5. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
Step 9.
Agency ad server
loads verification
vendor
MARKETERS
website.com
AD
Winningbid
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Verification
javascript
Agency
ad server
Verification
vendor
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
This is the current process of
real-time bidding that is used in
online behavioural advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
8. “The ePrivacy Directive clarifies that access to
‘website content may still be made conditional on
the well-informed acceptance of cookies’ and use of
similar tracking technologies. Digital services,
such as websites or apps are generally permitted
to require users to consent to the collection their
personal data through cookies or similar
technologies before allowing them to use a
service.”
IAB Europe, November 2017
10. ePrivacy Directive, Recital 25
(as selectively quoted by the IAB)
25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device., if it
is used for a legitimate purpose.
website content may still
12. “Article 95 GDPR on the relationship of the GDPR
with the ePrivacy Directive establishes that the
ePrivacy Directive's more specific rules prevail
over rules of the GDPR”
IAB Europe, November 2017
13. GDPR, Article 95
This Regulation shall not impose additional
obligations … in relation to processing in
connection with the provision of publicly
available electronic communications services in
public communication networks in the Union in
relation to matters for which they are subject to
specific obligations with the same objective set
out in Directive 2002/58/EC.
.
14. GDPR, Article 95
This Regulation shall not impose additional
obligations … in relation to processing in
connection with the provision of publicly
available electronic communications services in
public communication networks in the Union in
relation to matters for which they are subject to
specific obligations with the same objective set
out in Directive 2002/58/EC.
.
16. ePrivacy Directive, Recital 25
(as selectively quoted by the IAB)
25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device., if it
is used for a legitimate purpose.
website content may still
17. ePrivacy Directive, Recital 25
(as selectively quoted by the IAB)
25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device., if it
is used for a legitimate purpose.
website content may still
This is an allowance, not an obligation
18. ePrivacy Directive, Recital 25
(as selectively quoted by the IAB)
25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device., if it
is used for a legitimate purpose.
website content may still
This is an allowance, not an obligation
This is a recital, not an article
19. 25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device, if it
is used for a legitimate purpose.
ePrivacy Directive, Recital 25
(as selectively quoted by the IAB)
20. to facilitate the provision of information
society services ...
25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device, if it
is used for a legitimate purpose … such as
ePrivacy Directive, Recital 25
21. to facilitate the provision of information
society services ...
25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device, if it
is used for a legitimate purpose … such as
ePrivacy Directive, Recital 25
Article 29 WP (2013):
not “general access”
22. to facilitate the provision of information
society services ...
25.Access to specific website content may still
be made conditional on the well-informed
acceptance of a cookie or similar device, if it
is used for a legitimate purpose … such as
ePrivacy Directive, Recital 25
Article 29 WP (2013):
not “general access”
23. any service normally provided for
remuneration, at a distance, by electronic
means and at the individual request of a
recipient of services. For the purposes of this
definition: ... "at the individual request of a
recipient of services" means that the service is
provided through the transmission of data on
individual request.
Directive 98/34/EC, Article 1(2)
.
28. MUST BE ASKED AT INSTALLATION
based on the e-Privacy Regulation draft text amended by the European
Parliament LIBE Committee’s Rapporteur’s draft report, June 2017
Default, per
LIBE Recital 23.
Accept all tracking
Reject all tracking
OK
Reject tracking unless strictly
necessary for services I request
Accept only first party tracking
Tracking Preferences
29. MUST BE ASKED AT INSTALLATION
based on the e-Privacy Regulation draft text amended by the European
Parliament LIBE Committee’s Rapporteur’s draft report, June 2017
Default, per
LIBE Recital 23.
Accept all tracking
Reject all tracking
OK
Reject tracking unless strictly
necessary for services I request
Accept only first party tracking
Tracking Preferences
LIBE test proposes this
in Recital 23, though
Recital 21 as amended
appears to make it
unnecessary”.
30. Accept all tracking
Reject all tracking
OK
Reject tracking unless strictly
necessary for services I request
Accept only first party tracking
Tracking Preferences
56%
20%19%
5%
Thinking of yourself as a visitor to websites,
what would you select if shown this message?