“Data vampires” ignoring GDPR

Web advertisers are blatantly ignoring legislation designed to protect consumers' privacy and in some cases deliberately misleading people into accepting ad cookies.

A year on from the introduction of the General Data Protection Regulation, even big-name advertisers continue to flout the law. Two out of three websites fail to comply with the regulation because the data they collect is their lifeline.

"You have all the ad tech players, whether it's publishers or the Interactive Advertising Bureau (IAB) partners or Google or Facebook or whoever... they need to make money from the data they collect, it's how they make a living, selling the data on because everybody wants it," said Joyce Allen, founder of BCS-accredited information rights training firm Freevacy.


"They are all as bad as each other; it really doesn't matter who they are."

We looked into the privacy settings of a range of websites and confirmed that, across the board, privacy policies and cookie settings failed to adhere to the regulations. In some instances, the sites are even being deliberately designed to mislead consumers about the choices they make.

"Some of these [cookie] explainers are made as difficult to understand as possible, I would argue, in order to urge people to suffer from consent fatigue and just click 'Accept all'," said Pat Walshe, director of Privacy Matters, a data protection consultancy. "Often the language and the choices they present are essentially what amount to dark patterns that enable data vampires."

Walshe gave examples that included multilayered consent dialogs that leave some permissions switched on. One is Scotland's The National newspaper, where visitors can switch off all five listed categories of advertiser data sharing, but clicking Save still grants permission to the partners listed behind a small 'Vendors' link below.

"With The National, even if you rejected every single one of the categories presented to you, at the bottom of that there's something called 'Vendors'," Walshe said. "If you're not aware that's there and merely disable all of the categories to opt out, you'd think you're covered, but then go to 'Vendors' and what you find is that not all of the vendors are defaulted off. You'll still be trapped."

The National declined to comment.

Encouraged by the big players

Deceptive practices are widespread, even among the biggest names. Last year, Google was accused of misleading practices by the European Consumer Organisation (BEUC), a federation of national consumer organisations.

According to BEUC's Every Step You Take report, Google used deceptive click flows to push users into accepting location tracking. The company also hid enabled-by-default settings for web activity on separate pages and gave misleading and unbalanced information about what data was collected.

Google has since moved to address some of the criticisms, but according to BEUC the company's actions exemplify an industry-wide disregard for clarity. "When it comes to one of the leading giants in this sector, Google, research by our member organisations revealed the use of misleading practices," a BEUC spokesperson told us.

"Google uses various tricks and practices to ensure users enable location-tracking features and does not give them straightforward information about what this effectively entails."

Google disputed some of the BEUC findings at the time and declined to comment further.

BEUC research found such practices were widespread. "It found that two out of three companies were in breach of the law," the BEUC spokesperson continued. "For example, they installed tracking cookies before the user had given permission.

"Some websites have improved their practices since last year, but the problems related to the use of online trackers are still far from being addressed."

The requirement to make users opt in to, rather than opt out of, ad tracking is one of the key parts of GDPR that companies routinely ignore, according to BEUC.

"Often the problem is not only about how difficult it is to opt out but about the fact that users are not asked to opt in when they should be," the BEUC spokesperson said. "Even if they are asked to opt in, this is not done in a way that would deliver valid consent under the data protection rules."

What's the punishment?

The Every Step You Take report led to official complaints being launched against Google, and the company was also hit with a €50 million fine by French data watchdog CNIL for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation".

The Irish data watchdog has also opened 17 investigations into the data practices of various companies, including, most recently, one into ad-tech firm Quantcast over concerns about its aggregation and profiling of personal data.

However, according to Allen, such action is exceptionally rare, and the inaction of official data protection bodies such as the UK's ICO is another factor that plays into the industry's hands.

"If you take the herd mentality, it's that somebody else will get the penalty," she said. "While there is someone else that might get the penalty, people are thinking 'well, they're bound to look at Facebook and Google before they look at us'.

"So they will carry on doing what they are doing, some bits good, some bits bad and some bits hidden, and they will keep doing that until there's case law."

The ICO has said it plans to look into the ad-tech industry more closely in future, but for the time being there is almost zero threat of punishment for breaking the rules. "We have an impasse where the public don't know whether to let collection happen, the companies can't afford to lose their revenue streams, changes cost money and the regulators are looking but haven't done anything specific," said Allen.

"There will be court cases and when there are then the ad-tech companies and publishers will have to start to create a different set of rules to follow."