- Are publishers legally responsible for the actions of their vendors?
- Can publishers allow vendors to ignore consumers’ privacy consent choices?
- What is a publisher’s responsibility to prevent user data leakage?
- Will recent fines motivate more publishers to enforce privacy compliance comprehensively?
Publishers frequently ask us whether they’re really responsible for their vendors’ use of user data, particularly if they use a consent management platform (CMP) or are participating in an IAB privacy framework. The short and inconvenient answer is “yes.” We'll explain why and then show you some solutions you can implement today.
You may have noticed an increase in privacy enforcement activities by European Union (EU) courts and regulatory agencies: there have been several large fines issued to publishers for privacy issues related to inappropriately sharing user data or failing to ensure that vendors were complying with the General Data Protection Regulation (GDPR) law. As a result, it is more important than ever for publishers to manage the data flows, and especially the vendors, on their sites.
Some GDPR Context for Publishers
The GDPR restricts businesses from tracking EU citizens without a valid legal basis. In practice, publishers usually rely on Consent, and their ad tech vendors usually rely on Consent or Legitimate Interest as their preferred legal bases. To put it briefly, EU users must be given notice of data collection and processing practices, and be offered a granular (purpose-specific) opportunity to opt out of, or object to, this data collection and use.
The GDPR only went into effect three years ago, and enforcement actions are slowly but consistently catching up. Not surprisingly, we’re starting to learn more about how courts and enforcement agencies interpret publisher obligations under the GDPR, and publishers will want to take note of what this means for them.
Big or Small, GDPR Wants All
The GDPR assigns responsibility for compliance to every member of the supply chain, including publishers and their vendors. The EU regulators were clear about their intentions in drafting the GDPR: they will pursue any organization regardless of size.
Who’s Responsible, Who’s Liable, and at What Cost?
European regulatory and enforcement agencies have made it extremely clear in recent years that publishers can be held responsible for the actions of their vendors. Let’s review just a handful of the applicable cases.
- In July 2021, France’s CNIL fined news publisher Le Figaro €50,000 because they allowed their vendors to collect and process data without a valid legal basis, and because the publisher didn’t verify the behavior of their vendors.
- The CNIL confirmed that publishers have “a share of responsibility” for their partners’ cookie placement, and clearly stated that publishers cannot allow vendors to place cookies before consent has been established. What’s more, the CNIL pointed out that it does not differentiate whether the cookies originated from Le Figaro or their partners, therefore holding the publisher responsible for 3rd party cookies delivered through their site. In addition, it found that publishers must ensure that their vendors are respecting user choice. Despite the CNIL being located in France, 60% of its judgments have applied to companies outside of France.
- In March 2021, the Spanish Data Protection Agency (AEPD) issued a record €8.15 million sanction to Vodafone España for failing to monitor their partner’s use of the data they shared. That’s the largest fine the AEPD has ever imposed. In this case, Vodafone was considered a controller of the consumer data that was shared with a partner, and they did not ensure that their vendor used data in accordance with user consent and preferences.
- In July 2019, Europe’s highest court found that publishers were jointly responsible with one of their vendors, Facebook, for violations of the GDPR. In particular, because the publisher had allowed Facebook’s “Like” button code on their page, both the publisher and Facebook share responsibility for GDPR compliance. And what’s more, the Court found that consumer advocacy organizations were allowed to bring claims against publishers for these violations, opening the door to a large number of lawsuits that publishers must defend themselves against. Read the case here.
The Fines are Escalating:
- In August 2021, the Irish Data Protection Commission (DPC) fined the messaging app company WhatsApp €225m under GDPR regulations. This was the highest fine ever issued by the DPC and the second-highest fine under EU GDPR rules to date (Amazon’s fine being the highest). The 2018 investigation into the Facebook subsidiary WhatsApp culminated in a fine related to “whether WhatsApp supplied enough information to users about how their data was processed and if its privacy policies were clear enough.” The court considered the lack of clarity a breach of the GDPR regulations.
- In July 2021, Luxembourg’s Commission Nationale pour la Protection des Données (CNPD) issued a fine of €746m to Amazon citing that the retail and tech giant’s processing of personal data did not comply with EU (GDPR) law. “The fine comes following rising regulatory scrutiny of large tech companies due to concerns over privacy and misinformation, as well as complaints from some businesses that the tech giants have abused their market power.”
[Figure: cumulative GDPR fines to date, showing the overall sum and number of fines imposed per month (cumulative). Only fines with a known year and month are included. Image source: https://enforcementtracker.com]
The cases above highlight a clear trend of EU regulatory bodies toward holding publishers accountable for the actions of their vendors as well as for obtaining appropriate legal bases for data processing on their behalf.
Publishers’ vendor contracts won’t protect them from being fined if a data processing vendor allows data leakage, misuse of the user data, or even when an ad tech vendor drops a third-party cookie on a user through the publisher’s site before confirming consent. In the above cases, the non-compliance issues were related to the vendor’s actions or mishandling of the data, leaving the publisher (the data controller) liable for sanctions.
How Can Publishers Mitigate Third Party Privacy Risk?
The above examples of fines and judgments make it clear that regulators see adtech and their publisher partners as needing to step up their privacy compliance game. Enforcement authorities look at what is actually happening on the publishers' sites.
Privacy compliance is challenging, but it doesn’t have to be costly. Here’s what you can do to minimize your risk:
- Monitor your CMP implementations to eliminate confusing dark patterns and ensure that clear notice and choice are given to your users. Companies have been fined for not providing comprehensive or transparent notice to users. See our recent blog post about CMP dark patterns.
- Tighten up your vendor contracts so vendors have liability for actions that violate the GDPR. This will not address all of your risks, but it can address some of the big ones and give you a better idea of where your overall risk lies.
- Consider doing a Data Protection Impact Assessment (DPIA), as required by the GDPR, to ensure that you are making measured and balanced choices about the data you collect, share, and use.
- Don’t wait until fines are issued more frequently or penalties escalate before enforcing comprehensive privacy compliance on your site. Recent GDPR enforcement cases show that you will be held responsible for your vendors’ actions.
- Use Privacy Compliance by Confiant to help ensure that your vendors are behaving as you’d expect. As demonstrated in the Le Figaro publisher fine, publishers are expected to verify the compliance of their vendors, and Confiant can help you with this, as well as give you the evidence you need to begin a constructive conversation with your vendors.
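The checks described above (no vendor cookie before consent is established, and no cookie for a purpose the user declined) can be expressed as a simple audit over a page-load event log. The following is an added example, not Confiant's code or any regulator's tooling: it parses a constructed log format (one event per line, `<timestamp> <event> key=value ...`), locates the consent signal, and reports every third-party cookie that was set before consent or for a declined purpose, summarized per vendor so the publisher knows which partner to talk to. The hostnames, vendor names and log lines are constructed; the purpose ids are numbered as in IAB TCF v2 for readability, but the logic does not depend on that numbering.

```python
"""Audit a page-load event log for vendor cookies that ignore user consent (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log (not real traffic). Purpose ids follow IAB TCF v2
# numbering: 1 = store/access info on a device, 2 = select basic ads,
# 3 = create a personalised ads profile, 4 = select personalised ads.
SAMPLE_LOG = """\
2021-07-01T10:00:00.000Z pageview host=news.example
2021-07-01T10:00:00.350Z cookie host=news.example name=session purpose=1 vendor=publisher
2021-07-01T10:00:00.800Z cookie host=tracker.adnet.example name=uid purpose=4 vendor=AdNet
2021-07-01T10:00:05.000Z consent purposes=1:1,2:1,3:0,4:0
2021-07-01T10:00:06.100Z cookie host=pixel.measure.example name=mid purpose=2 vendor=MeasureCo
2021-07-01T10:00:06.400Z cookie host=tracker.adnet.example name=uid purpose=4 vendor=AdNet
2021-07-01T10:00:07.000Z cookie host=sync.otherdsp.example name=sync purpose=3 vendor=OtherDSP
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    attrs: Dict[str, str]


@dataclass
class Finding:
    vendor: str
    host: str
    cookie: str
    purpose: int
    reason: str  # before_consent | purpose_declined | no_consent_recorded
    ts: datetime


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, kind, *pairs = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S.%fZ")
        attrs = dict(p.split("=", 1) for p in pairs)
        events.append(Event(ts, kind, attrs))
    return sorted(events, key=lambda e: e.ts)


def parse_purposes(spec: str) -> Dict[int, bool]:
    """'1:1,2:1,3:0' -> {1: True, 2: True, 3: False}; a missing purpose means not granted."""
    out: Dict[int, bool] = {}
    for item in spec.split(","):
        pid, granted = item.split(":")
        out[int(pid)] = granted == "1"
    return out


def audit(events: List[Event], first_party_host: str) -> List[Finding]:
    """Flag third-party cookies set before consent, without any consent, or for a declined purpose."""
    consent_ts: Optional[datetime] = None
    consent: Dict[int, bool] = {}
    for e in events:
        if e.kind == "consent":  # first consent signal on this page load
            consent_ts = e.ts
            consent = parse_purposes(e.attrs["purposes"])
            break

    findings: List[Finding] = []
    for e in events:
        if e.kind != "cookie":
            continue
        host = e.attrs["host"]
        # First-party cookies are the publisher's own; deciding which of those are
        # strictly necessary is a separate assessment and out of scope here.
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        purpose = int(e.attrs["purpose"])
        if consent_ts is None:
            reason = "no_consent_recorded"
        elif e.ts < consent_ts:
            reason = "before_consent"
        elif not consent.get(purpose, False):
            reason = "purpose_declined"
        else:
            continue  # consent was established and covers this purpose
        findings.append(Finding(e.attrs["vendor"], host, e.attrs["name"], purpose, reason, e.ts))
    return findings


def summarize_by_vendor(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per vendor and reason, the view a publisher would take to a vendor."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f.vendor][f.reason] += 1
    return {vendor: dict(reasons) for vendor, reasons in summary.items()}


if __name__ == "__main__":
    found = audit(parse_log(SAMPLE_LOG), "news.example")
    for f in found:
        print(f"{f.ts.isoformat()} {f.vendor:10s} {f.host:24s} {f.cookie:8s} purpose={f.purpose} {f.reason}")
    print(summarize_by_vendor(found))
```

On the constructed log this reports AdNet setting a cookie before the user answered the CMP, AdNet and OtherDSP setting cookies for purposes the user declined, and nothing for MeasureCo, whose purpose 2 cookie was covered by the consent given. The same audit run on a log with no consent event at all flags every third-party cookie, which is the case where a user simply never interacted with the banner.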
How Confiant Can Help
Confiant’s mission is to make the digital world safe for everyone, and that includes helping our publishers protect themselves from privacy risk.
Privacy Compliance by Confiant examines a publisher’s site in real time to identify whether ads respect the user’s preferences and the expectations of the law, mirroring (but going far beyond) the techniques used by regulatory enforcement agencies to root out non-compliance. If an EU citizen reaches the publisher’s site and has not consented to tracking, the record of that consent mismatch is reported to the publisher in their dashboard, empowering them to understand any violations, identify which entities are non-compliant, and address the issues immediately. Publishers have the option to receive alerts about non-compliant ads or block them automatically, providing an added safety net for the publisher. It was designed to provide the information and controls that publishers need. Even the smallest of the sanctions in the examples above far outweighs the cost of the solution that could help publishers avoid the penalties.