Re: Industry concern about the removal of Article 10, and dilution of Article 8, in the ePrivacy Regulation

Dear Colleague,

I represent Brave, a rapidly growing Internet browser with offices in San Francisco and London, and employees across Europe. Brave is at the cutting edge of Internet innovation. Brave’s CEO, Brendan Eich, is the inventor of JavaScript, and co-founded Mozilla/Firefox. Now, Brave is pioneering crypto-tokens to provide privacy friendly advertising to sustain online publishers. We are currently testing this with the Dow Jones Media Group.

We write to support the privacy protections in the proposed ePrivacy Regulation, and to express our concern about two items:

1. We believe that it would be a mistake to remove the Article 10 “Privacy By Design and By Default” protections.

2. We also believe that it would be a mistake to dilute Article 8’s prohibition against making access to a service conditional on consent for non-essential processing (“cookie walls”), which the proposed changes to Recital 20 (and Recital 21 in the previous text) would do.

These changes would harm the online economy, and the protection of fundamental freedoms.

As technology and online industry leaders with a strong commitment to the Digital Single Market, we believe that the protection of the fundamental rights to privacy and data protection enshrined in the European Charter is entirely compatible with sophisticated advertising technology – provided that that technology handles personal data correctly. It is not tenable for any publisher, adtech vendor, or trade body, to claim that they must track people in order to generate revenue from advertising.

The economic benefit of behavioral tracking to publishers’ advertising businesses is questionable. IAB Europe, an adtech/targeting industry trade body, recently funded a lobbying study on “The economic value of behavioral targeting in digital advertising” that claimed that European publishers rely on tracking for their advertising revenue. However, IHS Markit, which produced the study for IAB Europe, recently confirmed in writing to us that the report inflated publisher revenue that results from this dangerous form of advertising, because it included Google and Facebook’s revenues as “publisher revenue”, without disclosing this in the report – despite the fact that these two companies are not publishers, and now have taken 71% of online advertising spending in Europe.

Publishers fare better when not using this form of advertising. “Behavioral” ads only earn publishers 25-40% of the money spent on an advertising campaign, whereas other online advertising (such as “network” or the more lucrative “direct sold” advertising) earn a publisher between 70% and 95% of a marketer’s ad budget. This is the cost of the “adtech tax”. It not only harms fundamental freedoms, but is eroding publisher revenue over time.

For example, when The Guardian​ bought ads on its own site through an auctioning system for behaviorally targeted ads, it received only 30% in revenue of the sum it paid as a buyer. The majority of this money goes not to publishers, but to adtech firms.

For these reasons, we are convinced that making access to a service conditional on consent for online behavioral advertising, as may be suggested by the proposed change to Recital 21, is counter productive.

Online behavioral advertising (known as “RTB”) is a data breach.

It is also worth bringing to your attention the infringement of fundamental freedoms that is caused by tracking-based advertising. Every time a behaviorally targeted ad is served on a website, the system that selects the ad broadcasts the website visitor’s personal data to hundreds or thousands of companies.

These personal data include the URL of every page a user is visiting, their IP address (from which geographical position may be inferred), details of their device, and various unique IDs that may have been stored about the user previously to help build up a long term profile about him or her.

This is a vast and ongoing data breach – as is evident if one reads the publicly available “openRTB specification” that dictates how this system works. It is a data protection free zone.

Despite the grace period leading up to the GDPR, the adtech industry has built no adequate controls to enforce data protection among the many companies that receive data.

We would be delighted to provide further information, or to meet and brief you, to assist in your deliberations.

The digital economy requires a foundation of trust to enable innovation and growth. The enormous growth of adblocking (to 615 million active devices by late 2017) across the globe proves the terrible cost of inadequately regulating the tracking-based advertising system. Therefore, we urge you to restore the “cookie wall” prohibition in Recital 20, and to restore the Privacy by Design protections in Article 10, as you convene at the WP TELE meeting on 17 July.

Sincerely,

Dr Johnny Ryan

Chief Policy & Industry Relations Officer

Brave Software