Adblock detection and the EU GDPR

eu flag stars

Does not apply

The full current text of the EU GDPR is now available online.

After reading the entire document, what is clear is that the “personal data” protections afforded by the GDPR do not apply to the vast majority of anti-adblock defenses used by publishers (including BlockAdblock).

Why should we care about the GDPR?

WikiWand has puts it like this:

“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations;”

There are few provisions that clarify the (non) application of GDPR “personal data” regulations to anti-adblock defenses beyond any doubt, but Section 26 is as clear as can be:

Section 26 – (emphasis mine)

“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information…”

Adblock detection does not involve “personally identifiable data”

As discussed in previous posts — the most common methodology for Adblock detection involves using javascript to verify the presence (or absence) or simple, non user-specific DOM elements.

Since basic javascript confirmation of DOM elements is neither personal nor identifiable — and more importantly does not require any external network communication whatsoever, the notion that Adblock “detection” constitutes a use of “personally identifiable data” — let alone personal data transmission — is clearly false. (As discussed previously)

The GDPR’s “personal data” protection measures by definition do not apply.

To summarize, when we talk about “Adblock detection”:

  • We are not talking about “personal data” as defined by the EU.
  • We are not talking about personal data transmission or communication to a server.
  • We are not talking about storage of personal data.
  • In no way are individuals identifiable as a result of Adblock detection.

Not only is the information anonymous and non-user specific — it never leaves the client.

Could there be some Adblock detection methods that do do things in a way that does violate the GDPR? Sure, that’s possible. Except I’ve never seen or heard of one.

Adblock detection is in the clear.

(But that’s not what should be concerning activists)

BlockAdblock clearly sits comfortably within EU regulations on the “personal data” grounds of the GDPR. By my reading, any claim that Adblock detection is “inherently illegal” under the GDPR is clearly false.

In my humble opinion Adblock detection under the GDPR isn’t what should be concerning privacy activists … what should probably concern all of us is the bombshell buried in the final sentence of Section 47.  Just a tip, folks.

Thanks for reading.

 

  • David King

    Any UK websites that allow us to register with them are obligated to remove all adverts anyway. Under S.11 of the DPA we can opt-out of all direct marketing by whatever means. Once we’ve registered for an online newspaper for example, the UK data controller will need to obtain our consent to serve us with third party direct marketing that is served to us while we’re logged in to the website. And if we opt-out under Section 11 of the DPA, then any adverts for the company will have to be removed.

    I clarfied this with the ICO back in 2008 but they never put it into guidance becuase they didn’t want to deal with the backlash. However, the law has changed recently and individuals can now claim compensation in the small claims court for any abuse of their data protection rights.