osborneclarke.com

1

Online Advertising Mashup

Dr. Ulrich Baumgartner

IAPP Europe Data Protection Congress

Brussels, 18-20 November 2014

osborneclarke.com

2

1. It's all about profiling…

osborneclarke.com

3

The Wise Man…

"Half the money I spend

on advertising is wasted;

the trouble is,

I don’t know which half." - John Wanamaker, 1896 -

osborneclarke.com

4

The Solution…

• Profiling - Basis for Targeted Advertising:

– User "tagged" with identifier

– Tagged user's online behaviour is tracked

– Behavioural data are used for creating a user profile

– Profile used to show ads reflecting interests of user

osborneclarke.com

5

Profiling

Tracking

Provider

Ulrich

Hiking

Alps

Men's

Fashion

Advertising

for

Men's Outdoor

Clothing

osborneclarke.com

6

Any profiling starts with "tagging"…

Tracking

Provider Ulrich

Internet

Users

osborneclarke.com

7

Any profiling starts with "tagging"…

Tracking

Provider "User ID: 3000"

Internet

Users

Ulrich

osborneclarke.com

8

Profiling

Tracking

Provider

Ulrich

(User

ID:

3000)

Hiking

Alps

Men's

Fashion

Ulrich (User ID:

3000)

is interested in:

Alps

Men's Fashion

Hiking

osborneclarke.com

9

Keyword Targeting

osborneclarke.com

10

First Party Targeting

osborneclarke.com

11

Re-Targeting

Product viewed

Ad for same product

on another website

osborneclarke.com

12

Contextual Targeting

osborneclarke.com

13

Behavioral Targeting

[Wie L&L]

Web pages

visited over time

Relevant ads displayed

on publisher website

osborneclarke.com

14

It’s all about profiling…

• Users are tagged by…

– Log-in data (social media platforms, online communities, webshops, etc.)

– Cookies

– Device identifiers

– Ad IDs

– Browser fingerprinting

osborneclarke.com

15

Does Profiling require an opt in?

USER 3000

Hiking

Alps

Men's

Fashion

Pseudonym

User Profile

Ulrich

Hiking

Alps

Men's

Fashion

Personal

Data

osborneclarke.com

16

2. Online Marketing Ecosystem

osborneclarke.com

19

3. Cookies, etc.

osborneclarke.com

20

Cookies

• Directive 2002/58/EC, Sec. 5 (3), as amended by Directive 2009/136/EC

("Cookie Directive"):

– "Member States shall ensure that the storing of information, or the gaining

of access to information already stored, in the terminal equipment of a

subscriber or user is only allowed on condition that the subscriber or user

concerned has given his or her consent, having been provided with clear

and comprehensive information, in accordance with Directive 95/46/EC,

inter alia, about the purposes of the processing. This shall not prevent any

technical storage or access (…) strictly necessary in order for the provider

of an information society service explicitly requested by the subscriber or

user to provide the service."

osborneclarke.com

21

Cookies

• Cookie Directive has been widely implemented across Europe

• Implementation laws deviate

• The question remains:

– Opt-in vs. Opt-out?

osborneclarke.com

22

EU Cookie Laws

Cookie Dir.

implemented ? Opt-in required

() ? Implied

Consent () ? ()

Affirmative

Consent ?

Cookie Laws – An Overview

Cookie Laws – An Overview

osborneclarke.com

25

IP Addresses

IP Addresses

Personal

Data? ? ? ()

osborneclarke.com

26

Browser/Device Fingerprint

• Information obtained about a device (PC, smartphone, tablet) that collectively

creates a unique “fingerprint” of that device

• Incl. user agent string, plugin details, time zone, fonts, sreen size, colour

depth, etc.

• NB: Fingerprint not affected by “do not track” browser settings

Personal data?

osborneclarke.com

27

Try it! https://panopticlick.eff.org/

CLICK HERE

osborneclarke.com

28

4. Online Marketing – The Latest

osborneclarke.com

29

Real Time Advertising

Real-Time

Advertising

Visitor enters Publisher

website URL. Publisher

sends request to Ad

Exchange for 1 ad of

particular spec (e.g., a

banner)

Ad Exchange makes

available details of visitor,

Publisher site, and ad unit

to participating

advertisers/agencies.

Advertiser #1: I offer € 0.4 for this

impression because the visitor

abandoned a shopping cart on

my site 2 hours ago.

Advertiser #2: I offer € 0.3 for

this impression because the

visitor is a 15- to 22-year-old

male with an interest in sports.

Advertiser #3: I offer € 0.2 for this

impression because this is an

authoritative movie and gaming

site.

Ad Exchange selects

the highest-paying

advertiser and sends

corresponding creative

to Publisher website.

Visitor sees ad from highest-paying

advertiser. Complete process takes place

while web page loads (1−5 milliseconds).

osborneclarke.com

30

Programmatic Buying

• Enables automated buying of advertising inventory by using data-driven and

predefined algorithms

• Sell Side Platforms (SSP) – electronic service platforms of ad space

marketers, auctioning ad space to the highest bidder

• Demand Site Platforms (DSP) – electronic demand platforms on which

advertisers can book ad space

• SSP and DSP include user profiles of OBA service providers and may

combine those profiles with self-collected user data

osborneclarke.com

31

Programmatic Buying

A

dvert

isers

Pu

bli

sh

ers

Real Time

Bidding

(RTB) Demand

Side

Platform

(DSP)

Supply

Side

Platform

(SSP) Ad

Publisher Website

Data Dealers

osborneclarke.com

32

Programmatic Buying

• Privacy Take Away

– If SSP/DSP are able to re-identify a specific user on the basis of

pseudonym (SSP-ID/DSP-ID), personal data is involved

– Even pseudonyms likely qualify as personal data

– Any transfer of OBA data requires justification

• User consent not an option in practice

• Overriding legitimate economic interest in data transfer?

osborneclarke.com

33

5. Online / Offline Convergence

osborneclarke.com

34

Online/Offline Convergence

• Combination of online tracking information with offline purchase information

to complement user profiles

• Integration of a variety of industry-specific offline data sources (e.g. coupon

usage, retail purchase activity and grocery store purchase activity)

• Offline data typically include postal or email address

"Data Onboarding" or "CRM Re-Targeting"

• Result: Ads become even more targeted across various channels

osborneclarke.com

35

Online/Offline Convergence

• Privacy Take Away

– Combination of (non-personal) online targeting data with personal offline

data requires prior opt-in

– The same applies to the trading of personal offline data

– Notice requirement challenging in practice

osborneclarke.com

36

6. Location Based Advertising

osborneclarke.com

37

Location Based Advertising

• Location data used to

– Refine profiles

– Make local offers

Particularly relevant for mobile advertising

osborneclarke.com

38

Location Based Advertising

"Location data from smart mobile devices are personal data."

(Art. 29 Working Party (WP 13/2011)

Might be different for non-granular location data (e.g. city name, ZIP code)

osborneclarke.com

39

Location Based Advertising

If personal location data is used, the Art. 29 WP expects:

• Opt-In generally required

• Strict requirements apply, e.g. opt-in must be:

– Separately obtained

– For dedicated purposes

– With detailed notice (incl. level of granularity)

– Must be renewed after one year

osborneclarke.com

40

Beacons

osborneclarke.com

41

Beacons

• Beacons send out a unique signal that can be picked up by an app to trigger

an action (e.g. personalized messages)

Beacons can close the loop between online and real world behaviour

• Beacon signal not personal data

• But: Apps determine the precise location of a user, e.g. within a shop

• Apps combine Beacon-ID with other user information

User profile incl. location data

osborneclarke.com

42

Beacons

osborneclarke.com

43

Beacons

• Privacy Take Away

– Rules for location data apply

– Opt-in required for the app provider

osborneclarke.com

44

7. E-Mail Tracking

osborneclarke.com

45

E-Mail Tracking

E-M

ail

Mark

ete

r

Su

bscri

bers

(O

pt-

In)

E-Mail

Marketing

Software

E-Mail

Template

Customized E-

Mails

Customer

Database

Online Shop

Tra

ckin

g (

CT

R)

Purchase Click-Through

Purchase

History

osborneclarke.com

46

E-Mail Tracking

• Tracking of reading behavior via web beacons, tracking pixel or

individualized links

• The following information can be tracked:

– Reading time

– Location

– Links clicked/websites opened

– Device/OS information

– Etc.

osborneclarke.com

47

E-Mail Tracking

• Two scenarios

– User is tracked on basis of email address

– User is tracked on basis of (non-personal) user ID

osborneclarke.com

48

E-Mail Tracking

• Scenario 1: User is tracked on basis of email address

– Email address is personal data

Opt-in required

osborneclarke.com

49

E-Mail Tracking

• Scenario 2: User is tracked on basis of user ID

– Targeted emails can only be delivered on basis of email address

– Which means: User ID/profile has to be connected with email address at

some point

Opt-out sufficient?

osborneclarke.com

50

E-Mail Tracking

• Privacy Take Away

– Opt-in required for tracking on basis of email address

– Also for tracking on basis of user ID, opt-in likely required

However: Creative ideas currently discussed to avoid such "conversion

killer"

osborneclarke.com

51

8. Social Media Marketing

osborneclarke.com

52

Social Media Monitoring

Filtering (Crawler, Bots…)

Filtered Database

- Evaluation (Analysis/Text-Mining Software)

- Setting up of alerts

"Social Buzz"

(WWW, Social

Networks,

Blogs,

Boards…)

osborneclarke.com

53

Social Media Monitoring

• Automated tools that allow marketers to search, track, and analyse

conversation on the web about their brand or about topics of interest

• Also user generated content affected

• Results used for PR management and campaign tracking, measuring return

on investment, competitor-auditing, and general public engagement

osborneclarke.com

54

Social Media Monitoring

• Monitoring inevitably involves personal data

• Legal requirements unclear, i.e. to what extent opt-in/opt-out necessary

• Some countries have specific laws (e.g. Germany):

– Publicly accessible data?

– Justified interest of users in keeping the data secret?

– Will the data be anonymized?

– Copyrights?

osborneclarke.com

55

Sharing

• Share/like functionalities trigger a transfer of user data from the website

featuring such plugin to the respective social media provider

• Data transfer already triggered when a website with the plug-in is opened

• User data includes IP address

osborneclarke.com

56

Sharing

• Privacy Take Away

– Website provider responsible for such data collection and transfer

– But: No transparency on use and processing of such data by the social

media networks

– Possible solution:

• “Two-click solution”, i.e. the use of a “deactivated” plug-in (image only,

without third party content)

• Activated only after a user has clicked on it

osborneclarke.com

57

Single Sign-On

Webshop

Account

Z

Social

Media

Account

Y Email

Account

X

Facebook

SSO

Email

Account X

Social

Media

Account

Y

Webshop

Account

Z

e.g. Facebook Connect/Google+ Sign-In

osborneclarke.com

58

Single Sign-On

• Single sign-on (SSO) is a session/user authentication process that permits a

user to access multiple applications with one set of log-in data

• Usually triggers exchange of identifiers between SSO provider and

application provider

• Are such identifiers (typically hashed email address) personal data?

• Best practice: Disclosure in privacy policy required

osborneclarke.com

59

8. Mobile Advertising

osborneclarke.com

60

Mobile Advertising

• Cookies not an option for mobile

• Until Recently: Use of UUIDs/UDIDs

• Banned by industry b/c could not be controlled by users

osborneclarke.com

61

Mobile Advertising

• Apple IDFA, Google Advertising ID, etc.

• These IDs for mobile devices give consumers control over tracking

– Users can reset the ID and can indicate that they don’t want the ID used

for targeted advertising

• But: Can also be abused for non-marketing purposes

Strict enforcement by app stores!

osborneclarke.com

62

In-App Advertising

In-App Banner In-App Layer Facebook Post

osborneclarke.com

63

Mobile Advertising

• In-App-Advertising:

– Apps dominate usage on mobile devices vs. mobile websites.

– In-app advertising continues to dominate volume of inventory on mobile

devices vs. mobile websites

(Smaato Global Mobile RTB Insights Q3 2014 Report)

osborneclarke.com

64

Mobile Advertising

• Privacy Take Away

– Are Ad IDs personal data?

– Likely to be treated like cookies

– Apple and Google Ad IDs provide opt-out option, which must be disclosed

in the privacy policy of apps using the ID

– Think of location data rules

osborneclarke.com

65

9. EU Data Protection Regulation

osborneclarke.com

66

EU Data Protection Regulation

• What does it say on profiling?

– Recital 58:

"Every natural person should have the right not to be subject to a measure

which is based on profiling by means of automated processing. However,

such measure should be allowed when expressly authorised by law,

carried out in the course of entering or performance of a contract, or when

the data subject has given his consent. In any case, such processing

should be subject to suitable safeguards, including specific information of

the data subject and the right to obtain human intervention and that such

measure should not concern a child."

osborneclarke.com

67

EU Data Protection Regulation

• Art. 20(1):

"1. Every natural person shall have the right not to be subject to a

measure which produces legal effects concerning this natural person or

significantly affects this natural person, and which is based solely on

automated processing intended to evaluate certain personal aspects

relating to this natural person or to analyse or predict in particular the

natural person's performance at work, economic situation, location, health,

personal preferences, reliability or behaviour."

osborneclarke.com

68

EU Data Protection Regulation

• Art. 20(2):

"2.(…)a person may be subjected to a measure (…) only if the processing:

(a) is carried out in the course of the entering into, or performance of, a

contract, where the request for the entering into or the performance of the

contract, lodged by the data subject, has been satisfied or where suitable

measures to safeguard the data subject's legitimate interests have been

adduced, such as the right to obtain human intervention; or

(b) is expressly authorized by a Union or Member State law which also

lays down suitable measures to safeguard the data subject's legitimate

interests; or

(c) is based on the data subject's consent (…)."

osborneclarke.com

69

EU Data Protection Regulation

• Art. 29 WP expressed the need to include in the EU Data Protection

Regulation a definition of profiling and suggests the following:

– “Profiling” means any form of automated processing of personal data,

intended to analyse or predict the personality or certain personal aspects

relating to a natural person, in particular the analysis and prediction of the

person’s health, economic situation, performance at work, personal

preferences or interests, reliability or behaviour, location or movements."

WP 29's "Advice paper on essential elements of a definition and a

provision on profiling within the EU General Data Protection

Regulation (13 May 2013)"

osborneclarke.com

70

osborneclarke.com

70

Contact

Dr. Ulrich Baumgartner, LL.M.

(King's College London)

+49 89 5434 8078

Ulrich.Baumgartner@osborneclarke.com

+49 89 5434 8079