitors an easy way to opt in or out of this sort of on-page tech.
This might sound easy enough to follow, but history’s shown that a lot of folks in the digital ad industry aren’t above pulling some weaselly stunts to keep the money flowing in. Sometimes, this means using a scroll or a click somewhere on the page as a tacit agreement to be tracked. Other times, it means outright ignoring a person’s request not to be tracked in the first place, or leaving that option off the table when users visit a site. And for some others, this means the aforementioned cookie wall, which strong-arms consumers into providing their data in order to access the content on a given site.
It might be easy to lay all the blame on a website for, well, being a shitty website, but the truth is it’s not that straightforward. Smaller shops across the web are universally hard-up for digital revenue. These sites regularly onboard unvetted third-party tech in the name of scraping by, even if those third parties come loaded with a ton of unseen data-hoovering baggage. In fact, a report out from MIT back in January found that one of the top reasons for GDPR-related hiccups on the part of UK websites was due to the third-party platforms they’d onboarded to become GDPR compliant in the first place.
The new guidelines from the EDPB are ostensibly meant to cut through this noise and give the shadier sides of the industry less wiggle room, but we’ve seen before that these constraints can have the unintended effect of pushing off-color tactics further underground, rather than exiling them from the ecosystem entirely. Hopefully, the authorities both here and abroad can keep step to maybe, one day, actually quash them for good.