back button


A potential future for the Ad Tech industry: consent without tracking walls

May 25, 2018byJulie Tamba

Publishers and actors of the Ad Tech sector targeting the EU currently face one of the biggest challenges they have ever encountered, one that may require them to change profoundly their model. Namely? Unambiguous positive consent.

Some background

Publishers (both online and offline) have traditionally been able to provide their readers with free contents by selling advertising space. Initially, the best way for an advertiser to reach its potential customers was to select the publisher in view of their audience.

In the Internet age, this practice has been complemented by a new tendency which quickly became a massive trend: collecting data about the users in order to build profiles allowing serving them targeted advertising, thus increasing the impact of a campaign. Not all users would see their ads, only the potentially interested ones: for the same number of impressions, you get more clicks, leads or actions.

To achieve this, publishers would allow third parties to collect personal data from their websites and/or to track their users for example thanks to cookies, usually without informing much the users about it. This is the story up until 2016.

The new paradigm

In April 2016, a new European legislation was adopted which happened to be a game-changer. The so-called “General Data Protection Regulation” – which everyone has heard about – is EU-wide and even exceeds this territorial scope for companies targeting the EU. Its sanctions rise up to 20 million euros or 4% of a company global turnover. Publishers, advertisers and their intermediaries all share the responsibility and may be found liable under its obligations.

Thus, the first wave of panic washed over the industry.

Consent is needed

Moving on to the next step, the EU is currently discussing the future rules that will add to the General Data Protection Regulation in the sector of electronic communications. Sanctions would also rise up to 20 million euros or 4% of a company global turnover. Once adopted, the “ePrivacy Regulation” will require obtaining and demonstrating consent of the users to have cookies implemented and to be served with targeted advertising.

Actually, this requirement for consent is not new in the European sector of electronic communications, since consent is already required to implement cookies and to send commercial e-mails: what really changes is its definition.

The risks of implicitness and conditionality

It is now defined under the GDPR as any “freely given, specific, informed and unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action“. This obligation to demonstrate a clear affirmative action apparently rules out any kind of tacit or implicit consent which happened to be a classic strategy on Internet, roughly “If you know what we do and you access our service, well, it means that you agree”.

On the other hand, who would make a positive action to accept cookies and targeted advertising, especially if by doing nothing you can access the service without them?

The EU Parliament indeed amended in October 2017 the ePrivacy proposal to explicitly ban so-called tracking walls by stating: “No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent”. Should this amendment eventually disappear in the final version, it remains that consent must be freely given to be valid, so that any compelled positive action – for example because service is conditional to consent – will at the end of the day amount to no action at all.

Now the second wave of panic strikes in as this could mean a serious knock for certain actors.

How to get positive consent?

In January 2018, DIDOMI sent a letter to the Working Party 29 asking it to specify its draft guidelines on consent. We did it because we considered that both the notions of unambiguous positive action and conditionality were insufficiently clear, so that any wrong interpretation of said notions by an actor would put it at risk of being fined.

The notion of unambiguous positive action

The draft guidelines initially excluded “scrolling a website” or “merely proceeding with the website” as constituting an unambiguous positive action. It was therefore unclear whether or not obtaining information followed by a click on a website – as authorized by the previous interpretations of the Working Party and the CNIL – could still constitute a valid consent. The last version of the guidelines on consent published in April now states that “merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation”.

This basically means that this (and any other kind of acceptance through navigation) will not be allowed anymore:

The notion of conditionality

The draft guidelines indicated that requiring consent to provide a service is not a problem if there is an alternative allowing having the service delivered by the same provider without consenting to the use of personal data for additional purposes. It specified “However, both services need to be genuinely equivalent including no further costs”.

We therefore asked the WP 29 if “providing a service including further costs may be a legitimate alternative to the same service including consenting to the use of personal data” where such use of personal data brings a remuneration which is essential to the provision of the service (like this is the case for most providers of free contents online). The last version of the guidelines on consent published in April eventually removed the words “including no further costs”.

In other words, something like the pop up below could possibly be fine, where consent to additional purposes would decrease the quantity of advertisement or the subscription to be paid. Of course, advertisement and subscription must remain reasonable if the consent is refused, otherwise they would be considered as detrimental and could invalidate the consent.

This is most likely where the EU wants the Ad Tech industry to go: not towards bankruptcy, but towards transparency and active choices of the persons.

Related articles

March 29, 2018byJulie Tamba

An interpretation of Google new consent requirements for publishers

We wrote a few articles in the last months regarding consent, including on how consent should be obtained (e.g. may clicking on the website be considered a sufficient positive act ?) or why it should be obtained  (e.g. which geolocation uses or marketing communications will require consent ?). Taking into account this framework, we thought it would be…

Read more

Ad Tech





targeted advertising

April 20, 2018byRomain Gauthier

Didomi now supports the IAB Europe consent framework

Didomi is proud to announce that our Consent Management Platform (CMP) is now officially registered with the IAB Europe’s GDPR consent framework. We’re one of the first CMPs to fully support the framework. The IAB Europe Consent Framework The IAB Europe Consent Framework aims at standardizing consent flows between advertising partners. Online advertising involves a…

Read more






tailored advertising

targeted advertising

February 9, 2018byJulie Tamba

(French) Consentement GDPR en pratique – Partie 3: les mineurs

Consentement des mineurs : une bonne chose de faite ? Mercredi 7 février 2018 a été adopté par l’Assemblée Nationale un amendement ajoutant à la loi Informatique et Libertés un article 7-1 relatif au consentement des mineurs au traitement de leurs données personnelles. Consentement lié à l’offre directe de services de la société de l’information aux enfants…

Read more




Informatique et Libertés


personal data

December 13, 2017byJulie Tamba

GDPR consent in practice – Part 2: Methods

After reviewing when it is opportune to obtain consent, it is time to take a closer look at ways to obtain consent. How should consent be obtained? Consent is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement…

Read more


European Union



personal data

December 12, 2017byJulie Tamba

GDPR consent in practice – Part 1: Opportunity

As a follow up to the article on whether collecting user geolocation require consent, it has to be examined more generally when and how consent should be obtained. The first part of this topic focuses on simple guidance regarding the opportunity to obtain consent. When should consent be obtained? It is important to underline that,…

Read more




personal data