“If you operate in the adtech space, it’s time to look at what you’re doing now, and to assess how you use personal data.” (the Information Commissioner’s Office)

The UK’s data protection regulator has addressed its concerns with how personal data is being used in real time bidding (“RTB”); the process of how advertising space on websites is bought and sold. The Information Commissioner has made clear that there should not be a choice between innovation and privacy – both can be achieved if the right approach is taken.

In its recently published report, the Information Commissioner’s Office (the “ICO”)  expresses the following concerns about data protection non-compliance by participants in the adtech industry:

1. The creation and sharing of individuals’ profiles are “disproportionate, intrusive and unfair” and are being repeatedly shared without the individual’s knowledge.
   The ICO feels that the vast amounts of data that is used in RTB which builds individuals’ profiles is disproportionate, intrusive and unfair. This is especially true given that individuals are often unaware that it is happening.
2. Privacy information provided to individuals is overly complex and lacks clarity.
   Whilst acknowledging the complexity of RTB, the concern expressed by the ICO is that the privacy information provided does not provide individuals with a clear picture of what happens to their data. In particular the ICO notes that organisations must document and be able to demonstrate how their processing operations work, what they do, who they share data with and individuals can exercise their rights. The very nature of RTB with its long and complex data supply chains makes this extremely challenging not least because the sharing of data with other parties varies according to the bid request. Indeed the ICO acknowledges that even if such information is made available whether individuals would read it, a common problem for privacy notices more generally.
3. Incorrect legal ground used for placing of cookies/tracking technologies.
   The ICO’s report states that market participants seem to be unclear about the rules governing the use of cookies, particularly the requirement to obtain an individual’s prior consent (meeting the GDPR threshold for consent) for the use of cookies, which is separate from (and additional to) the requirement for a valid lawful basis under the GDPR.
4. Challenging reliance on legitimate interests as legal ground for the use of personal data within RTB.
   The ICO’s report appears to confirm the direction of travel amongst European regulators, that consent is the most appropriate legal basis for the processing of personal data in the RTB context. Legitimate interests can only be used where the use of personal data is proportionate, has a minimal privacy impact and individuals would not be surprised or likely to object. The ICO considers this to be very unlikely to be the case due to the intrusive nature of processing within RTB.
5. Sharing individuals’ special category personal data without their explicit consent.
   Data protection law requires that in order to process data relating to health, political views, religion, ethnicity, race, or sex life in the RTB context, a special condition must be met, which in this case is explicit consent.  Whilst this is not the majority of personal data processed, the ICO makes it clear that this includes both the direct processing of such data or by inference. The ICO considers that existing consent mechanisms do not provide for this standard of consent and must be modified for the processing of particularly sensitive data or organisations must revisit whether they should process this data at all.
6. Lack of data protection impact assessments (“DPIAs”) being undertaken.
   The report makes clear that processing of personal data in the context of RTB is a perfect example of where DPIAs are considered mandatory for the purposes of data protection law.  In particular, they use new technologies, involve profiling on a large scale, track geolocation or behaviour, include data that is collected indirectly and may involve the use of data about children or other vulnerable groups. DPIAs are a key tool to identifying and mitigating privacy risks for organisations operating in this space.
7. Non-compliance with key data protection principles: technical and organisational measures; international transfers of personal data; data minimisation and data retention.
   The nature of data sharing within the process of RTB leads to a risk of “data leakage” which the ICO has concluded cannot simply be dealt with by putting contractual controls in place between parties sharing data. The ICO points to the important addition of the accountability principle under the GDPR which requires organisations to demonstrate how they comply with the data protection principles, for example through establishing processes and implementing policies to ensure such contractual standards are satisfied in practice.

The ICO’s concerns target the heart of the adtech industry. The report leaves the industry with six months to create innovative solutions which embed individuals’ privacy in the RTB process, with little guidance and suggested solutions on how this can be done in a compliant way.  Importantly, the ICO appreciates the value of RTB as an “innovative means” of advertising and has consciously taken a “measured and iterative” approach to its assessment of the adtech industry. The ICO also plans to continue to engage with the industry and other European data protection regulators. However it is looking to the ad tech industry and  expecting changes over the next six months to address the concerns summarised above – watch this space.

• Share this blog

• Twitter
• Facebook
• Linkedin