Step one: Identifying a Legitimate Interest
What is the purpose of the processing operation?
illumin has three core constituencies which benefit from its processing operations: a) publishers who are seeking to better understand and monetize their audience in order to subsidize the content and services which are otherwise provided free to data subjects; b) advertisers who are seeking direct marketing strategies to enable them to more effectively find and reach their current and prospective customers; and c) data subjects who generally want access to free content and sometimes enjoy advertisements which are tailored to their interest.
The saving and communicating of users’ privacy choices in the form of TC Strings is performed for the purpose of ensuring and being able to demonstrate that users have consented to or not objected to the processing of their personal data, for various purposes and/or vendors.
In the context of Special Purpose 3, various interests may be identified as benefiting several categories of stakeholders: 1) The processing ensures that users’ privacy choices can be respected (i.e. the giving, refusing or withdrawing of consent by users and the exercise of their right to object) and that they do not have to make those choices again on each subsequent use of the relevant digital property. 2) The processing ensures that TCF participants are able to retrieve and observe those choices. 3) The processing contributes to demonstrating compliance with the accountability principle pursuant to Article 5(2) of the GDPR by TCF participants. 4) The processing can support Data Protection Authorities in their investigations and audits of TCF participants, in particular to verify that users’ privacy choices are appropriately respected.
Such interests, in line with Recital 47 of the GDPR and also supported by Opinion 06/2014 of the Article 29 Working Party 2 , may be considered to be legitimate.
Additionally, this assessment concords with the Belgian Data Protection Authority’s (APD) reasoning in their decision of February 2022 against IAB Europe and the TCF as stated in paragraphs 413, 414 and 415 and in particular “More specifically, the possibility of storing the preferences of users is an essential part of the TCF and the Litigation Chamber notes that this is done in the legitimate interest of the defendant as well as of third parties involved, such as the participating adtech vendors.”
Is the processing necessary to meet one or more specific organizational objectives?
Yes, the processing is necessary in order to achieve each organizational objective listed above. Direct Marketing is generally recognized as legitimate.
Is the processing necessary to meet one or more specific objectives of any Third Party?
Yes. As noted above – publishers, advertisers and data subjects. Targeted ads have been shown to produce more effective results.
In the context of the processing of TC String, Illumin has evaluated our method for retrieving and passing on the TC String. We only read the minimal portion of the TC String that is necessary to achieve our objective.
Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?
Yes. Direct Marketing is generally viewed as subject to the “legitimate interest” provided that those seeking to use it as their legal basis pass the balancing test. In order to balance the user’s right to privacy, illumin uses the TCF string to examine their consents and restrictions. Further, Illumin has reviewed our retention period of two years with respect to the TCF String and has found that it is the minimal amount possible to achieve our objective.
The Necessity Test
Why is the processing activity important to the Controller?
Publishers need viable revenue streams in order to keep producing quality content. Audience monetization is not a new concept – for decades, magazine publishers licensed or rented their subjection lists for direct marketing purposes. As more and more publishers move into the digital age, many of them don’t have subscription information (i.e., name, postal address, telephone number, email) and therefore need to rely upon data collected pseudonymously via User visits to web pages and mobile applications. Without this form of audience monetization, it would be difficult (and in some instances impossible) for many publishers to continue providing quality content for free.
In the context of the processing of TC String, it is as a first step important to assess whether the information contained in the TC String is strictly necessary to achieve the intended purpose. In that respect, the TC String captures the following information: 1) General metadata: standard markers that indicate details about the Publisher’s implementation of the TCF (e.g. the ID of the CMP that is used, the language of the UIs, whether the UIs use non-standard texts, such as custom stacks or illustrations) and a day-level timestamp of when users have made/updated their choices. 2) The user’s consent per purpose and per vendor when the legal basis is Consent (“1” meaning user’s consent and “0” meaning user’s refusal or withdrawal of consent) 3) The user’s right-to-object per purpose and per vendor when the legal basis is Legitimate interest (“1” meaning the user was informed and “0” meaning the user was not informed or the user’s objection to processing) 4) Publisher restrictions: metadata specific to the publisher’s implementation of the TCF, e.g. indicating a general prohibition for certain vendors to pursue a given data processing purpose. 5) Where applicable, the user’s choices for purposes that are not covered by the TCF or for vendors that are not participating in the TCF (“1” meaning user’s agreement and “0” no agreement).
Accordingly, the TC String contains only information that is strictly necessary to achieve the intended purpose of saving, communicating and observing users’ privacy choices.
This assessment is supported by the APD decision of February 2022, in particular in paragraphs 416, 417 and 418. The decision notably states the following: “The Litigation Chamber notes that the information processed in a TC String is limited to data that are strictly necessary to achieve the intended purpose.
In addition, based on the documents in this file and the parties’ defences, the Litigation Chamber has not been able to establish that the TC String is retained indefinitely.” The method for capturing users’ privacy choices in the form of a TC String is also aligned with the French Data Protection Authority’s (CNIL) recommendation on cookies and other trackers. Indeed, the regulator recommends that users’ privacy choices be recorded in the form of a boolean value for each purpose. The existence of non-binding guidance issued by Data Protection Authorities encouraging controllers to adopt the same method of processing to achieve the intended purpose is an important consideration for the LIA.
Why is the processing activity important to other parties the data may be disclosed to, if applicable?
As described above, the processing activity also enables advertisers to more effectively reach and target their current and prospective customers, and data subjects generally enjoy advertising which is targeted to their interests.
Is there another way of achieving the objective?
Publishers could charge fees for their content, but most data subjects are unwilling to pay fees for content. Moreover, contextual advertising requires the collection of much of the same types of personal data yet doesn’t generate the same CPMs for publishers as targeted advertising, and doesn’t allow publishers to monetize their audience via data licensing. Further, contextual advertising is generally not as effective for advertisers as targeting advertising. Hence, there is not another viable alternative. In connection with the TCF string, there is no other way to enable illumin to read privacy choices made by individual data subjects.
The Balancing Test
What is the nature of the data processed?
In the present case, the TC String is a string of characters that represent an abstract user’s privacy choices without directly attributing these to any specific user.
In fact, the combined state of these various privacy choices is not unique, as millions of users visit digital properties on the same day and can express the exact same preferences. The number of choices a user can make is always limited, and the other attributes of a TC String constitute stable, low entropy metadata data laid out in a fixed order (e.g. the language in which the information was presented or the day where the user preferences were expressed/updated).
Finally, the TC String does not encapsulate any special categories of personal data or personal data relating to criminal convictions and offences. Indeed, even if the TC String can be used for recording user’s choices for purposes that are not covered by the TCF or for vendors that are not participating in the TCF, the TCF is not intended nor has it been designed to facilitate the lawful processing of special categories of personal data or data relating to criminal convictions, and should therefore never be used to engage in these more strictly regulated processing activities. The nature of the personal data in question is therefore not sensitive in any way.
Would the individual expect the processing activity to take place?
There is great debate on this question as to user perceptions. Digital advertising is now moving into its 3rd decade and the average data subject is significantly more sophisticated than in 1997 regarding how data is collected and used by websites and others. Slider boxes announcing the use of cookies and similar tracking technologies have been ubiquitous across websites since at least 2012. And while imperfect, the eDAA AdChoices program has placed billions of icons on advertising messages over the past several years. Millions of data subjects have clicked onto the cookie slider boxes and the AdChoices icons in order to educate themselves on how data is being collected and user. And finally, privacy policies have become significantly more transparent and clear regarding the collection and use of personal data for targeted advertising purposes. Thus, it seems reasonable to believe that many data subjects are increasingly savvy about the data collection and use practices supporting targeted advertising and free content.
In the context of Special Purpose 3, the TCF Policies prescribe a minimum amount of information that has to be disclosed in the CMP UI to the data subject: 1) Name of the purpose, description and illustration, 2) Information about where the TC String is stored, 3) the retention period for each vendor, 4) Information about the specific legitimate interest at stake. Illumin shares that information in its platform privacy policy located at https://illumin.com/legal/technology/.
Does the processing add value to a product or service that the individual uses?
The value ad is indirect but important. As content creators are increasingly under pressure to deliver quality content without charging a fee. With respect to processing the TCF consent string, the value is in respecting the user’s consent choices.
Is the processing likely to negatively impact the individual’s rights?
A noted by the A29WP guidance on “profiling”, there is a potential harm to individuals to the extent that profiles may be used to discriminate against data subjects. However, the A29WP noted that a profile named “interested in shoes” is unlikely to negatively impact a data subject. As outlined in the DPIA, none of the segments created or utilized by illumin may be used to discriminate nor are they likely to negatively impact the fundamental human rights of data subjects.
First, and as stated under Part 1: Purpose test, the processing notably ensures that users’ privacy choices can be respected (i.e. the giving, refusing, or withdrawing of consent by users and the exercise of their right to object) and that they do not have to make those choices again on each subsequent use of the relevant digital property. It is therefore evident that data subjects benefit positively from the processing first and foremost.
Second, it is important to identify the likelihood of any risk that could materialize as a result of the processing, as well as the severity of its consequences. In the context of the Special Purpose 3, the TC String itself does not present any particular privacy risks for data subjects, as it merely reflects their privacy choices. It is moreover generally a service-specific and non-unique data point (as it is entirely possible that a multitude of users make the same choices on any given day – see “Nature of the personal data” above). It does not as a result introduce new vectors for cross-website tracking (such as fingerprinting). Additionally, Special Purpose 3 does not cover such processing activities, which are separately covered by Special Feature 2 and for which users are always given the choice to opt-in. Therefore, the processing does not entail any heightened privacy risks for data subjects; instead, it embodies the principle of data minimization, as confirmed by the APD decision of February 2022.
Is the processing likely to result in unwarranted harm or distress to the Individual?
No, as described above – per the DPIA.
Would there be a prejudice to Data Controller if processing does not happen?
The Publisher would be unlikely to be in position to produce quality content at low cost to the extent that the processing activity could not happen.
Would there be a prejudice to the Third Party if processing does not happen?
Similarly, advertisers would have more difficulty locating and targeting their current and prospective customers without this type of data.
Is the processing in the interests of the individual whose personal data it relates to?
Data subjects are generally reluctant to pay a monetary fee for content consumed via websites and mobile applications. Subsidizing the content via User data enables that content to remain free.
Are the legitimate interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?
Yes.
What is the connection between the individual and the organization?
illumin does not generally interact directly with data subjects (other than to honor data subject access rights and to indirectly receive privacy preferences via the TCF String). But illumin helps facilitate audience monetization which benefits both publishers and data subjects.
What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?
illumin does not knowingly targeting persons under 18 years of age, and does not create segments which are considered sensitive (e.g., race, alienage, ethnicity, sexual proclivity). illumin also doesn’t use profiles which can be easily utilized to discriminate against data subjects. Moreover, the type of pseudonymous personal data utilized by illumin is the least sensitive type of personal data. IP addresses, mobile advertising IDs and cookie IDs may not be used to identify anyone directly without a subpoena.
Is there a two-way relationship in place between the organization and the individual whose personal information is going to be processed?
If so how close is that relationship? The relationship between the publisher and the data subject is symbiotic. The data subject gets free content and the publisher gets to charge a CPM for ads and engage in other legitimate audience monetization techniques.
Would the processing limit or undermine the rights of individuals?
No
Has the personal information been obtained directly from the individual, or obtained indirectly?
The information has mostly been obtained via the data subject’s computer or device and directly as a result of their interaction with the publisher. Both the publisher and advertiser recognize the importance of ensuring that their respective privacy policies outline the types of data collected and the use cases for this data.
Is there any imbalance in who holds the power between the organization and the individual?
In most (if not all) scenarios, the data subject will have multiple options to receive content. In contrast with the relationship between users and social platforms, the relationship between users and most websites and mobile apps is on a much more level playing field.
Is it likely that the individual may expect their information to be used for this purpose?
Given the relationship between the parties, and the products and services provided, it seems reasonable for most users to expect that information is being collected about them for advertising purposes. As described above, the cookie consent boxes, AdChoices icons and ubiquity of privacy notices outlining the ad supported content services makes it extremely likely that many users understand this value proposition.
Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?
Given the nature of the data being processed (pseudonymous personal data) and its relatively benign use (audience monetization and targeted advertising), the use of this data is relatively non-intrusive. This is one area where the digital media industry could do a better job of educating data subjects via more robust privacy policy disclosures.
Is a fair processing notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?
Privacy Notice and Notice outside privacy policies (i.e., AdChoices icons and cookie disclosure boxes) have significantly increased the transparency of personal data processing in the context of ad supported media.
Can the individual, whose data is being processed, control the processing activity or object to it easily?
Data subjects may object to processing of this data by visiting most publisher or advertisers websites and/or clicking onto the AdChoices icon which is present on most digital ads in the EU. illumin will be working with partners such as Evidon and the IBA EU initiative to ensure that data subjects will have ample opportunity to withdraw their consent. Users can opt out of all illumin advertising at illumin.com.
Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?
Yes, we’ve taken steps to evaluate whether the scope of data collection is sufficient to guard against any risks or harms. As outlined in the DPIA, illumin doesn’t utilize data for profiles that create a high risk to the fundamental human rights of EU data subjects.
Safeguards and Compensating Controls
What are the safeguards and compensating controls put in place by your organization?
illumin utilizes the following controls: a) data minimization: we only collect the minimum data necessary to offer our services; b) security: we offer reasonable technical and operational measures in light of the relatively low level of sensitivity of the data we process; c) privacy by design: the privacy team (including the DPO) evaluates our profiling activities as we create new segments, and also does a review of all segments every three months; d) retention: we only retain data for SIX months from the last time our systems have seen a particular user; and e) access: we ensure that only those employees who’s core job functions require it to be in position to access the data, and f) we offer multiple paths for users to refuse our data processing activities, including via our privacy policy, the privacy policy of most of our publishers and advertisers, and via the AdChoices icon.
Moreover, the TCF Compliance for CMPs and Vendors protects the integrity of the Transparency and Consent Framework (“TCF”) and ensure that organizations who have signed up to the TCF comply with their commitments under the TCF Policies.
Outcome of the Assessment
What is the Outcome of the Assessment?
For the reasons stated above, we believe that all data processing currently engaged upon via the illumin Platform falls under the “legitimate interest” legal basis. A summary of our rationale is as follows:
- Pre-internet, digital publishers were able to monetize their audience subscription lists for direct marketing purposes utilizing legitimate interest. And advertisers were able to use that data for direct marketing purposes on the same basis. Data subjects typically had to pay subscription fees to access content.
- In the digital age, publishers still need to monetize their audiences in order to continue to provide free content and Advertisers continue to need to reach their desired audiences. Data subject have become increasingly reluctant to pay cash for digital content from websites and mobile apps.
- The types of data segments utilized by illumin (e.g., pseudonymous personal data) and the profiling activities are not generally considered high risk per the guidance of the A29WP.
- Users are increasingly savvy about the types of data being collected about them via websites for digital advertising. Moreover, transparency tools which explain the data collection practices of companies such as illumin are increasingly ubiquitous.
- illumin adopts reasonable controls to ensure that the data collected is secured and won’t fall into the hands of an entity that might be in position to harm the human rights of data subjects.
- Thus, the balance of interests leans towards to benefits generated for data subjects, publishers and advertisers outweigh the risks to the fundamental human rights of data subjects.
- Accordingly, illumin feels confident that the processing activities engaged upon via the illumin marketplace fall under the legal basis of legitimate interest.