Episode 19: Peter Craddock on the history of consent and personal data - The Monopoly Report

Summary6 min read

Podcast Summary: The Monopoly Report - Episode 19: Peter Craddock on the History of Consent and Personal Data

Release Date: February 26, 2025

Hosts and Guests:

Host: Alan Chappelle
Guest: Peter Craddock, Partner in Data Protection at Keller and Heckman

1. Introduction to Consent in the Digital Ad Landscape

Alan Chappelle opens the discussion by contextualizing the evolution of consent within Europe’s digital advertising marketplace. He introduces Peter Craddock, highlighting his pivotal role in developing the IAB EU Transparency and Consent Framework (TCF) and his involvement in defending the TCF before the EU Court of Justice.

Notable Quote:

"I imagine Peter and I are going to go pretty deep on consent, on the definition of personal data, and have a really interesting back and forth."
[00:25]

2. Evolution of Consent and Personal Data Definitions

Peter Craddock delves into the historical ambiguity surrounding what constitutes personal data, particularly focusing on IP addresses and cookies. He explains the uncertainty prior to the Briar Judgment of 2016, where the Court of Justice of the European Union (CJEU) clarified that an IP address could be considered personal data if it can be linked to an individual through lawful means.

Key Points:

Pre-Briar Era: Organizations often assumed IP addresses and cookies were not personal data, allowing them to sidestep stringent data protection regulations.
Briar Judgment Impact: Established that IP addresses are personal data when additional information is available to identify individuals, leading to more cautious data handling practices.
GDPR Adoption (2016): Reinforced the potential of identifiers like IP addresses being personal data, though emphasizing that context matters.

Notable Quote:

"The GDPR has not solved that problem... we're still dealing with a kind of fragmentation."
[07:28]

3. Fragmentation in EU Data Protection Enforcement

Craddock highlights the fragmented nature of data protection enforcement within the EU. With both GDPR and the E-Privacy Directive (E-PD) in play, national regulators interpret and enforce rules differently, leading to inconsistencies across member states.

Key Points:

Two Systems: GDPR governs personal data broadly, while E-PD specifically addresses electronic communications and cookies.
National Divergences: Countries like France, Italy, Spain, and the Netherlands have varying exceptions and interpretations, complicating compliance for international businesses.
Recent Enforcement Actions: Example of the Dutch authority challenging the legitimacy of commercial interests as a legal basis for data processing, showcasing divergent regulatory priorities.

Notable Quote:

"You can't have a coherent approach because the priorities of authorities are different."
[07:28]

4. The Transparency and Consent Framework (TCF) Development

Peter Craddock discusses the inception and challenges faced in creating the IAB EU Transparency and Consent Framework (TCF). The framework was developed to standardize how businesses communicate data processing activities to users, ensuring transparency and consistent consent mechanisms.

Key Points:

Standardization Need: To harmonize transparency in data processing and legal basis declarations across the ad tech industry.
Challenges Faced: Agreeing on common terminology, labeling, and explanations to ensure clarity for data subjects.
Adoption and Growth: From initial resistance to over 95% adoption by commercial websites in the EU, demonstrating the framework’s effectiveness.

Notable Quote:

"The TCF covers a whole range of purposes and only some of them have to do with personalized ads, profile-based advertising."
[17:26]

5. Debating the Effectiveness of TCF in Consent Management

Alan Chappelle raises a critical viewpoint, suggesting that while the TCF effectively manages consent for cookies and general transparency, it may falter when handling consent for profiling and targeted advertising. He expresses concern that bundling these consents could conflict with EU regulations against consent bundling.

Notable Quote:

"The European Union does not like bundling consents... they've sort of set the whole mechanism up to fail a little bit with EU regulators."
[20:18]

Peter Craddock's Response: Craddock disagrees, arguing that the issue lies not with the TCF but with the perception and implementation of profile-based advertising. He emphasizes that the TCF itself allows for a nuanced approach to consent, provided that the underlying processing activities are transparent and justified.

Notable Quote:

"It's not so much about the TCF, but it's more about the activity itself... it's a way of trying to get together as an industry and figuring out how do we get to better transparency."
[17:26]

6. Cookie Walls and Paywalls: Navigating Consent Requirements

The conversation shifts to the emergence of cookie walls—mechanisms that restrict website access unless users consent to all cookies. Craddock critiques their simplistic accept-or-leave approach, highlighting regulatory pushback that demands only strictly necessary cookies be exempt from consent.

Key Points:

Initial Cookie Walls: Offered "accept all or leave" choices, disregarding the necessity criterion.
Regulatory Response: Regulators disallowed such approaches unless non-essential cookies are genuinely optional.
Evolution to Paywalls: Shift towards tiered services where users can choose between ad-supported free access or paid, ad-free experiences.

Notable Quote:

"The cookie wall came really as a way of getting, of forcing people to make a choice... that is problematic."
[23:09]

7. The Meta Case: Consent and Contractual Necessity Challenges

Alan Chappelle brings up the high-profile case involving Meta (Facebook), where the EU challenged the platform’s reliance on contractual necessity and legitimate interests as legal bases for profile-based advertising. The court ruled that neither could be used, leaving consent as the primary basis, which raised concerns about consent being genuinely "freely given."

Key Points:

Contractual Necessity Rejection: The CJEU determined that profile-based advertising isn’t part of the core service contract, thus invalidating its use as a legal basis.
Legitimate Interests Scrutiny: Courts limited the use of legitimate interests, especially when they conflict with individual rights.
Article 7.4 GDPR: An underexplored provision that might allow combining contract and consent to legitimize certain processing activities.

Notable Quote:

"Consent is needed for profile-based advertising because the Court of Justice seems to suggest that's the only way."
[21:00]

8. Implications of Regulator Positions and Market Alternatives

The discussion turns to the limited options users have when major platforms like Meta mandate consent for data processing as a condition for service access. Craddock argues that while theoretically, users have alternatives, the dominance of such platforms makes true choice difficult.

Key Points:

Market Dominance: Platforms like Meta hold significant sway, making it hard for users to find viable alternatives.
User Dependency: High investment in these platforms (e.g., LinkedIn for professional networking) creates a de facto necessity.
Regulatory Dilemma: Balancing user rights with the practicalities of market alternatives remains challenging.

Notable Quote:

"If you have to take into account the position of every individual, how can a business actually move ahead with any decision?"
[37:35]

9. Conclusion and Final Thoughts

As the conversation wraps up, both Alan and Peter reflect on the complexities of enforcing data protection laws in a fragmented regulatory landscape. They acknowledge the ongoing debates and challenges but remain optimistic about the industry's efforts to enhance transparency and user consent mechanisms.

Final Notable Quote:

"Well, this has been a fantastic discussion... Peter, thank you so much. This has been a fantastic discussion. I really appreciate you coming on."
[41:07]

Key Takeaways:

The definition of personal data in the EU has evolved, with significant court rulings shaping current interpretations.
GDPR and E-Privacy Directive create a complex regulatory environment with varying national implementations.
The IAB EU TCF serves as a crucial tool for standardizing consent and transparency in digital advertising, though it faces challenges in handling profile-based advertising.
Mechanisms like cookie walls and paywalls represent the industry's attempts to comply with stringent consent requirements, albeit imperfectly.
High-profile cases like Meta's underscore the tensions between user rights and business interests, highlighting the need for nuanced legal interpretations and industry adaptations.

Subscribe to The Monopoly Report: For more in-depth analyses of big tech’s antitrust issues and global advertising economics, subscribe to our newsletter at Monopoly Marketecture and listen to all episodes at monopolyreportpod.com.

Loading summary

Transcript36 lines

[00:01]
Peter Craddock
Your data is like gold to hackers. They'll sell it to the highest bidder.
[00:05]
Alan Chappelle
Are you protected?
[00:06]
Peter Craddock
McAfee helps shield you blocking suspicious texts.
[00:09]
Alan Chappelle
Malicious emails and fraudulent websites.
[00:12]
Peter Craddock
McAfee Secure VPN lets you browse safely and its AI powered tech scam detector spots threats instantly.
[00:18]
Alan Chappelle
You'll also get up to $2 million of award winning antivirus and identity theft.
[00:22]
Peter Craddock
Protection, all for just $39.99 for your first year.
[00:26]
Alan Chappelle
Visit McAfee.com, cancel anytime terms apply. Foreign welcome to the Monopoly Report the Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. If you are new to the Monopoly Report, you can subscribe to our weekly newsletter at Monopoly Market and you can check out all the Monopoly report podcasts@monopolyreportpod.com I'm Alan Chappelle. This week my guest is Peter Craddock, a partner in data protection at the law firm Keller and Heckman. I'm excited to get Peter's thoughts on the concept of consent in a digital ad setting. My listeners on the business side may not know of Peter, but Peter was instrumental in building out the IAB EU TCF over the years and was one of the key lawyers for the IAB in its defense of the TCF in front of the EU Court of Justice over over the years. I imagine Peter and I are going to go pretty deep on consent on the definition of personal data and have a really interesting and back and forth. I can't wait. Let's have at it. Hey Peter, thanks for coming on the pod. How are you?
[01:43]
Peter Craddock
I'm doing well, thanks Alan. Thanks for having me.
[01:46]
Alan Chappelle
Oh, it's my pleasure. It's great to meet you. So let's walk through the history of consent in the ads marketplace in Europe over the years. And so what I'm going to try to do is yada Yada through about 20 years of history and see if we can come up with something that sort of coherent. But there was a time when it wasn't clear that an IP address was personal data and the E Privacy Directive required a consent for cookies kind of, you know, it was sort of maybe an implied consent. And so what was that? Because you've been in this space a while, what was that from your perspective you know, until like, you know, eight years ago? Kind of walk us through the marketplace back then.
[02:22]
Peter Craddock
Well, the thing is that until we had the Briar judgment of 2016, there was a lot of uncertainty about what is an IP address. Is it Personal data? Can it be personal data? Is it always personal data? And if you think about it, the questions that we were asking regarding IP addresses, we were also asking regarding cookies. Because if you think about the values that are stored in the context of cookies, they have similar characteristics. You know, it's not necessarily linked to an identity, it might be linked to a device rather than a person. And so there were similar considerations. And so a lot of the time organizations were just taking the position, well, you know, probably not, it's probably not personal data, we're not using it as personal data. So you should be more or less safe. And we should be able then to avoid the rules of the Data Protection Directive at the time, as implemented in national law. And the rules were a bit, indeed a bit more flexible in that respect. There was this idea that consent might not be as strictly interpreted as it is nowadays. And so you could get away with more simply also because there was less enforcement. So then we had the BRIAR judgment. And so that was a really interesting one. There's a kind of foundational bit of case law, because in there the Court of Justice of the European Union basically said information like an IP address can be personal data. If someone, in that context, it was basically the website administrator, the website operator, if that someone has means at its disposal, lawful means at its disposal, to basically get additional information to tie the IP address to a natural person. And so there, there was a very specific use case, and that was in the context of basically cybercrime, that it would be possible to get the public authorities involved and to figure out who was behind an IP address. And so, yeah, there was a very specific situation where it was possible to make an IP address personal data. But if you're not going to link that to a user account and if you don't have any specific reasons to tie it to someone, well, it still is not personal data. And so that BRIAR judgment was really very important from that perspective, but it was very rapidly interpreted in the wrong way to basically say IP addresses are personal data, full stop. That then had also an influence later on, because around the same time the GDPR was finalized and the GDPR was adopted in 2016 and the application of the rule started in 2018. And so then there's one specific reference in the recitals to the gdpr, the kind of preparatory explanation that says IP addresses and cookies and other identifiers can be personal data can. Right. So I think, you know, may, may be combined, et cetera. And so again, it's that potential personal data aspect that is in there. It's not that they always that they are potentially personal data. And so today, basically we're still dealing with that. We're still dealing with this same idea that IP addresses could be personal data, but you do have to have additional information at your disposal. So did we go from something where it wasn't clear at all to something where it's very clear that it's all the time? No, it's just that basically we've clarified the fact that you need to have that additional information. What's been interesting is at the same time you've had that evolution regarding consent, because this is the point, you know, what were the rules like before? Are they now a bit stricter? And we've seen that since 2018, there's been more and more of an emphasis of regulators on the conditions for consent in the eu. And they've been clarifying them and sometimes even going beyond the text of the gdpr.
[06:26]
Alan Chappelle
Yeah. And so how a lot of this has manifested itself within the greater ad tech space is that like, if you ask anybody in adtech about privacy and data protection, their first words out of their mouth is like, well, we don't touch pii. We don't touch pii. And as if that's a get out of jail free type of a card. And it's really fascinating to me that on some level, we're almost 20 years into this and we're still dealing with the fundamental question about what is personal data and where is a consent required? Because if you talk to most EU regulators, everything is personal data and a consent is always required. Okay, so my number one recollection as an American lawyer was that there was always seemed to be some seemingly random data protection authorities somewhere in Europe who would make proclamations about cookies being illegal, and then that would cause all kinds of waves in the business community here. And so what is it about the EU that seemingly allows so many cooks in the kitchen? And has GDPR really solved that problem?
[07:29]
Peter Craddock
The GDPR has not solved that problem, I can already tell you. And that is because of the fact that we, we have two systems to deal with. On the one hand, on cookies, we're talking about the E Privacy rules. E Privacy. I'm British, so privacy privacy. But the E Privacy rules basically are the ones that deal with this cookie rule and that basically say that for the storage of information on a device or the accessing or gaining of access to information already stored on the device, you need consent, unless something is strictly necessary for the service or for transmission of a communication. So that's basically epiracy. On the other hand, you have the GDPR and the epiracy rules are national. So every national regulator has its own remit. And the national rules sometimes change. There are some countries that have exceptions for analytics, like France, like Italy, like Spain, like the Netherlands. And then you've got others that just don't. So that already creates a bit of fragmentation. But then on the GDPR side, where normally we're supposed to have a kind of more uniform approach, even then you see that there are divergences between the approaches of different authorities. And it's a bit odd because you'd hope that we'd have a bit more harmonization, that we'd have a clear approach that is pan eu, but it's not yet there simply because the priorities of authorities are different. And sometimes, you know, they have different perspectives. Like recently there was a whole case regarding the Dutch authority that basically said, you can't have legitimate interests when it comes to commercial interests. Commercial interests are not legitimate interests. And everyone else was saying, no, that can't be true. But you did then have these examples of national divergences. And there's no central authority, central regulator to basically say, no, this, this is, this is the way we do it and we're imposing a view on everyone else. Instead, there's a collaborative system where different authorities communicate, discuss together and come up with a consensus. But then you still have certain divergences and you have certain disagreements among authorities also regarding the scope of those of those positions. So, so we, we don't have that kind of unified approach yet. I think the GDPR has helped to lead to a bit more often the unified approach, but we're still not there. And we're seeing that in the way that enforcement is happening. Just think about recently there's been regarding deep seek. There's been a fantastic flurry of actions from different authorities, with Italy saying, we're banning it from Italy, Ireland and asking questions, different authorities asking questions. You know, it's not like there's everyone together. We're together figuring out what our position is. You see that fragmentation and that's not great when you're in international business because you're basically facing so many different regulators. If you don't have an actual establishment in the eu, it's pretty difficult because you're dealing with lots of different regulators. Yeah.
[10:44]
Alan Chappelle
And I don't mean to be overly critical of the EU or the EU process. And I will simply point out that we over here in the Good old US Survey have our own brand of what I'll call dysfunction number one. Our definition of personal information is so broad that I actually don't know where personal information leaves off and de identified data takes over. And we have a little bit of a Schrodinger's cat thing there where a data set can be both personal information and de identified data. But also we are rapidly approaching a scenario where we have multiple states each weighing in on their pet, you know, privacy issues, and some of them are going to start taking slightly different positions and that's going to be a world of fun for the business community. But anyway, okay, so it's now, you know, 2015, and we're the industry, we're heading towards the GDPR and it's becoming pretty clear that a consent is going to be required in Europe for the serving of a digital ad, whether it's legal basis or placement of a cookie. But what were some of the biggest challenges to the creation of the tcf? I know you have some insights there.
[11:53]
Peter Craddock
Yeah, no, so the, the, the tcf, basically, if you, if you think about the story of it, the, the TCF came as a result of an observation that there was a need for a standardized approach to transparency on the one hand and to documenting the legal grounds on the basis of which certain processing activities take place. So this is all in the case where we're processing personal data. And so, you know, to your point of earlier about, you know, are we processing personal data? The excuse was we're not, we're not using personally identifiable information. Well, you know, there's a similar reflex to be had by lots of actors today still today, am I really processing personal data? But if you assume that you are, then you have a number of key obligations under data protection rules in Europe. And the two main ones that where there was a real need for a harmonized approach, a standardized approach that was regarding transparency. So what do I tell people about what I'm doing with data? And then how do I communicate about the legal ground that I'm relying on now? Everyone was already doing these processing activities. So the TCF isn't there to create those processing activities as some have claimed in, notably in the context of a litigation. But they basically, they're there to help have a standardized approach so that there's the same way to explain the fact that I am going to be processing personal data. And this is what it's going to look like, this is what I'm going to do with it. These are the identities of those who are involved in that processing activity. And so there's a lot there that had to do with two key issues. And the first challenge then was coming up with a standardized approach and figuring out, you know, what would be the scope of that. And through my contacts with people who've been involved in that, from the very beginning, there had been lots of discussions about how do we label things? And so the biggest challenge first, obviously, was getting people to want to do this. But secondly, it was figuring out how do we communicate in a common way? Because ultimately, this is about finding a common terminology, finding a common language, so we can all speak in the same way that we can tell data subjects, Internet users in particular. In this context, you know, what's happening? How are we going to use your data? Each of us individually, but we want to use the same language. And so because you have different approaches to personal data processing and so different kinds of specific purposes, there's a lot of work to be done in terms of harmonizing the labels. How do I explain these? And so a lot of the background, the work in the back end, was really about coming together as an industry and saying, you know, we can agree on wording, we can agree on explanations. Then the kind of those next stage, in terms of big challenges, was explaining that to the broader public, obviously. And so the adoption process doesn't seem to have been always that easy. But then gradually, you have more and more people coming on board, and then it grows very rapidly. And then nowadays, basically, the TCF is the framework that is being implemented by, you know, from what I heard, over 95% of commercial websites in the EU. So it shows that this has really grown. And then now you even have the TCF in Canada. You have other initiatives that basically have been derived from the TCF itself. And so it's. It's a fantastic standardization project for the industry. But then now, after that kind of initial phase of challenges, the following challenges all had to do with the enforcement aspect, where people start to say, well, you know, is that really enabling compliance? I have questions about it. Who do I turn to? Who do I blame? And so that leads to a lot of litigation. That is interesting in and of itself, but, you know, it shows the fact that when you're trying to come together as an industry, you have to anticipate the fact that they will potentially be challenges. People will question, you know, why are you doing that? And are you really doing it in the best possible way?
[16:20]
Alan Chappelle
So it's funny to hear you describe it. It just sounds all so wonderfully civilized and I say that with a little bit of a smirk because what I remember both from the run up to the TCF and then a few years prior to that as we started placing icons on ads here in the States, part of that self regulatory movement is these things become a bare knuckle fisted brawl really, really quickly. And boy, by the way, mad props to Julia Schulman and Matthias and the entire town and the entire team of the iabeu because this was not an easy undertaking trying to get all of these, you know, just crazy cats herded. I'm going to make a bold statement here and I want to, you know, get you to react to it. So in my view, the TCF works best as a way to get consent for the placement of cookies and as a general transparency tool. But once you go down the path of also getting a consent for profiling and ad targeting, I think the TCF runs into trouble. You agree? Disagree.
[17:27]
Peter Craddock
I disagree. And that's, that's actually because it's not so much about the, the tcf, but it's more about the, the activity itself. And this is where you see that the TCF itself, I'm, I'm a big fan of it. Not just because now I've been contributing to the, to, to certain groups in there and really seeing it evolve over the past couple of years in particular, but also simply because if you think about it, it's really a way of trying to get together as an industry and figuring out how do we get to better transparency, to better communication about what we're doing. And the TCF covers a whole range of purposes and only some of them have to do with personalized ads, profile based advertising, basically two purposes really are focused on that. And what you see then is the combination of those purposes and the actual underlying processing activity, which often uses OpenRTB, notably to function, is that there's then this issue of complaints coming in, people feeling like they're being watched all the time. And this is actually where the issues come. It's not from the TCF itself, it's from a perception of what profile based advertising does and how it works. Because ultimately if you think about how it works, the tcf, this is all about, you know, saying this is a set of principles to say that when I'm going to be doing this processing activity, I'm actually going to declare it in a specific way, I'm going to talk about it, I'm going to be transparent about the fact that I'm doing this. So the issues that the TCF runs into are actually not TCF related. They're because the underlying processing activity raises certain eyebrows. Should it raise eyebrows, should it require consent? I still like to challenge that because I still like to think that if you think about the way that the Internet, the open web works, a lot of it is basically because businesses have found that certain kinds of advertising help them to build the business case. So then we could get into a whole debate about, you know, contextual versus profile based. And this is a kind of debate that is really interesting nowadays. We're starting to see more studies, empirical evidence going one way or another. But ultimately, does it require consent? I still think you could argue that no. But it's really that combination that raises the issue. And this is where I think the trouble comes. It's because there's this particular approach regarding profile based advertising that leads to complaints, that leads to enforcement, and that's where the trouble starts.
[20:19]
Alan Chappelle
So I actually think we're in more agreement than I thought going in here. So my issue is not with the TCF per se. My issue is that if you're going to say you're getting a consent for the placement of cookie and you're going to get a consent for profiling and targeted advertising, that by my count is two consents. And the European Union does not like bundling consents. And so on some level, by buying into the notion that you absolutely need an additional consent for profiling and targeted ads, they've sort of set the whole mechanism up to fail a little bit with EU regulators.
[21:01]
Peter Craddock
This is an interesting point because when you think about that bundling, you're looking at it from the perspective of, well, cookies on one hand and profile based advertising on the other. But when you look at why you need that consent, if you say consent is needed for profile based advertising, that's then based on the GDPR is based on the idea that this is personal data that is being processed for specific purposes. The cookie aspect is under the E privacy rules. So nothing prevents you from combining consent to cookies for profile based advertising. It's because we basically often have a two step approach because we start with consent to cookies for a number of processing activities and then within there you then look at okay, well what is my consent for the processing of personal data? But you can actually combine them in a workable way. This is why I think that if you think about the way the TCF is implemented, there are some who really implement it in various stages. And this is potentially where the issue arises. Because if you look at the policies themselves of the tcf, you have that possibility to combine the certain ways of doing things together in a feature and so on. So there are ways to combine those.
[22:23]
Alan Chappelle
Got it. And I think that's where I'm not even sure there's a point of disagreement, as between you and I, but the question is really, can one bundle a consent obtained under the E Privacy Directive with a consent obtained via the gdpr? And we may have to leave that debate for a separate podcast because I want to jump into, get into paywalls and cookie walls. So, you know, the GDPR has a very high bar for consent, specific, informed, freely given. And some websites sort of had some challenges meeting that standard. And so in order to push users into consent, you know, sites have set up these cookie walls. And so walk the audience through here. What do I mean by a cookie wall? And what was the concern with the cookie wall under EU data protection law?
[23:10]
Peter Craddock
The cookie wall came really as a way of getting, of forcing people to make a choice. But initially the cookie walls that we've seen have all been about accept all cookies or go away. If you don't accept cookies in general, then we don't want you on our website. And that is problematic. And this is something that regulators have been fairly consistent about. You know, if you're going to use a cookie wall, then you have to make sure that the thing you're blocking, if you're blocking access to something that actually you are blocking access only because someone hasn't given consent or agreed to something that is actually needed for the website to function. Now, because we have behind us about 20, 30 years of people not really thinking about what is necessary, what is necessary to the functioning of a website, or not documenting, not arguing properly. And basically it's allowed a certain vision to take over that basically everything that is not, strictly speaking functional is not necessary for the functioning of a website.
[24:26]
Alan Chappelle
That sort of puts EU regulators in a weird position because there's no such thing as a business that I could walk into and say, hey, you know what, Starbucks, I don't want to pay for this coffee, but I think you should give it to me anyway.
[24:39]
Peter Craddock
Of course.
[24:39]
Alan Chappelle
And it sort of puts EU regulators in a weird spot because it's very debatable what is and what isn't really necessary for a website to function.
[24:51]
Peter Craddock
Agreed. And this is where I think that now, with getting to a point of a bit more maturity in the discussion, we're finally getting a debate. Notably, because some, some random people like me say, you know, we, we maybe should not always think of it that way. And it's because, you know, you get more and more people saying, well, there's the freedom to conduct a business that is also relevant. You know, you do have, you do have the possibility to run your business. There's no obligation to make anything available for free, full stop. And so I choose the conditions, you know, to use the example of Starbucks. When I walk into a Starbucks, Starbucks sets the conditions under which I'm able to benefit from the service. Some of those I might find personally to be exorbitant. You know, I might find that a coffee for, I'm exaggerating here, but for $25, you know, I would never pay for that, but maybe my neighbor will. And so then you get into an interesting debate about who sets the tone. Who decides what is necessary? Is it the business? Is it every individual customer separately? Is it a regulator? What about the case where someone might be in a more difficult position financially, or if someone might have a disability, does that mean that they basically, they are prevented from enjoying the service in the same way if the condition excludes them? So you get a whole range of, as such, really fascinating questions from a legal perspective. But they don't help businesses because that uncertainty blocks them. So the cookie walls really kind of were a way of cutting short that discussion, saying, you know, we don't want to get into that. You, you just, you accept or you leave. But once regulators started to push against that, then you got an evolution of how do we do this? And that led more to the paywall approach, where we're not saying, you know, just accept all cookies or leave this website. But suddenly we're getting more into a more nuanced definition of what is the service. And then kind of different tiers of a service. And then you have the kind of low version where you probably might get access to a website, but you might see more ads. And then you have the paid version where either you see no ads or you see fewer ads. Then this is when you get into that kind of tiered approach to access to the content.
[27:22]
Alan Chappelle
You know, there's other places where micropayments are a much, much larger, you know, percentage of the, of the equation. Here in the west, we tend to like ad supported because people have sort of been trained on everything is free, and that's wonderful. And, and then there's, there's certainly an underbelly to that. The reality is that publishers need to keep the lights on and they need to figure out how to monetize their content in some way. And one of the challenges is that you've got big tech sitting on a very large chunk of their ad revenue and in a mobile context, I suppose, on the subscription revenue as well. Okay, so I wanted to talk a little bit about what Meta has sort of become the lightning rod for everything, data protection in the ad space in Europe anyway. And they had sort of a famous case that went down, what, a year and a half. It's been playing out for a number of years because first the EU said, well, you can't use contractual necessity, you can't use legitimate interest. Okay, well we'll use consent. Problem with consent, I think in general is that as a large entity there's an unequal bargaining position as between Meta and your typical user on the street. But walk me through that, you know that history a little bit, what's going on there.
[28:40]
Peter Craddock
So the idea behind these evolutions is that when confronted with the idea, well, you know, I want to make available my service, I want to make my service available to EU users, but it's going to be ad funded. Well, initially there was that idea, well, you know, this is logical, it's part of the contract, you know, that's when I enter into a contract with Meta to use my Facebook account, then basically I agree to terms of service. And those terms of service include the fact that there is some kind of consideration. And when we're in that logic of free services that I'm not paying for directly, there's always that counterpart, well, someone else is paying for it and that someone else is basically through ad revenue in this context because you know, they're not a public utility, they don't get funds from the government, which basically would be funds coming from me anyway. I would not be paying indirectly as a taxpayer. I'm not paying directly as with my wallet. Well then there's somewhat somehow else that basically they're being compensated for the fact that they're offering this service. So that idea was, you know, it's baked into the contract, it's part of it. It's logical that it's all together. It's the consideration for the fact that I'm benefiting from that service. And there the idea that was given the reasoning that was given at the level of the EU court of justice was where you can't rely on contract as a legal ground for this processing activity of basically profile based advertising. Because we don't see this as being part of the definition of a social media service, that the social media service, based on these factual considerations by the court of justice, I'll get back to that in a second. But these factual considerations led them to say, you know, the service itself is not in return for a person profile based advertising, that personalization of the advertising itself, that this was not part of the definition of the service. Now I say, you know, factual considerations. The interesting thing in this story is that the court of justice is supposed to only really deal with legal issues, the points of law, how do I interpret the law? And so they have a couple of factual considerations in this judgment of July 2023 in the meantime. But basically they have these factual positions and I don't really agree with all of them. And I think that the parts of part of the issue is they've taken a certain factual position and so now kind of how do you disagree with that? How do you question that when in fact it wasn't really their place to say that. So contract excluded from their perspective because they define the social media service in a particular way. How about legitimate interests, which is kind of a fallback provision. But it's not the only. It's not a fallback in the sense that you can use it in every single situation. You also have to document your justification for using it. And there the position of the Court of Justice was, well, you can't rely on that because the interests, the rights and freedoms of the individual, of the natural person, the data subject, prevail over the interest of META in this context to basically serve profile based advertising, again based on certain factual considerations that could be questioned by a national court. But it led to that idea. Well, actually none of those two legal grounds is available. So that leaves basically only one in practice because the other three legal grounds are not used by private entities in these contexts. So is legitimate interest, contract or consent in practice for private entities? And then you're faced with this idea, well, you need to have a freely given, specific, informed and unambiguous consent. How do you do that? Because the freely given aspect is the one that raises the biggest issue here. If I want to get to benefit from a service, but I have to give consent to profile based advertising in order to benefit from the service because it's a consideration for it. Is it really freely given? And there's a really specific provision in the GDPR that I think is underutilized and underappreciated, but that basically allows you to combine a contract and consent. Article 7.4GdPR is really specific, but basically it's one that allows you to say that consent is freely given if you can show that the processing is necessary for the contract. But so this is one that hasn't been explored sufficiently by the Court of Justice, I think. But then basically you end up with that situation where you need to give consent to profile based advertising because the Court of Justice seems to suggest that's the only way. And then you do have that issue of is it really freely given if it's bundled as part of the service? And that's led to that whole idea, well, how do we disassociate profile based advertising from the service itself? So you had the GDPR on the one hand and then on the other hand you had external pressure through other laws, notably the Digital Markets Act. But basically from a GDPR perspective that led to that question, well, how can Meta offer a service that allows for freely given consent? And that's when they turned to the idea of the pay or okay approach, the subscribe or ads. Because if you then use that, if you use this approach, actually you do have freedom. I as a user have the freedom to give my consent to profile based advertising or part of my freedom is the other option that I pay with my wallet. So I have that choice. Now there might be cases where from a financial perspective, I don't want to make that choice. I don't feel like I have really two options in practice because maybe I have less income, maybe I've already subscribed to other things like Netflix and Spotify, and maybe I don't have enough that I think I want to dedicate to digital services. All right, but you also always make a choice with every other service, whether it's digital or physical. You know, you can choose to go get your coffee at Starbucks or you could go, you fetch it at the local cafe and one of them might be pricier than the other. There are alternatives then that led to the discussion in the context of the regulators assessment of the subscriber as the pay or okay approach of Facebook and Instagram. Well, you know, there are no alternatives. There's, there's a strong presence on the market and so on. And that led to an opinion of the European Data Protection Board that said you can't, you Meta cannot require consent. They basically didn't say Meta, but they in practice it was for Meta and another number of other undefined large online platforms, whatever that means. But they basically said you can't require consent in these cases because you're too important. A very fun thing I think, because coming from the regulators, a lot of them have constantly said, you know, I'm not on Facebook, I'm not on instagram so they showed that we could live without them. But it's interesting because it shows that there's a disregard for the possibility of moving to an alternative, whether it's consciously that they're kind of avoiding that discussion or not. I think it's an interesting given and part of the conversation.
[36:50]
Alan Chappelle
You know, I'm not going to be here arguing the position of any particular EU data protection regulator, but I can understand the idea that a, you know, all the social platforms, really, all of big tech, have just been allowed to grow so large and are just such a big part of our, you know, current society that there is something to the idea that, you know, not being on one of them. All right, so, for example, LinkedIn, what would it do to our careers if we didn't feel comfortable, you know, broadcasting all of our wonderful thoughts and opinions on LinkedIn as a way to, you know, increase our visibility in the industry? Like, that would be hard to get rid of. And you and I, relative to others, you know, have a lot more power.
[37:36]
Peter Craddock
And this is, this is the interesting thing, because when you start to think about that, the first reflex is, I can't live without it. You know, I have been building my presence on LinkedIn through publications, you know, these in depth assessments and so on for years now. And so there's a lot of investment in the back end. That means that for me, it would be potentially more difficult to switch to something else, but nothing prevents me from then gradually going somewhere else as well. And so you have a number of people who have, over the years been cultivating a presence on multiple social media platforms. And then, you know, for instance, there had been several calls to quit Facebook, to quit Twitter, now, x, to quit LinkedIn. You know, there's always been something about this. So there's. The question that this raises is, do I then have to look at the subjective assessment of one particular person? And that is where things get really difficult. Because if we have to take into account the position of every individual, how can a business actually move ahead with any decision? How can a regulator take a common view about what is relevant? Because if we take the position of Alan And Peter, yes, LinkedIn is difficult for us to quit, but is that a relevant measure? And this is where you get into interesting discussions about how do you assess that?
[39:05]
Alan Chappelle
No, And I feel like we've now starting to gravitate into the we should open up a bottle of wine portion of the discussion here, because I sort of. I agree with you. If you're going to take a principled stand in life there are sometimes costs to that principled stand and that's just a reality. And so the idea that EU data protection law is going to remove the cost of taking principled stands, to me on its face seems a little absurd. Well, this has been a fantastic discussion. Before I let you go, I wanted to, we ask a lot of our guests, you know, what is your hobby or passion? And I'd love to hear yours, Peter.
[39:43]
Peter Craddock
Well, you know, I've got a hobby that is not too far removed from your not complete hobby, your semi professional one. Because I've been composing music for, I don't know, 20 odd years and every now and again, you know, I go behind my, I sit behind my, my piano keyboard and I start doing stuff and I actually recently composed a Christmas song, but it's not at all ready for, it's not been recorded but it's, you know, there are things like that that I do every now and again. And it's fun because it's is the kind of novelty act idea that you can have. You know, if I go to, to a family event, you know, I can always find a piano somewhere. There's bound to be something that you can do somewhere in the airport lounge or at an event or somewhere. And then you can just randomly start playing something that you've composed or just make it up as you go along. And, and so one thing I like to do then is if the, if there's a piano and now people saying, well, then I just randomly start accompanying them or figure out what it sounds like as we go along.
[40:53]
Alan Chappelle
Well, I hope at the next iapp. Trevor Hughes, if you're listening, and I know he is, bring a baby grand into the next reception at the IAPP event in Washington D.C. maybe even bring two. Peter and I will have a piano off.
[41:07]
Peter Craddock
Yeah.
[41:09]
Alan Chappelle
Peter, thank you so much. This has been a fantastic discussion. I really appreciate you coming on.
[41:13]
Peter Craddock
Thanks Adam. It's been great.
[41:16]
Alan Chappelle
That was a really fun conversation. We've got a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube or wherever you listen to your podcasts. Peter, thanks so much for coming on. Thank you for listening to the Market podcast. New episodes come out every Friday and an insightful vendor interview is published each Monday. You can subscribe to our library of hundreds of executive interviews at Markitecture tv. You can also sign up for free for our weekly newsletter with my original strategic insights on the week's news at News Market tv. And if you're feeling social, we operate a vibrant slack community that you can apply to join@adtechgod.com.