Mariana M.’s Post

Update from the European Data Protection Board (EDPB): It has just published its opinion addressing the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms.  During its latest plenary, the EDPB adopted an Opinion following an Art. 64(2) GDPR request by the Dutch, Norwegian & Hamburg Data Protection Authorities (DPA). The Opinion addresses the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms. EDPB Chair, Anu Talus added: “Controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy. Individuals should be made fully aware of the value and the consequences of their choices.”  In addition to this Art. 64(2) Opinion, the EDPB will also develop guidelines on ‘consent or pay’ models with a broader scope and will engage with stakeholders on these upcoming guidelines.

EDPB: "Consent or Pay"... NOT OK. The European Data Protection Board's (EDPB) took a hard stance on the legitimacy of consent in 'consent or pay' models used by large online platforms for behavioral advertising. In sum, to the EDPB, such model is no real choice at all: ·        The EDPB emphasizes that 'consent or pay' models typically don't offer users a genuine choice, leading to a scenario where consent is often given under pressure or without full understanding of the consequences. Such models, where users must either consent to data processing or pay a fee, likely do not meet the GDPR requirements for valid consent. ·        The EDPB advises that online platforms should consider providing a truly equivalent alternative that does not require payment or involves minimal or no personal data processing. ·        The EDPB stresses that obtaining consent does not free the controllers from complying with other GDPR principles such as fairness, necessity, and proportionality. The board also highlights the importance of controllers demonstrating that their data processing activities align with GDPR standards, and considering the impact of any fees or consequences for users who choose not to consent. https://lnkd.in/gkUNByC5

The European Data Protection Board (EDPB) recently issued an opinion emphasizing the need for genuine choice in "consent or pay" models used by online platforms for data processing in behavioral advertising. This model, which often forces users to either consent to data usage or pay a fee, may not consistently meet GDPR standards for valid consent. The EDPB advocates for alternatives that provide equivalent service without behavioral ads or personal data processing. Furthermore, the EDPB stresses that consent must be informed, voluntary, and should not lead to adverse consequences for users who choose not to consent. We'll need to innovate in creating consent mechanisms that are not only compliant but also user-friendly and transparent, ensuring users feel their privacy is respected and protected. We expect future guidelines that will further address these concerns and involve stakeholder engagement. This development is pivotal for the marketing and advertising industries, which heavily rely on user data for targeting and personalization.

“Users’ preferences are encoded and stored in a string composed of a combination of letters and characters referred to as the ‘Transparency and Consent String’ (TC String), which is shared with personal data brokers and advertising platforms so that they know to what the user has consented or objected. A cookie is also placed on the user’s device. When they are combined, the TC String and the cookie can be linked to that user’s IP address. In 2022, the Belgian Data Protection Authority held that the TC String constitutes personal data within the meaning of the GDPR and that IAB Europe had been acting as data controller without fully complying with the requirements of the GDPR. That authority imposed on it a number of corrective measures as well as an administrative fine. IAB Europe is contesting that decision and has brought an action before the Brussels Court of Appeal, which has referred questions to the Court of Justice for a preliminary ruling. In its judgment, the Court of Justice confirms that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Where the information contained in a TC String is associated with an identifier, such as, inter alia, the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her.” #consentcookies #gdpr #personaldata

During its latest plenary, the European Data Protection Board adopted an Opinion following an Art. 64(2) GDPR request by the Dutch, Norwegian & Hamburg Data Protection Authorities (DPA). The Opinion addresses the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms... #enjoyGDPR As regards ‘consent or pay’ models implemented by large online platforms, the EDPB considers that, in most cases, it will not be possible for them to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee. The EDPB considers that offering only a paid alternative to services which involve the processing of personal data for behavioural advertising purposes should not be the default way forward for controllers. When developing alternatives, large online platforms should consider providing individuals with an ‘equivalent alternative’ that does not entail the payment of a fee. If controllers do opt to charge a fee for access to the ‘equivalent alternative’, they should give significant consideration to offering an additional alternative. This free alternative should be without behavioural advertising, e.g. with a form of advertising involving the processing of less or no personal data. This is a particularly important factor in the assessment of valid consent under the GDPR. The EDPB stresses that obtaining consent does not absolve the controller from adhering to all the principles outlined in Art. 5 GDPR, such as purpose limitation, data minimisation and fairness. In addition, large online platforms should also consider compliance with the principles of necessity and proportionality, and they are responsible for demonstrating that their processing is generally in line with the GDPR.

CJEU Provides Clarity on IAB Europe Case: Today the CJEU has issued its judgment on the IAB Europe case, addressing the longstanding discussion around the Transparency and Consent Framework (TCF) mechanism's alignment with the #GDPR. This case, driven into the spotlight by the Belgian Data Protection Authority, highlights the complexities involved in ensuring that real-time bidding processes comply with GDPR standards. At the core of this debate is the TCF mechanism, developed by IAB Europe as a means to facilitate GDPR compliance within the advertising industry. This mechanism, which encodes users' consent into a Transparency and Consent String (TC String), has been scrutinized for potentially not meeting GDPR requirements. The CJEU's decision affirms that the TC String qualifies as personal data and designates IAB Europe as a 'joint controller' for the initial data processing that captures users' consent preferences. This clarification from the CJEU sheds light on the necessity of robust consent management practices and underlines the accountability and responsibilities of entities involved in digital advertising. The ruling emphasizes the need for compliance with GDPR, marking a step forward in addressing privacy concerns within the advertising sector. See the Belgian Data Protection Authority's decision on IAB Europe: https://lnkd.in/eiPckWAy #GDPR #DigitalAdvertising #Privacy #DataProtection #IABEurope #CJEU CJEU press release: https://lnkd.in/e_nfWcdT

CJEU in case on Real Time Bidding and the IAB. (i) CJEU ‘confirms that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR.’ (ii) IAB Europe is a ‘joint controller’ in GDPR terms. https://lnkd.in/ex25DDzr (Quotation is from the press release. See the judgment for more details.) #privacy #cookie #tech #advertising #gdpr #dataprotection #surveillance

⚖️ The European Court of Justice (ECJ) clarified on Thursday March 7th that IAB Europe's online advertising model uses personal data, and is therefore subject to the GDPR. 🚨 The Interactive Advertising Bureau (IAB) is an association representing digital advertising and marketing companies, developed a system that allows brokers and platforms to 💵 bid for advertising space in real time based on the profiles of website users. 👩⚖️ The CJEU also ruled that IAB Europe qualifies as the "joint controller" under GDPR, but not the sole controller. 👉 Background: The ECJ ruling comes after IAB Europe challenged a decision by the Belgian Data Protection Authority in 🗓️ 2022, which said that its real-time bidding model for advertising was not in line with EU data protection rules. The Belgian Court of Appeal then asked the Luxembourg-based ECJ for clarification. The case now heads back to the Brussels Markets Court… read more on Euronews👇. --- #SypherPrivacyTalks Stay tuned for more:📌 follow the Sypher Solutions company page. We'll keep you updated on #dataprotection, #privacy, #privacymanagement, #GDPR, #GDPRcompliance, #DPO, #cookies, #consent.

🚀 New Blog Post: CJEU Decision and Its Impact on Digital Advertising We've analyzed the recent decision of the Court of Justice of the European Union in Case C-604/22, which brings significant changes to how personal data is handled in the AdTech industry. Find out how this ruling affects GDPR regulations and what it means for the future of digital advertising. 🔗 Read the full article to understand the implications of this decision on transparency and consent within the Transparency and Consent Framework introduced by IAB Europe. #GDPR #AdTech #DataPrivacy #CJUE #DigitalAdvertising #privacy #decalex #privacyinfluencers #IAB #RTB Click the link for more details! https://lnkd.in/d4jGExXp

🚨🚨 New Legislation Alert 🚨🚨 As of August 25th, the #DigitalServicesAct has gone live in the EU, in another piece of legislation that may have been passed in Europe but will have a knock-on effect on a global level. But the EU already has #GDPR! There’s ANOTHER piece of legislation that impacts my digital strategy that I need to be aware of? You are correct, but the two pieces of legislation have different goals. #GDPR is primarily concerned with protecting the privacy of individuals - it sets out rules for how businesses can collect, use, and store personal data. The #DSA, is more focused on ensuring the safety and accountability of online platforms - It sets out rules for how platforms should moderate content, remove illegal content, and cooperate with law enforcement. The DSA requires platforms to take down illegal content more quickly, give users more control over their data, and be more transparent about how they moderate content. It also introduces new rules for "very large online platforms," which are defined as those with at least 45 million active users in the EU, so basically all the major social media platforms. The #DSA is still in its early stages, but it has the potential to have a significant impact on digital marketers. For example, the law's requirement to remove illegal content more quickly could make it more difficult for marketers to run ads for products or services that are prohibited in the EU. Additionally, the law's emphasis on transparency could make it harder for marketers to target ads based on personal data. Overall, the DSA is a significant development for the digital marketing industry. Everyone will need to closely monitor the law's implementation and make adjustments to their strategies as needed. As when GDPR launched, it's very early days with the DSA, and it'll take some time to figure out exactly what this looks like, so be sure to watch this space. If you need some help navigating the #DSA (or #GDPR), make sure to get in touch! https://lnkd.in/gWRvpUtk