Today I filed a formal complaint against #YouTube with the Irish Data Protection Commissioner for their illegal deployment of #adblock detection technologies.
Under Article 5(3) of 2002/58/EC YouTube are legally obligated to obtain consent before storing or accessing information already stored on an end user's terminal equipment unless it is strictly necessary for the provisions of the requested service.
In 2016 the EU Commission confirmed in writing that adblock detection requires consent.
This whole thread is a whole lot of hullabaloo about complaining about legality about the way YouTube is running ad block detection, and framing it as though it makes the entire concept of ad block detection illegal.
Nope, the point is that, at the moment, Google seems to look where it should not look to know if a user has an adblocker and they don’t ask for permission.
Let put it in another way: Google need to have my permission to look into my device.
But it doesn’t stop Google from refusing to serve you video until you watch ads.
Which is fine as long as Google can decide that I am using an adblocker without violating any law, which is pretty hard.
Of course Google could decide that it is better to leave EU and it law that protect the users, but is it a smart move from a company point of view ?
That is addressed in the source I linked, which is an industry groups advice to publishers on the implementation of ad block detector. They specifically say that having it listed in your ToS is a defensible strategy but could have some risk. To mitigate the risk, you can introduce either a consent banner, consent wall, or both.
It’s an interesting read, and something I wish I’d had a few years ago in a prior role when I wrote my organizations gdpr strategy, though I’m not an expert on EU specific law.
“Defensible strategy” doesn’t mean much until it goes to court and gets tested - just look at all those Cookie Popups in the early days with “user must uncheck everything to Reject” anti-patterns which ended up being ruled as not valid per the GDPR which is why nowadays all the major websites have “Reject All” buttons in those.
So far on everything that had not yet been explicitly clarified, when it did the ball has consistently fallen on the side of explicit user consent on colleting any “user identifying” data beyond that which is technically required for operation and Ad Blocking is not a tecnical requirement for the operation of a video sharing website.
Indeed, it ultimatelly will need to be tested in court. My point is that relying on an expectation that a court will rule that the collection of user private information for remote processing related to a functionality which is not technically required without explicit user consent is ok if there’s some entry somewhere in the ToS, is quite the wild bet as that would be a massive loophole on the GDPR, and further, even if that that did happen, relying on Commission not rush to close such a massive loophole is also a wild bet.
I suppose that’s my point though. Most of this thread, and the page linked have been asserting clear and unequivocal violation of gdpr, but that doesn’t appear to be true. It hasn’t been tested or ruled on authoritatively, and the technical mechanism makes s difference as well. There is room to equivocate.
My own personal opinion is that I doubt the EU policy makers or courts will treat the mechanism to ensure the delivery of ads with as much skepticism as they treat tracking, fingerprinting, and other things that violate privacy. Courts and policy interpreters often think of the intent of a law, and I don’t think the intent of GDPR was to potentially undermine ad supported business.
My goal in replying throughout the thread has been to address what feels like misinformation via misplaced certainty. I’m all for explicit consent walls, but most people in this thread don’t seem to be taking an objective look at things.
Nope, the point is that, at the moment, Google seems to look where it should not look to know if a user has an adblocker and they don’t ask for permission.
Let put it in another way: Google need to have my permission to look into my device.
Which is fine as long as Google can decide that I am using an adblocker without violating any law, which is pretty hard.
Of course Google could decide that it is better to leave EU and it law that protect the users, but is it a smart move from a company point of view ?
All they need to implement ad block detection is user consent, which they likely cover on their terms of service and privacy policy.
Source
Because of GDPR, in the EU user consent has to be explicitly asked for and given, not implicitly via some catch all in a 20 pages Terms Of Service.
Hence all the cookie pop-ups.
That is addressed in the source I linked, which is an industry groups advice to publishers on the implementation of ad block detector. They specifically say that having it listed in your ToS is a defensible strategy but could have some risk. To mitigate the risk, you can introduce either a consent banner, consent wall, or both.
It’s an interesting read, and something I wish I’d had a few years ago in a prior role when I wrote my organizations gdpr strategy, though I’m not an expert on EU specific law.
“Defensible strategy” doesn’t mean much until it goes to court and gets tested - just look at all those Cookie Popups in the early days with “user must uncheck everything to Reject” anti-patterns which ended up being ruled as not valid per the GDPR which is why nowadays all the major websites have “Reject All” buttons in those.
So far on everything that had not yet been explicitly clarified, when it did the ball has consistently fallen on the side of explicit user consent on colleting any “user identifying” data beyond that which is technically required for operation and Ad Blocking is not a tecnical requirement for the operation of a video sharing website.
Indeed, it ultimatelly will need to be tested in court. My point is that relying on an expectation that a court will rule that the collection of user private information for remote processing related to a functionality which is not technically required without explicit user consent is ok if there’s some entry somewhere in the ToS, is quite the wild bet as that would be a massive loophole on the GDPR, and further, even if that that did happen, relying on Commission not rush to close such a massive loophole is also a wild bet.
I suppose that’s my point though. Most of this thread, and the page linked have been asserting clear and unequivocal violation of gdpr, but that doesn’t appear to be true. It hasn’t been tested or ruled on authoritatively, and the technical mechanism makes s difference as well. There is room to equivocate.
My own personal opinion is that I doubt the EU policy makers or courts will treat the mechanism to ensure the delivery of ads with as much skepticism as they treat tracking, fingerprinting, and other things that violate privacy. Courts and policy interpreters often think of the intent of a law, and I don’t think the intent of GDPR was to potentially undermine ad supported business.
My goal in replying throughout the thread has been to address what feels like misinformation via misplaced certainty. I’m all for explicit consent walls, but most people in this thread don’t seem to be taking an objective look at things.
For some reason your link doesn’t load. Is it this? https://iabeurope.eu/wp-content/uploads/2019/08/20160516-IABEU_Guidance_AdBlockerDetection.pdf
Yep that’s it. I’ll double check the link in my post.
Edit: yep borked the link, fixed now. Thanks for letting me know!