There’s been some buzz recently around two new class-action lawsuits being filed in the Netherlands and the UK by the Privacy Collective. This is the largest class-action case around GDPR to date — and that’s a pretty big deal.
So, what’s it all about? In a nutshell, the Privacy Collective is going after two major data management platforms (DMPs) for allegedly unlawfully selling consumer data. Of course, it’s more nuanced than that, and the implications — not just for the data industry, but for businesses and consumers — are huge.
There has been a lot of talk about cookies lately, especially with Google announcing the demise of the 3rd party cookie. On the surface, it might seem like that’s what this lawsuit is about, but GDPR isn’t about cookies: it’s about consumer protection. Rather than banning specific measures, the GDPR was created to give consumers control over their data.
From a consumer perspective, it’s difficult to understand how and where your privacy may be being violated, and that’s the point of this lawsuit. We are all used to (and probably sick of) giving consent every time we visit a new website, and a lot of people think that’s GDPR. Yes, websites are getting your cookie consent, but they also need consent from you to build a profile on you, and then they should be getting explicit consent to sell that profile, with the consumer knowing to whom it is being sold — every time they sell that profile.
According to this lawsuit, those additional moments of explicit and informed consent aren't there.
There's nothing inherently wrong with cookies; it's more about how cookies are used. In this case, we're looking at the use of a (usually 3rd party) cookie to link personal data to a global identifier; this means they have one universal profile per consumer, which makes it possible for businesses to purchase and use those universal profiles for advertising. The more businesses that buy into the system, the more consumer data that’s collected and added to each global ID profile. That’s not what most of us are thinking about when we click the consent button to view a website.
This global ID practice is illegal under GDPR, and this lawsuit is bringing it to light. It's about more than just operating outside of consumer expectations or understanding — consumers flat-out have not given permission for their data to be used in this way.
It’s important to stress here that there’s a difference between annoying marketing and illegal use of consumer data.
Imagine you’re part of a tennis club. That tennis club has a newsletter, and you are on that mailing list. When you receive a newsletter, you see some ads placed in that newsletter — this might be annoying, but there’s nothing legally or really even morally wrong with that. You have knowingly given your personal details and consent to the tennis club, and they have chosen to include an ad in their communication with you. If you don’t like it, you can unsubscribe from the newsletter, or even request that they delete your personal information from their database. Problem solved.
Now imagine that you start receiving ads and emails from a tennis shoe brand whose website you’ve never visited, let alone given consent to, and you find out that you’re being served these ads because the tennis club has sold the email list — including your email address — to this brand. That’s not ok, and that’s what we’re looking at when we talk about global IDs and RTB.
Creating and selling global IDs is actively anti-customer-centric, and in its current form, it violates the consumer’s right to understand where and how their data is being used. They took your information, and you never gave permission for that. And that’s without even getting into who is profiting from selling your information. This isn't compatible with GDPR because consumers need to provide explicit and informed consent upfront, not opt out afterward.
From our perspective, brands have a responsibility to their consumers. Our vision is to build a future where both consumers and businesses embrace the use of data and technology as fundamental to mutually beneficial relationships. It’s inherently pro-GDPR. It’s pro-consumer privacy, and it’s pro-transparency.
Enterprise businesses and DMP customers need to think carefully about the role they play in all of this. Right now, it’s the tech giants who are under fire, but if you’re using their technology, you’re complicit in these practices. Are you working with global IDs? Think long and hard whether you believe this is responsible from a marketing perspective.
In general, approach global IDs with extreme caution. Ask a lot of questions when vendors offer this. Force them to accept liability for any GDPR or privacy law violations in your contract. They won’t do it? That’s a big red flag.
Most businesses out there are understandably keen to use customer data to build a better relationship with their customers. But if a customer doesn’t want this, it’s not creating a better relationship in the long run! Be transparent with your customers and follow a principle of no surprise — this means using the data your customers gave you and know that you have, and don't sell it to others. Make it easy for them to opt out.
We’re all consumers too, so we’d do well to think about creating customer journeys that we ourselves would be delighted with.
This is good news for consumer choice. GDPR may seem annoying, but it’s empowering you to really understand what’s happening with your data. More than that, it’s allowing you to control what happens to your data.
Do your best to be informed on these topics. It’s not always easy, and a lot seems to happen behind closed doors. Get in touch with the brands you purchase from a lot. Find out more about their compliance standards. Let them know if you don’t like the way they are handling your data. If they’re smart, they’ll listen.