Data Protection Law
On 22 January 2021, the Information Commissioner’s Office (ICO) announced its resumption of an investigation into real time bidding (RTB) and adtech. The investigation had been put on hold by COVID-19. Simon McDougall, ICO Deputy Commissioner, commented in a statement that “the complex system of RTB uses people’s sensitive personal data to serve adverts and should require people’s explicit consent, which is not happening right now.”
The ICO will continue its investigation with a series of audits focusing on digital market platforms. It will issue assessment notices to specific companies over the coming months, so that it can gauge the state of the industry.
What is adtech?
Adtech (short for advertising technology) is the umbrella term for the software and tools that help agencies and brands target, deliver, and analyse their digital advertising efforts. If you have come across the terms “programmatic” or “omnichannel,” then you may already know a little about what adtech does.
Programmatic advertising, for instance, buys target audiences instead of time slots: think about buying ad space that reaches a particular demographic wherever it is, instead of buying a prime time TV spot and hoping the right people are watching.
Omnichannel marketing reaches target consumers across all channels — mobile, video, desktop, and more — within the context of how they’ve interacted with a brand (those first seeing an ad will receive a different message from those who have engaged with that brand a number of times). Adtech methodologies seek to deliver the right content at the right time to the right consumers, so there’s less wasteful spending.
What is real-time bidding?
Real-time bidding (RTB) is an automated digital auction process that allows advertisers to bid on ad space from publishers on a cost-per-thousand-impressions, or CPM, basis. CPM is what you pay for one thousand people to see your ad. Like an auction, the highest bid from relevant ads will typically win the ad placement.
On 20 June 2019 the ICO issued an update report into adtech and real time bidding. The report was unofficial and highlighted ways in which advertising technology was in many cases systemically breaking data protection and e-privacy laws. Particular concerns included:
- Adtech companies are not collecting personal data lawfully when dealing with customer cookies because, instead of relying on consent (as stated in the Privacy and Electronic Communications Regulations (PECR)), they are using legitimate interests as their legal basis. Even if legitimate interests were the correct basis, a data processor would need to carry out a variety of tests and impose safeguards on data collected on that basis. Many adtech companies are therefore also failing to apply the legitimate interests basis correctly, quite apart from the fact that it is the wrong basis to begin with.
- Explicit consent is not being obtained when processing special categories of data.
- Data Protection Impact Assessments are either not being carried out when necessary or being carried out incorrectly.
- Privacy notices are not giving data subjects the information they need to be informed under GDPR and PECR. They are also undermining the transparency principle expected of all data processors.
- Detailed profiles are being created on potential targets for advertising and are then shared among hundreds of bidders. The data minimisation and storage limitation principles are being undermined for this reason.
- Security measures to ensure personal data is protected and appropriate safeguards when transferring data internationally are often being undermined or ignored.
Progress so far
In January 2020, the ICO’s Executive Director for Tech Policy and Innovation published a blog about progress so far (Adtech – the reform of real time bidding has started and will continue). He noted the ICO’s continued concern about the issues already raised but added that the Internet Advertising Bureau (IAB UK) and Google are starting to make the changes needed.
The IAB UK has responded to pressure from the ICO and aims to make the sector more aware of data protection principles. It recognises the need to address issues related to cookies and special categories of data and will publish UK-focused guidance (IAB UK sets out actions to address ICO’s real-time bidding concerns, 9 January 2020). The ICO has supported Google’s decision to phase out third-party cookies over the next two years, which is indicative of the changing landscape of online marketing.
Due to the sensitivity of the work, the ICO will publish its final findings once it has concluded its investigation. In the meantime, Mr McDougall advises organisations operating in the adtech space to urgently assess how they use personal data, in particular their compliance with obtaining individuals’ consent, reliance on legitimate interests, deployment of data protection by design and default and use of data protection impact assessments.
Using legitimate interests as a legal basis in adtech
Using legitimate interests as the legal basis for adtech has become commonplace. This is unsurprising given that it means no mechanism to obtain or record consents is needed.
The ICO online guidance “When is consent appropriate?” says that ‘If you need consent under e-privacy laws to send a marketing message, then in practice consent is also the appropriate lawful basis under the GDPR’. The ICO Adtech Update expands on this:
- Trying to apply legitimate interests when GDPR-compliant consent has been obtained would be unnecessary and could confuse individuals.
- Where an individual has given consent they would expect processing to cease when they withdrew consent. However, an entity relying on legitimate interests might seek to continue processing in this scenario, which would be unfair.
The ICO Adtech Update also makes the point that reliance on legitimate interests for marketing activities is only possible if organisations are able to show that their use of personal data is proportionate, has a minimal privacy impact, and individuals would not be surprised or likely to object. The ICO considers that the processing involved in real time bidding (RTB) cannot meet these criteria and legitimate interests cannot be used for the main bid request processing. The ICO does not rule out use of legitimate interests for other purposes, such as a demand-side platform supplementing a bid request with additional information.
Data protection impact assessments (DPIAs)
Controllers should carry out a Data Protection Impact Assessment (DPIA) before beginning processing that is likely to result in a high risk to the rights and freedoms of individuals (Article 35, GDPR). The ICO has published a list of processing operations likely to result in such a high risk, for which DPIAs are mandatory. The ICO Adtech Update confirms that Real Time Bidding, as used in adtech, involves several such processing operations. The ICO draft Direct Marketing Code states that the type and volume of processing that you can undertake in the online world, and the risks associated with that processing, mean it is highly likely that a DPIA will be required before processing begins.
The GDPR requires that personal data collected must be limited to what is necessary in relation to the purposes for which it is processed. The ICO Adtech Update states that the creation of detailed profiles, repeatedly updated with information about individuals’ online activities, is disproportionate for the purposes of targeted advertising. It is also intrusive and unfair, in particular as individuals are often unaware that the processing takes place and the privacy information provided does not clearly inform them what is happening.
Data integrity and confidentiality
Under the GDPR, personal data must be stored securely. The ICO Adtech Update noted that real time bidding often involves sharing personal data with adtech companies in non-EU jurisdictions, resulting in international transfers. Further, participants have no real control over the other adtech companies with whom data is shared. Contractual controls are insufficient; appropriate monitoring and technical and organisational controls are also required.
Data controllers must be able to demonstrate their compliance with the GDPR. The ICO Adtech Update notes that the complexities of the adtech ecosystem mean that many adtech companies will find it difficult to understand, document and be able to demonstrate how their processing operations work, what they do, who they share any data with and how any processors are vetted and controlled; and how they can enable individuals to exercise their rights.
Accuracy and storage limitation
Other GDPR requirements include that data must be accurate and kept up to date and that personal data must be kept for no longer than is necessary. The ICO Adtech Update highlights the fact that because of the vast number of adtech companies involved in real time bidding it is difficult to ensure compliance with these principles. The ICO Cookie Guidance states that it is necessary to check that the duration of any cookies is appropriate; any default durations should be reviewed.
Here to help
Adtech has revolutionised the marketing industry and was firmly in place before the introduction of GDPR in 2018. It is now the ICO’s aim to bring this boom industry in line with UK data protection law. If you have any questions on adtech and data protection, data protection law more generally, or on any of the issues raised in this article, please get in touch with one of our data protection lawyers.