Privacy Daily is a service of Warren Communications News.
'Be Creative'

AI and Adtech Spark Concerns About Personal Data Consent, Panelists Say

The emergence of AI and adtech is forcing a rethink of gathering and managing consent for use of personal data, speakers said Tuesday at a #RISK Digital UK/EU webinar.

Using the legal basis of legitimate interest under the General Data Protection Regulation (GDPR) to train AI models isn't a free pass, but consent isn't a viable alternative, said Taina Baylao, Infineon Technologies staff specialist for data protection. It's impractical to obtain consent for AI model training, she said. In addition, legitimate interest can only be used for regular data, not special data such as health or biometric information, which may have to rely on consent.

Given that the European Commission is tinkering with GDPR requirements (see 2505210007), Baylao was asked: Could the regulation be amended to make it easier for AI systems to comply?

The GDPR wasn't meant to be amended every time a new technology arrives, and changing it for AI creates uncertainty, Baylao responded.

"We need to be creative" in future regulations to keep up as AI is applied in new situations, Baylao said. That includes issues such as how to collect consent and how data subjects are informed.

A company could, for example, create on its website a list of all the places where it's collecting data and allow data subjects to make data-access requests. She added that it's more about transparency than consent.

Adtech Increasingly in Regulators' Sights

Meanwhile, GDPR compliance has become challenging for adtech companies, which use technology to buy or sell ad space online, said Orrick privacy compliance attorney Sundeep Kapur. Such ads are generally targeted at users, but there are also contextual ads, which rely less on personal information and more on content, he said.

Targeted ads are where most of the regulatory scrutiny is, Kapur noted. Such ads can send data to publishing platforms when a user visits, upload contact details directly to publishing platforms to target users or rely on the publisher's first-party data to target, he said.

By contrast, some advertisers employ only content on a page that a user interacts with, Kapur noted. The user then receives an ad because of the webpage she visited. Regulators worldwide see this as a more privacy-safe type of advertisement because nothing about the data subject is inferred, he said.

In the EU, consent is required for activities in the adtech ecosystem and for processing data for targeted ads, Kapur noted. Consumer-facing entities, such as publishers and advertisers, are responsible for securing consent. In the U.S., however, people must opt out of targeted ads or information sharing.

Businesses that deploy adtech technologies must know exactly what data is collected and placed on their pages or apps, Kapur advised. The adtech ecosystem is extremely opaque, so companies should have compliant transparency disclosures. Regulators are starting to look at unexpected uses of data, so companies should be transparent about what they tell consumers, he added.

Another key issue is what "strictly necessary" means in relation to tracking and consent, panelists said.

Organizations access information via cookies, tags and other technologies, and many of these are things people rely on for convenience, such as for online shopping, said Pillinger Privacy Director Simon Pillinger. What we're willing to accept now in terms of tracking is probably different from what it was before the GDPR arrived, in 2018, said James Leaton Gray, director, The Privacy Practice.

Tracking has become far more structured since 2018, with the Interactive Advertising Bureau, for example, creating the transparency and consent framework (TCF), said Leaton Gray (see 2506010001). Even pre-GDPR, when the U.K.'s Privacy and Electronic Regulations were being revised, there were four "buckets" for permissible personal data collection: strictly necessary information, analytics, marketing and internal content, he noted. Now, due to litigation, there are 10 buckets, but the original four remain valid.

How do you define "strictly necessary"? One analogy, said Pillinger, is that a car can operate without a spoiler, but gas is vital. Or, said Leaton Gray, one could take a risk-based approach, which weighs how likely it is that a regulator will scrutinize your data collection or your customers will complain: That is, how much are you willing to insist that you really need the personal data and accept the consequences of that decision?