Ad tech vendors are using the smokescreen of ‘legitimate interests’ to declare themselves compliant to the upcoming GDPR, while not doing anything concrete to make themselves truly compliant.
Ad tech vendors do not have a clarity on how to obtain explicit consent before collecting data nor do they have plans in place to delete such data when requested, but erroneously believe they have sufficient legitimate interests to bypass compliance.
The upcoming General Data Protection Regulation will bring in stringent requirements for firms that store and handle data belonging to their customers. As per the upcoming regulation, firms will need to obtain explicit consent from customers before storing their personal data and will have to delete customer data whenever requested by customers.
However, GDPR will also allow firms to handle customer data based on their ‘legitimate interests’. Such legitimate interests may include collecting data to prevent fraud, to strengthen security around data or to transfer data within the organisation.
Article 6(1)(f) of the GDPR reads: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
According to the Article 29 Data Protection Working Party, ‘legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place’.
Many marketing firms and ad tech vendors are now clinging on to point (f) of Article 6(1) to claim that their data collection practices are compliant with GDPR. However, Jessica Davies, UK editor of DigiDay, said that such assumptions are erroneous and may land such firms in deep trouble once GDPR comes into force.
‘While some businesses will be able to claim a legitimate interest in using people’s data without having to seek explicit permission, no ad tech vendor that relies on bid-stream data to create segments and audiences can use the legitimate-interest loophole. But that is indeed what many are doing, according to sources,’ she said.
‘If a [location] ad tech vendor tells you they can use legitimate interest and they can’t explain why, they’re morons and don’t understand at all what GDPR means. They’re [agencies] getting high-level claims of legitimate interest but no real meat on the bones. It will likely result in agencies culling [location] vendors,’ said an adtech executive to Davies.
‘Companies risk being wiped out partially, if not entirely, and many are fighting tooth and nail, climbing mirrors to avoid the collapse of their commercial relationships, buying time and getting some oxygen while waiting to see what will happen,’ said another executive.
Even though ad tech vendors are claiming legitimate interests to collect personal data without obtaining explicit consent from people, they are failing to balance their interests against the rights of people whose data they are processing. At the same time, such interests will fall flat if it is found that there are other means available to achieve the same result.
‘Legitimate interest can’t protect people. The permission procedure is to remove all ambiguity, and legitimate interest is rigidly defined, so can’t be used as a hack. Consent is ultimately required,’said Amir Malik, digital marketing lead at Accenture to Davies.