The advertisers' responsibility for targeted digital advertising

Could this lead to a renewed focus on the general rules and obligations under the GDPR for digital marketing services?

Advertisers and agencies want paid placement to make the best possible impact. One of several technologies to achieve this is personalised ads. The ads are based on behavioural data about an individual or a group of individuals, including statistical predictions given the data points someone has collected about the individual.

The Schrems II solution does not mean "all clear"

The most commonly purchased personalised marketing services are American, or there are services that make personal data available in the US. This in itself has been legally problematic since the Schrems II judgment. Should the Schrems II issue be resolved, as we have good reason to expect, it will still not mean that, pursuant to the GDPR, there is a green light to use technologies such as pixels, third-party cookies or email ads resembling an email without being one.

There has never been an "all clear" here.

The advertiser bears the full responsibility

The advertiser is responsible for data collection, use and sharing as a so-called data controller under the GDPR. This will also often apply to the publicist.

The advertiser will often have a joint processing responsibility with providers of widely used services such as Facebook, Google and, as we understand Microsoft, for some of the data usage these stakeholders employ.

The basic requirement for a Data Controller is to know what data is collected, from where, how data is used and with whom it is shared. The Data Controller must then inform the persons concerned. This can be done, for example, in a privacy statement. In addition, the Data Controller (Advertiser and perhaps Publisher) must ensure that they have a lawful legal basis for the collection and use of personal data.

Consent is important

For personal data used for marketing, this in practice often means consent. In order for consent to be valid, the person who consents must have received good enough information to understand the personal data processing, which the consent will entail.

This is where the use of personal data-driven marketing services tends to become difficult. The information of the major providers is generally difficult to understand and requires cross-referencing with a variety of sources. In addition, it is demanding, from a legal perspective, to determine how far your responsibility as their customer goes.

If you struggle to understand this, then you are in good company. Many find it difficult to fully comprehend what it is they actually consent to. Overall, there is legal risk in using these services because it is difficult to understand what actually happens to data and how far your responsibility as advertiser goes.

Different level of risk

For some it may be right to take high risks, for others it may be better not to use the most aggressive services or the services that are most difficult to understand. For some, it may be right to use first-party data, but avoid third-party data. Or rely on contextual ads, perhaps combined with good old-fashioned email marketing where you have full control over data flow and consent.

Another way to view this assessment is to have good effect with a level of risk suitable for you, where you have control over the risk you choose to take.

The situation is further complicated by the fact that Norway, somewhat surprisingly, has proposed to carry on a special Norwegian "lax" provision on cookies, which allows setting cookies, including third-party marketing cookies, unless the end user "opts out" through the browser setting.

This Norwegian rule is not in line with EU's understanding of consent requirements for cookies. It does not cover either consent-based further processing of personal data collected through cookies. This is because the GDPR requires active opt-in consent.

A ban on personalized marketing?

Monitoring-based marketing is disputed among the general public, interest groups and politicians. By way of comparison, the EU is currently considering a proposal for a ban on personalised marketing, based on the most sensitive types of personal data such as religion, sexual orientation and health.

Would you like to know more or discuss more about the legislation?

Please contact Vebjørn at vso@raeder.no