The American media behemoth behind Vogue, Vanity Fair, Allure, Glamour, the New Yorker, and GQ, among other titles, might be blatantly running afoul of the law in the European Union in an effort to ensure that it is not prevented from serving personalized ads to online readers. NOYB/European Center for Digital Rights claims in the complaint that it filed with the French Data Protection Authority on Thursday that publisher Condé Nast is altering online users’ explicit opt-outs of being tracked and served with ads in connection with the French arm of its Vanity Fair title, and sharing such “fake consent” preferences with major ad partners in violation of a sweeping EU data protection and privacy law.
According to Vienna-based NOYB’s complaint (that stands for “None of Your Business”), as first reported by Law360, Condé Nast “uses cookies and other tracers [on] Vanityfair.fr in order ‘to personalize [the] content and [the] advertisements’” that appear for users of the website.
In furtherance of this effort, the New York-based media titan – by way of its Vanity Fair France property – alerts those who visit the website that it shares “information relating to the navigation of users within the site with its [advertising] partners,” and as mandated by the General Data Protection Regulation (“GDPR”) – which requires online users to consent to the use of their data before they may be served with personalized advertising – enables “users to select their ‘Cookie Settings.’”
The problem, according to NOYB, is that it appears that even when individuals “clearly express opposition” to having their data used by Condé Nast, the publisher is doing so anyway. Citing an instance that took place on December 3, 2019, the data privacy non-profit claims that an unnamed individual “deleted all navigation data before visiting the Vanityfair.fr website,” used Vanity Fair’s “Cookies Settings” feature to “deactivate” all cookies (“not wishing to consent to the installation of cookies on [his] terminal equipment”), and then “clicked on a link redirecting it to the [Vanity Fair] news article ‘Melania Trump’s Christmas decorations are once again inspiring internet users.’”
Despite the fact that the unnamed individual “was adequately informed [by Vanity Fair France] of the possibility of opposing the placement of cookies” and “clearly expressed opposition … to the placement of cookies on his terminal equipment,” NOYB claims that by using a cookie-identifying extension called “CookieGlasses,” it found that Vanity Fair had transmitted a false “consent” or “authorization to install cookies” on his behalf to “no less than 375 companies,” there enabling those 300-plus companies “to install cookies on the terminal equipment of the [unnamed] person … in the absence of any form of valid consent.”
In short: the individual’s “exercise of the right” to opt of such tracking for the purpose of targeted advertising “was effectively denied.”
According to NOYB, these “processing operations by Condé Nast … as publisher of the website Vanityfair.fr,” amount to infringement of the GDPR, which requires that consumer data be used in “a lawful, fair and transparent manner.” As such, the GDPR states that tracking “may take place only if [a] the user has expressed […] his consent that may result from the appropriate parameters of his connection device or any other device placed under his control.”
More than that, NOYB states that violations of the GDPR can, in fact, give rise to criminal – in addition to civil – liability, and based on Condé Nast’s alleged “dissemination [of] inaccurate personal data,” NOYB claims that the published “committed criminal offenses relating to the processing of personal data.”
With the foregoing in mind, NOYB has asked the French Data Protection Authority to “fully investigate” the matter, “take the necessary measures” to ensure that such alleged conduct does not continue, and “impose effective, proportionate and dissuasive fines” on the responsible parties. Monetary penalties under the GDPR can reach up to 4 percent of annual global turnover or €20 million for entities that run afoul of its requirements, whichever is greater.
Condé Nast’s alleged wrongdoing comes as part of a larger wave of bad acts that see publishers engaging in consent-string fraud, a practice in which “vendors [are] injecting fraudulent consent strings” – i.e., code that communicates whether a user has said “yes” or “no” to allowing their data to be used – “into the digital ad ecosystem” in the wake of the passage of the GDPR, according to Digiday.
In an article in October, Digiday’s Jessica Davies stated that “consent-string fraud is not yet a problem widespread enough to warrant focusing on finding ways to throttle it entirely.” However, if the conduct alleged in NOYB’s complaint against Condé Nast – which was filed along with complaints against two other companies, French eCommerce page CDiscount and movie guide website Allocine.fr, citing similar issues – is any indication, that very well might be changing.
A rep for Condé Nast was not immediately available for comment.