The pop-ups that ask internet users – often in misleading ways – to accept cookies are illegal, a Belgian regulator has ruled.
“You can't ask people to agree to a data breach,” Johnny Ryan, an employee of civil rights advocacy group Irish Council of Civil Liberties, explained.
Ryan filed a formal complaint back in 2018 against the system that funnels personal data from internet users to businesses, De Morgen reports.
“I used to work in the online advertising industry and saw the biggest data leak ever,” Ryan said.
“Information about what everyone is watching, reading, listening to and where we are is being sent to thousands of companies without us having any control over what happens to that data. What they did as an industry was completely illegal, but they tried to hide it under cookie banners.”
Pop-ups asking users to agree to cookies are misleading
It was Ryan's initiative that eventually led to the Belgian Data Protection Authority (DPA) ruling earlier this month that the Transparency & Consent Framework (TCF) most commonly used in Europe is illegal.
This system, in which pop-ups ask website visitors to agree to cookies in an often misleading way, takes personal data and uses it in online auctions for advertising space that take place in mico-seconds behind the scenes of a website. This is the reason why people often see personalised ads on pages that are chosen based on their age, gender, search history or other factors.
- ‘Accept all cookies’: Data Protection Authority wants to know what it means
- Public agencies’ data storage to be scrutinised by European regulators
The European association of digital advertisers, IAB Europe, must pay a fine of €250,000 and will have two months to come up with changes to the current system. After that, the advertisers will get another six months to modify websites for compliance.
All illegally collected data since 2018, the year the European privacy legislation came into force, must be destroyed.
Effects of personalised ads are hard to measure
According to researcher Evert de Haan of the University of Groningen, the effects of personalised advertising are not easy to measure: “The chance that someone clicks on a banner is on average about one in five thousand. That makes it difficult to see statistically significant differences between groups.”
The most convincing evidence that personalised advertising is effective comes from an experiment on a website of the Chinese multinational Alibaba, says Professor Ting Li of Erasmus University.
Normally, visitors to the website are shown suggestions of products based on their personal data. During the experiment, which lasted one day, this was not the case for a randomly selected group of over half a million customers, who were instead shown random suggestions.
As a result, they clicked four times less on the suggestions, left the website faster and bought more than 80% less than users who saw personalised ads.
DPA in Netherlands advises contextual advertising
The Dutch Personal Data Authority advises a switch to contextual advertising, whereby advertisements are linked to the content of the websites on which they appear: for example, advertisements for car brands accompany an online newspaper article about cars.
The Dutch public broadcaster began doing this in 2019 and saw positive outcomes.
“The number of ads went down significantly, but the revenue per ad went up,” said privacy officer Joost Negenman.
“In the whole chain, an awful lot of money stays with intermediaries. If you make a direct link between the advertiser and the platform, almost the entire amount that the advertiser spends can also go to the platform.”
Regardless of whether a switch is made to contextual advertising or something like advertorial, whereby advertising text is disguised as a news article or journalism, Johnny Ryan said the one thing is clear: “The alternative is illegal. This should be the end of pop-ups.”