1. Explicit Tracking

Explicit tracking occurs when a user is identified by a tracking mechanism that assigns a unique identifier per user. A user’s device may emit a unique identifier for functional reasons which can be used to track them, or a tracking infrastructure may have caused the device to store and emit an identifier on request.

On the Web, cookies are one of the main methods used in explicit tracking. Cookies were invented in 1994 to provide an ability to retain state to the stateless HTTP protocol, and “[give] the Web a memory.”Footnote ⁴ They consist of text, often encoded or even encrypted,Footnote ⁵ that can be placed by a server in a user’s browser and examined later by a server. Cookies have a range of useful functions; without some ability for a website to store information in a browser, login status, for example, could not be reliably remembered the next time a user visits a site. It would also be challenging for e-commerce applications, such as retaining items in a basket online. However, the seamless and silent nature of cookies has also meant cookies can be used in ways that go beyond users’ expectations.

In the early days of the Internet—when nobody knew which users were dogsFootnote ⁶—content on webpages usually only came from a single source. Netscape Navigator 2.0 introduced the function of rendering two HTML files in a single browsing window in 1996 through frames, and so security features were needed to determine which frame could access which information in the browser. The Same Origin Policy, broadly put, means that documents in the browser, such as cookies, can only be accessed by servers sharing their protocol, for example, HTTP or HTTPS, domain, and port.Footnote ⁷ The intention for this was so that if one party places a cookie, another party cannot read it.

Driven by a desire to establish cross-site tracking, the advertising industry sought to circumvent the effects of the Same Origin Policy. Cookies that are not placed by the website publisher itself are often called third-party cookies. Say that somebody visits a website, www.A.com. It may seem that each element on that website comes from A.com. In reality, however, different elements of the website are often sourced from other domains. For example, a website may have a box for advertisements, or for recommended articles elsewhere on the web. In most cases, ads are shown on a website not by the website publisher itself—A, in our example—but by third parties. Those third parties can also place and read their own cookies, third party cookies. The website visitor usually does not see that their browser contacts these different domains; for the website visitor it seems like one website is being loaded from one domain. While a user may only see one URL in the address bar, visiting almost any site now entails querying tens or hundreds of other servers.

Some firms have spread their own tracking code with resounding success: Google calls home with unique identifiers for at least twenty-eight percent of all web page loads, while Facebook does the same for approximately fifteen percent.Footnote ⁸ The proportion is significantly higher in certain sectors, such as news, compared to others, such as banking. Trackers also differ by country—U.K. users are tracked more in this manner than Chinese web users, for example.Footnote ⁹

Yet firms with less infrastructure also established means to track users more broadly by using loopholes in the Same Origin Policy to combine the reach of their tracking. The prime mechanism this is carried out is through cookie syncing, also called cookie matching. In its most basic form, this involves a third-party with a cookie (“Tracker1”) making a user’s browser query a second third-party (“Tracker2”) with a URL which includes Tracker1’s identifier.Footnote ¹⁰ Because the user’s browser is querying Tracker2, Tracker2 is able to look at its own cookies on the site. As the query includes the ID that Tracker1 just saw from its own cookies, this has the effect of enabling Tracker2 to possess both identifiers at once, associating their own cookie ID with Tracker1’s cookie ID. The two organizations can share data through a back-channel server-to-server transferFootnote ¹¹ to connect the profiles they have built so far. This cookie syncing significantly widens the scope of tracked activity online by pooling the reach of multiple trackers.Footnote ¹² Even under conservative estimates of server-to-server transfers—based only on observed cookie syncing—fifty three firms observe more than ninety-one percent of users’ browsing behavior.Footnote ¹³ This figure is likely an underestimation; a recent study found evidence that as many as twenty-seven percent of advertiser-tracker relationships may be undetectable through cookie syncing analysis.Footnote ¹⁴

More recently, trackers have sought to evade restrictions on third-party cookies in a number of newer ways. In particular, they have been encouraging sites to edit their Domain Name System (DNS) records to effectively deliver third-party tracker resources from the same domain that is serving the website, making effectively blocking trackers without breaking the website a trickier task. This also creates a range of serious security risks, as first-party cookies often include cookies designed to log a user in to a website, and such configurations can mean that these cookies can be read by and sent to a third party other than the website operator.Footnote ¹⁵ As a result, the terms “first-party cookies” and “third-party cookies” have less meaning in a legal context; a case-by-case analysis will be required to understand which actors are involved in any particular cookie, as the domain name-based identity of the server laying it may not be the same as the organization utilizing its tracking potential across websites.

On mobile devices, app developers, which are analogous to website publishers, have more freedom to execute arbitrary code. As the Web is accessed through a browser, the browser has power to limit the ways a website can function. In contrast, app developers can specify the way their software works without being required to cede rendering and execution decisions to the browser. Instead, looser limits are applied at the level of the mobile operating system—for example, limiting access to sensors such as the camera or GPS—and through any conditions placed upon apps allowed to be distributed through official channels such as Apple’s App Store and Alphabet’s Play Store, which for most users will be the only way they install custom software.

The fact that app developers have more freedom than Web developers to determine who is able to track individuals means that active tracking, rather than passive tracking, is the main issue in the mobile sphere. Third-party services are integrated in apps for a variety of purposes, including crash reporting, to provide usage or engagement analytics, to integrate agile development methods such as A/B testing, to integrate with other services such as social networks, and to deliver advertising. Almost all of these services, with the exception of advertising services, only operate in the background of applications, and users are in general unable to detect and understand the extent to which the app is communicating with both the developer’s server or third-party servers.

Empirical studies into tracking apps are challenging and are mostly limited to the Android platform due to the inability to examine the innards of the heavily restrictive Apple iOS system. Studies seeking to survey app tracking at scale take a few different approaches.Footnote ¹⁶ Some researchers intercept traffic from hundreds of thousands of apps which are being either interacted with automatically by bots synthesizing real user input in a sandbox on a server,Footnote ¹⁷ or by using real user interactions, with traffic captured via user-installed VPNs.Footnote ¹⁸ One recent study identified 2,121 separate advertising tracking services in apps in the Android ecosystem, which can be grouped by ownership into approximately 292 parent organizations.Footnote ¹⁹ Another study found that 88.4 percent of apps contained a tracker owned by Alphabet (Google), 42.6 percent by Facebook, 33.9 percent by Twitter, 26.3 percent by Verizon and 22.2 percent by Microsoft.Footnote ²⁰ Thirty-percent of News apps, twenty-eight percent of Family apps, and twenty-five percent of Gaming & Entertainment apps contain trackers from more than ten distinct tracker companies.Footnote ²¹

Mobile devices hold a variety of unique identifiers tied to their software and hardware with different levels of permanence, such as the IMEI, IMSI and SIM number, operating system number, phone number, device ID, MAC address, and operating system-specific advertising identifiers.Footnote ²² Third-party plug-ins have a variety of direct and indirect ways to access these identifiers, and in practice access and transmit a wide variety of them.Footnote ²³ Such identifiers are also linked through a variety of means to track individuals across different devices, although exactly how this occurs in-the-wild is unclear.Footnote ²⁴

2. Inferred Tracking

Inferred tracking seeks to identify or profile an individual from observing their digital traces online and re-identifying a user through primarily probabilistic means. Unlike explicit tracking, these approaches are “stateless”—they do not change the behavior of user’s devices, nor store information on them directly. Inferred tracking is therefore substantially more challenging for an individual or device to defend against.

Fingerprinting is a core approach for inferred tracking. Early documentation of fingerprinting was provided by analysis from the Electronic Frontier Foundation’s Panopticlick tool, which uses modern fingerprinting techniques to determine how unique—and therefore how fingerprintable—your browser is.Footnote ²⁵ Browser fingerprinting is a moving target, as sophisticated techniques can circumvent proxies, reveal the particular version of a browser, and repurpose new Web technologies for fingerprinting as they emerge.Footnote ²⁶ Research has found evidence of fingerprinting on at least 4.4 to 5.5 percent of top websites, although these should be taken as lower bounds due to the difficult-to-observe nature of fingerprinting techniques.Footnote ²⁷ These methods interplay with explicit tracking mechanisms—if the user clears their cookies, for example, fingerprinting approaches can be used to re-establish or “respawn” deleted identifiers.Footnote ²⁸

Inferred tracking also plays an important role in cross-device tracking. Simulated cross-device tracking studies have estimated a significant ability to follow users from their mobiles to their desktops, even if they are not logged in to the same service—for example, if they are connected to the same router. Many companies advertise probabilistic cross-device tracking as a reason to install and use their trackers.Footnote ²⁹ Despite scholarly interest, the covert, stateless nature of fingerprinting and inferred tracking makes its prevalence, scope, and affect unclear.Footnote ³⁰

1. Consent

The GDPR states: “Processing shall be lawful only if and to the extent that at least one of the following applies: … [T]he data subject has given consent to the processing of his or her personal data for one or more specific purposes.”^{Footnote 56} The requirements for valid consent are strict under the GDPR. The GDPR’s consent definition says that consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.^{Footnote 57} Article 7, on the conditions for consent, makes the requirements for valid consent even stricter.

The following elements can be deduced from the GDPR’s consent definition: Valid consent requires (i) an indication of wishes, which is (ii) specific and informed, and (iii) freely given. We discuss each element in turn.

2. Necessity for Contractual Performance

Another legal basis in the GDPR is necessity for contract performance. Sometimes a controller can have a legal basis for processing if the processing is necessary for performing a contract.^{Footnote 77} In the words of the GDPR, a data controller can have a legal basis for personal data processing if “processing is necessary for the performance of a contract to which the data subject is party ….”^{Footnote 78} For example, a newspaper publisher does not need to obtain consent to process the name and address of a subscriber, as far as these personal data are required to deliver the newspaper to the subscriber’s home. The personal data is necessary to deliver the newspaper to the subscriber and thus to fulfil the contract.

Can a contract provide a legal basis for personal data processing for RTB? Almost certainly not. For this provision to apply, the processing must be genuinely necessary for performing the contract. CJEU case law has favored the data subject in interpreting necessity narrowly: “As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary.”Footnote ⁷⁹

The necessity requirement is related to proportionality, as confirmed in CJEU case law.^{Footnote 80} The CJEU has said that “the principle of proportionality requires that [measures] be appropriate for attaining the legitimate objectives pursued … and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives.”^{Footnote 81} In sum, one should not too easily assume that data collection for RTB and targeted advertising is necessary for performing a contract.

Apart from the necessity requirement, there are legal requirements for entering into a contract. It is dubious whether those requirements are met when somebody merely uses a website or an app. From a legal perspective, the main requirement to enter a contract is that both parties want to enter a contract.^{Footnote 82} To illustrate, the Vienna Sales Convention says that “[a] statement made by or other conduct of the offeree indicating assent to an offer is an acceptance. Silence or inactivity does not in itself amount to acceptance.”^{Footnote 83} But somebody who visits a website or uses an app rarely intends the wish to enter a contract about tracking or RTB.Footnote ⁸⁴

Therefore, in most situations, internet users do not enter a contract with companies about trading personal data for ad targeting against the use of a service. Especially if a company collects or uses information about people without them being aware, it is hard to see how those people could have entered a contract with the company.^{Footnote 85} Indeed, the European Data Protection Board says that the legal basis of “necessity for contract performance” is not an appropriate legal basis for data processing for behavioral advertising; consent is always required for such advertising.^{Footnote 86}

3. Necessity for the Controller’s Legitimate Interests

Another legal basis that a controller can invoke for personal data processing is the legitimate interests provision.^{Footnote 87} Roughly summarized, a controller can rely on this provision when personal data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and those interests outweigh the data subject’s interests or fundamental rights. In the words of the GDPR:

The CJEU says that the legitimate interests provision implies three cumulative requirements: “[F]irst, the pursuit of a legitimate interest by the data controller or by the third party … ; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.”^{Footnote 89}

First, are RTB and targeted advertising legitimate interests? Recital 47 gives “direct marketing purposes” as an example of legitimate interests.Footnote ⁹⁰ The recital thus gives an argument in favor of accepting RTB and targeted advertising as legitimate interests. Moreover, RTB companies can invoke their “freedom to conduct a business in accordance with Union law and national laws and practices,” as protected by the Charter of Fundamental Rights of the European Union.^{Footnote 91} The Advocate General of the CJEU confirms that online marketing relates to the freedom to conduct a business.^{Footnote 92} The European Data Protection Board emphasizes, logically, that only lawful practices can form a legitimate interest.^{Footnote 93} If RTB brings serious risks for people’s privacy and data protection rights, its lawfulness could be questioned. But for now, let us assume that the controller—a company doing RTB—has some legitimate interest.

The second question is: Is the processing necessary to pursue those interests? As noted in the previous section, the necessity hurdle is difficult to overcome. Whether RTB is necessary is debatable. Suppose that the company’s interest is making money with online advertising. In that case, there are many other ways of online advertising that do not entail much personal data collection. For example, contextual advertising does not require collecting data about people. Contextual advertising is the practice where ads are adapted to the context, or content, of a web page, exploiting the notion that content preferences may reflect consumer preferences.Footnote ⁹⁴ For instance, ads for local hotels on a website about tourism in Madrid.

However, a company might also argue that it specializes in behavioral advertising or in RTB. A counter argument could be that behavioral advertising is possible without large-scale data collection. Several systems have been developed for, in short, confidential ad targeting.Footnote ⁹⁵ Already ten years ago, researchers developed Adnostic, a browser plug-in that does not involve sharing one’s browsing behavior with a company. Adnostic builds a profile based on the user’s browsing behavior and uses that profile to target ads—all within the user’s device. Minimal information leaves the user’s device, as the behavioral targeting happens in the user’s browser.^{Footnote 96} Such techniques are entering practice, such as Google’s Federated Learning of Cohorts (FLoC) system for microtargeting within Chrome.Footnote ⁹⁷

Seeing that behavioral advertising is possible without sharing much data with companies, one could argue that large-scale data collection for behavioral advertising is disproportionate and thus not necessary. The requirements for necessity are indeed strict. However, DPAs rarely, if ever, follow that line of reasoning, perhaps because it risks prescribing certain means of processing.^{Footnote 98} Furthermore, current proposals, such as FLoC, require large-scale infrastructural control and coordination, such as shaping a browser and orchestrating a protocol through it, which is not within the power of all data controllers to achieve.Footnote ⁹⁹ Let us then assume, for argument’s sake, that some companies engaged in RTB can, in some situations, pass this necessity test.

That would bring us to a third question: Do the data subject’s interests outweigh the company’s interests? Few, if any, companies engaged in RTB could overcome this hurdle. The data subject’s interests include the fundamental rights to privacy and data protection.^{Footnote 100} Case law of the European Court of Human Rights confirms that people have a reasonable expectation of privacy regarding their Internet use.^{Footnote 101} Moreover, surveys consistently show that people see online tracking and related practices as a privacy invasion.^{Footnote 102}

Indeed, the European Data Protection Board suggests that data controllers cannot rely on the legitimate interests provision for personal data processing for targeted advertising: “[C]onsent should be required, for example, for tracking and profiling for purposes of direct marketing, behavioral advertisement, data-brokering, location-based advertising, or tracking-based digital market research.”^{Footnote 103} Several authors agree.^{Footnote 104}

The ICO confirmed in a 2019 report that “the nature of the processing within RTB makes it impossible to meet the legitimate interests lawful basis requirements.”Footnote ¹⁰⁵ The DPA adds that “the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (i.e. processing relating to the placing and reading of the cookie and the onward transfer of the bid request).”Footnote ¹⁰⁶ Regardless of this array of explicit regulatory guidance on the inappropriateness of this lawful basis, empirical research finds that many RTB vendors in Europe still claim legitimate interest as a lawful ground.Footnote ¹⁰⁷

In conclusion, in almost all cases, the data subject’s consent is the only available legal basis for personal data processing for RTB and behavioral advertising under data protection law. Even in the far-fetched case that a company can rely on another legal basis for RTB, separate EU law still requires the company to ask consent, namely for the cookies and similar technologies. That cookie consent requirement is the topic for the next section.

4. e-Privacy Directive and Consent for Tracking

Apart from the GDPR, the e-Privacy Directive requires consent for the use of tracking cookies and similar technologies. The European e-Privacy Directive says—roughly summarized— that cookies may only be placed after a website visitor has given his or her informed consent, unless those cookies are necessary for communication or to provide a requested service.^{Footnote 108} A website must also ask the visitor consent if third parties—such as advertising networks or social media companies—place cookies on the visitor’s computer via the website.Footnote ¹⁰⁹

There are two exceptions to this consent rule. First, a website does not need to ask consent if a cookie is placed for the sole purpose of sending communication. For example, if a cookie is needed for the login procedure of an online bank, no consent is required. Second, consent is not required if a cookie is necessary to provide a service requested by the visitor. No consent is therefore required for cookies that are used, for example, for a virtual shopping cart. And no consent is required for a cookie that is placed when a visitor sets his or her language preferences for a website.

For the sake of readability, we speak of cookies, but the e-Privacy Directive applies to many more technologies. The rule applies as soon as a party places information—such as a cookie—on a user’s device or reads information from a user’s device. The rule therefore also clearly applies to, for example, flash cookies—also called local shared objects—and some forms of device fingerprinting.^{Footnote 110}

Consent in the e-Privacy Directive must be interpreted as consent in the GDPR.^{Footnote 111} Therefore, consent for cookies must comply with the GDPR’s strict requirements for consent, for instance, regarding sufficient information.

The CJEU adds that the information provided by the company operating cookies “must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.”Footnote ¹¹² Moreover, “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.”Footnote ¹¹³ The disclosure “must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.”Footnote ¹¹⁴

The CJEU confirms that opt-out systems do not lead to valid consent for cookies: “[C]onsent … is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.”Footnote ¹¹⁵

If somebody gives consent for the placing of a cookie—as required by the e-Privacy Directive,—he or she does not automatically give consent for related personal data processing.Footnote ¹¹⁶ So even after a company obtained consent for dropping a cookie on someone’s device, the company still needs a legal basis for personal data processing if the company wants to use personal data for RTB or targeted advertising. If a company wants to use a tracking cookie for personal data processing for RTB or targeted advertising, both the privacy’s consent requirement and the GDPR’s requirement for a legal basis apply. In practice, a company could ask for consent for a cookie and consent for personal data processing in one consent request.^{Footnote 117}

5. Lifting the Ban on Using Sensitive Data

In many cases, there is yet another reason why RTB requires the consent of the data subject. As the UK’s Information Commissioner’s Office (ICO) notes, RTB often concerns the processing of special categories of data, also called sensitive data.Footnote ¹¹⁸ Special categories of data are data about, for instance, someone’s political opinions, health, or sexual preferences. In principle, the processing of such data is prohibited. The GDPR defines special categories of data as follows: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, … data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.Footnote ¹¹⁹

RTB can lead to the processing of special category data in several situations. For instance, visits to certain websites—like Muslim news or Kosher recipes, for example—can suggest somebody’s likely religion. Visits to certain online newspapers can suggest someone’s political opinion, and visits to certain sites can give an indication of someone’s sexual preferences.

Determining whether special category data is being processed can be a nuanced task under data protection law. At one end of the spectrum, a controller might argue that they never intended to use such categories, nor made any specific variables to capture them, and therefore should be free of the obligations they entail. On the other end, processing of Web browsing data might result in different advertisements for those in groups that the special categories of data represent. Insofar as processing of high-dimensional data such as Web history should be expected to have the potential to reveal latent special category data, there is an argument that it should be treated as such, as were such data to leak, be transferred or misused, it has similar damaging properties to obviously special category data. However, such a view would see special category safeguards—often explicit consent—apply to a huge variety of datasets as, for example, religion may be inferred from names with relatively high accuracy. The challenges in navigating this trade-off are navigated warily by regulators. The ICO in recent guidance appear to indicate that they believe that special category conditions are triggered (i) where the use of a dataset is intended to infer such categories; and (ii) where a proactive assessment, “part of [a controller’s] obligation to implement data protection by design and by default,” reveals that, in practice, a model “learns to use particular combinations of features that are sufficiently revealing of a special category.”Footnote ¹²⁰

The ban on using special categories of data can only be lifted under certain specific exceptions. For instance, hospitals can process medical data.Footnote ¹²¹ For adtech and RTB, the only available exception is the data subject’s explicit consent.Footnote ¹²² Regulators have struggled to distinguish explicit consent from bog-standard GDPR consent. Implicit consent—as a contrast to active consent—is already prohibited under both the GDPR and the previous Data Protection Directive 1995.Footnote ¹²³ So what is left? The European Data Protection Board leans towards written consent, such as a signed or digitally signed document or statement, or a two-stage process with email verification, but do not provide clarity on the matter.Footnote ¹²⁴ At the very least, the consent obligations discussed in this article apply in the case where special category data is, or may, be processed.

In conclusion, for several reasons, a company doing RTB can only legally do so after the data subject’s consent. To avoid misunderstanding, we are not arguing that informed consent is a panacea, nor that consent requirements are the best way to regulate RTB and adtech. Under what conditions less consent-focused privacy and data protection law might protect privacy remains an interesting question—albeit one that falls outside the scope of this article.Footnote ¹²⁵

1. Consent Management Platforms

This understanding is part of the driver behind a recent trend within web tracking—the emergence of CMPs. Using these code libraries, which are embedded within webpages and, less frequently, within apps, a large number of third parties—the industry prefers the term ‘vendors’—simultaneously seek consent from a data subject in one action. Consent management platforms facilitate this single transactional moment, usually through user interface resembling a banner or a barrier. They emerged in early 2018 as the GDPR came into force, with the market characterized by a handful of major players.Footnote ¹³⁰

The attempt to get simultaneous consent can and does end up with consent sought for hundreds of vendors at once. A recent study used web scraping to look at the five largest CMPs in the field and found a median number of 315 vendors from whom consent is requested at once.Footnote ¹³¹ At the time of the study in late 2019, the largest CMP by market share, QuantCast, was nearly always configured to request consent for 542 vendors with a single click.Footnote ¹³² The identity of these vendors changes and fluctuates over time.Footnote ¹³³

The CMP approach has several problems which result in questions around its legality, which we will discuss below.

2. Inability to Withdraw Consent as Required by Law

CMPs seem to breach the GDPR’s requirement that consent be “as easy to withdraw as to give.”Footnote ¹³⁴ Let us have a look at the common standard for CMPs across the industry: The Transparency and Consent Framework (the “Framework”) coordinated by the IAB. The IAB is the industry body who coordinate the actors in much of the RTB ecosystem, enabling the processing to be carried out through the standardization, monitoring, and continued negotiation of the OpenRTB protocol. The IAB also seeks to assure DPAs that RTB is compliant with the law through contractually limiting and shaping the means and purposes of processing for actors within the ecosystem using the Framework. The latest version of the Framework is 2.0, and it is this version that is being analyzed here.

The Framework sets up a system whereby CMPs can be automatically queried by vendors embedded on a website to get the current data protection status of a visitor to that page, such as whether they have been disclosed the identity of that vendor, whether they have expressed their consent to that vendor, and similar variables. The idea is that if such a query to the CMP indicates the vendor is permitted to access and place information on the user’s terminal device and process their personal data, the vendor can proceed to do so.

There is a flaw with this system, however. Imagine a user who consents to the processing of personal data of TrackerA and TrackerB on Website1. TrackerA and TrackerB query the CMP embedded on the website, which informs them that consent has been established, and as a consequence, cookies are laid and read from their browser by TrackerA and TrackerB, and personal data that is collected linked to these identifiers is processed server-side. The user later revisits Website1, and altering their settings, refuses tracking by TrackerA and TrackerB. Again, both trackers query the CMP, which this time tells them they are not permitted to read data from the browser, nor permitted to process personal data on the basis of consent. Neither tracker therefore links the user who withdrew consent to the same, original time that user gave it.

Such a scenario does not pose problems in relation to the ePrivacy Directive, as, in accordance with the law, the trackers did not store or access data on the terminal device following the withdrawal of consent. It does, however, create a problem with the GDPR, as despite the consent being withdrawn, both trackers have not had this result actively communicated to them in relation to that user. They continue to—now illegally—process personal data despite the withdrawal of consent by the user.Footnote ¹³⁵

Another related problem can be observed when the user moves between websites. Assume the user has consented to TrackerA processing data on Website1, but on Website2, refuses consent to TrackerA. Under the Framework, Website2 can store this refusal locally, in its own cookie, rather than updating the global consent string that is stored across websites on a cookie linked to the IAB-managed consensu.org server. As a result, the later refusal of consent elsewhere does not pass across websites. Even if it did, it still suffers from the problem described above where the consent refusal in practice only relates to the accessing and reading of data on the terminal device, rather than the server-side processing in the tracking ecosystem.

The European Data Protection Board notes that “[i]f the withdrawal right does not meet the GDPR requirements, then the consent mechanism of the controller does not comply with the GDPR.”Footnote ¹³⁶ Consequently, it seems questionable whether the CMP consent mechanism has provided lawful consent since its introduction by the IAB in 2018 in its first Framework.

3. The Impossibility of Global Consent to RTB Infrastructure

The IAB, as part of its coordination function, has put its weight behind a global consent mechanism. Under these proposals, a cookie placed by a CMP via a subdomain of the IAB-controlled consensu.org would contain a global consent signal that a CMP accepts as valid across all websites. There is also the recently introduced notion of an “out-of-band” lawful basis, which supposes the possibility of a tracker to obtain a lawful basis outside of the Framework’s CMP system.Footnote ¹³⁷

An analysis of the interaction of consent and joint controllership gives reason to question the legality of this arrangement. The CJEU has held that in the context of embedded Web trackers, key technologies for RTB, a webpage will be a joint controller with the entity processing personal data using this tracker.Footnote ¹³⁸ The predecessor of the European Data Protection Board, the Article 29 Working Party, has said since 2010 that a website publisher and a tracking company are generally joint controllers, if the company operates tracking cookies via that website.Footnote ¹³⁹

At the time of writing, compliance with the CJEU ruling seems questionable, as companies such as Google still insist they operate independent controllership operations—an interpretation that seems hard to square with the CJEU judgment.Footnote ¹⁴⁰ Given that the facts specifically concern the technologies and commercial situations of the tracking infrastructures discussed in this article, it seems difficult for companies to question the applicability of the CJEU judgment to online tracking and RTB.

A consequence of the CJEU judgment is that every webpage–tracker combination constitutes a distinct controllership arrangement, even where the tracker company operates across multiple websites in relation to the same data subject. Consent necessary to legitimize this personal data processing—and the interaction with devices under the ePrivacy Directive—relates at least in part to a joint controllership situation. For example, two companies running a research project jointly on the basis of consent could not swap a joint controller out for another, which may not be trusted by the data subject, without re-establishing a lawful basis. If this were possible, it could even be envisaged in stages that a joint controllership arrangement would contain none of the original controllers that established consent in the first instance.

Global consent would hold that a publisher would, instead of collecting consent itself, look to an inherited cookie read by a third-party—the IAB domain consensu.org—and assume that consent as applicable to its own joint controllership operation. This, firstly, would directly contradict the finding of the CJEU in Fashion ID, which stated that “it is for the operator of the website, rather than for the provider of the social plugin, to obtain that consent, because it is the fact that the visitor consults that website that triggers the processing of the personal data.”Footnote ¹⁴¹ Furthermore, it would be invalid to equate the consent of one joint controllership operation with another, as in the former, the data subject was informed about a different set of controllers. In this new, separate controllership operation, different controller(s) are in play, and consequently the previous consent is not informed in relation to this operation.

Santos, Bielova, and Matte argue—on the basis of the judgments in Deutsche Telekom Footnote ¹⁴² and Tele2 and Others Footnote ¹⁴³—that consent can be transferred between publishers.Footnote ¹⁴⁴ They do not elaborate on this argument in detail, but the difference in circumstances and legal context between those judgments and the issue at hand make the argument unconvincing. Both cases relate to a specific aspect of the e-Privacy regime in a telecommunications context where consent is mandatory, relating to whether fresh consent is required to republish the information of a telephone subscriber in a public telephone directory owned by a news organization. The Court leans heavily in Deutsche Telekom on the Advocate General’s opinion. In teleological analysis, the Advocate General notes that a purpose of the public directory elements of the e-Privacy Directive is to ensure the existence of a comprehensive public directory, and that the provisions on transfer of consent must be interpreted in this context such that this purpose is not “severely compromised.”Footnote ¹⁴⁵ There is no equivalent EU legislation aiming at comprehensive online tracking—indeed, the GDPR specifically highlights online advertising as an example of an application where the “proliferation of actors and the technological complexity of practice” make it hard for data subjects to understand “by whom” data is processed.Footnote ¹⁴⁶ Taking an opportunity to inform data subjects of this away would appear to go against the specific aims of the law, rather than act in concert with it.

Lastly, it would be unwise for publishers to accept this situation, as they would incur significant liability for invalid consent gathered elsewhere. Global consent IAB cookies can—and are—forged, as the empirical study by Matte, Bielova, and Santos has demonstrated.Footnote ¹⁴⁷ The publisher accepting global consent would have no proof that consent was ever obtained. The publisher would also be liable as part of a joint controllership operation for a legal action undertaken on the basis of accepting this unverified consent signal, even were it to be theoretically possible to accept as valid. As a recent development, and since this article was initially accepted for publication, the Interactive Advertising Bureau appear to have rolled back their rush towards global consent by deprecating part of the required functionality.Footnote ¹⁴⁸

4. Too Many Parties for Valid Consent

Modern CMPs operate as to make even “the identity of the controller and the purposes of the processing for which the personal data are intended” too much information to feasibly expect the data subject to be able to read. This is problematic, as consent must be informed—a distinction that is clearer in the French text of the GDPR, which states that consent must be éclairée (enlightened or illuminated) rather than simply informé, which places the emphasis on the mental state of the data subject rather than the act of having provided information, regardless of its eventual use. Not including the time to operate the interface, or to click on nested privacy policies, a recent empirical study estimated that reading the basic data for all vendors would take on average forty minutes per website.Footnote ¹⁴⁹ This is clearly not conducive to placing the average data subject in an enlightened position. The Court has stated that information “must enable the data subject to be able to determine easily the consequences of any consent” and “ensure that the consent given is well informed.”Footnote ¹⁵⁰

Moreover, the overarching fairness principle of the GDPR places a focus on creating an enabling environment for autonomous choice and the exercise of data rights, conscious of information asymmetries in the digital environment.Footnote ¹⁵¹ Clifford, Graef, and Valcke argue that the fairness principle, and its corresponding manifestation in Article 7, “appears to establish a burden of care on controllers regarding their responsibility to ensure data subjects have been informed and understand the provided information.”Footnote ¹⁵² This is reinforced by the way the EU legislator specified—separately from Article 13 information requirements—the minimal information needed for consent to be informed comprise “at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”Footnote ¹⁵³ This seems to be designed assuming that this information, at minimum, must be feasible for the data subject to assess before a consent choice.

As a consequence, with the number of vendors the RTB system requires, CMPs cannot be used to obtain valid consent. This view has recently been echoed by the U.K. Competitions and Markets Authority:

In conclusion, the GDPR and the ePrivacy Directive require consent for RTB. Current practices by companies engaged in RTB rarely, if ever, lead to valid consent. Indeed, it seems questionable whether it is possible at all to obtain valid consent for RTB.