On 22 January 2021, the Information Commissioner’s Office (ICO) announced its resumption of an investigation into real time bidding (RTB) and adtech. The investigation had been put on hold by COVID-19. Simon McDougall, ICO Deputy Commissioner, commented in a statement that “the complex system of RTB uses people’s sensitive personal data to serve adverts and should require people’s explicit consent, which is not happening right now.”

The ICO will continue its investigation with a series of audits focusing on digital market platforms. It will issue assessment notices to specific companies over the coming months, so that it can gauge the state of the industry.

What is adtech?

Adtech (short for advertising technology) is the umbrella term for the software and tools that help agencies and brands target, deliver, and analyse their digital advertising efforts. If you have come across the terms “programmatic” or “omnichannel,” then you may already know a little about what adtech does.

Programmatic advertising, for instance, buys target audiences instead of time slots: Think about buying ad space that reaches a particular demographic wherever it is instead of buying a prime time TV spot and hoping the right people are watching.

Omnichannel marketing reaches target consumers across all channels — mobile, video, desktop, and more — within the context of how they’ve interacted with a brand (those first seeing an ad will receive a different message from those who have engaged with that brand a number of times). Adtech methodologies seek to deliver the right content at the right time to the right consumers, so there’s less wasteful spending.

What is real-time bidding?

Real-time bidding (RTB) is an automated digital auction process that allows advertisers to bid on ad space from publishers on a cost-per-thousand-impressions, or CPM, basis. CPM is what you pay for one thousand people to see your ad. Like an auction, the highest bid from relevant ads will typically win the ad placement.

ICO report

On 20 June 2019 the ICO issued an update report into adtech and real time bidding. Whilst not official ICO guidance, the report identified areas in which the current real time bidding system for programmatic advertising breaches data protection and e-privacy law. In particular the report highlighted:

  • Processing of personal data is taking place unlawfully at the point of collection with adtech companies relying on legitimate interests for placing and/or reading cookies (rather than obtaining the consent the Privacy and Electronic Communications Regulations (PECR) require). Also, adtech companies are unable to demonstrate that they have properly carried out the necessary legitimate interests tests and implemented appropriate safeguards.
  • Processing of special category data is taking place unlawfully as explicit consent is not being collected.
  • Adtech companies may not be carrying out the data protection impact assessments (DPIAs) required.
  • Privacy information provided to individuals lacks clarity whilst also being overly complex. The consent frameworks examined by the ICO (including the IAB Europe Transparency & Consent Framework) ensure neither transparency and fair processing for GDPR purposes generally, nor free and informed consent for GDPR and PECR purposes.
  • The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge. These practices risk breaching the requirements for data minimisation and the storage limitation principles.
  • Adtech companies are inconsistent in their use of technical and organisational measures to secure personal data and do not sufficiently consider how the law applies to international transfers which take place during real time bidding.

Progress so far

In January 2020, the ICO’s Executive Director for Tech Policy and Innovation published a blog about progress so far (Adtech – the reform of real time bidding has started and will continue). He noted the ICO’s continued concern about the issues already raised but added that the Internet Advertising Bureau (IAB UK) and Google are starting to make the changes needed.

The IAB UK has agreed a range of principles that align with the ICO’s concerns, and is developing its own guidance for organisations on security, data minimisation, and data retention, as well as UK-focused guidance on the content taxonomy. It will also educate the industry on special category data and cookie requirements, and continue work on some specific areas of detail (IAB UK sets out actions to address ICO’s real-time bidding concerns, 9 January 2020). Google will remove content categories, and improve its process for auditing counterparties. The ICO also endorses Google’s proposals to phase out support for third party cookies within the next two years. Other UK advertising trade bodies will also produce guidance for their members.

Moving forward

Due to the sensitivity of the work, the ICO will publish its final findings once it has concluded its investigation. In the meantime, Mr McDougall advises organisations operating in the adtech space to urgently assess how they use personal data, in particular their compliance with obtaining individuals’ consent, reliance on legitimate interests, deployment of data protection by design and default, and use of data protection impact assessments.

Using legitimate interests as a legal basis in adtech

Relying on legitimate interests may be more workable than obtaining consent for the large number of behind-the-scenes adtech companies involved in buying, selling and serving advertising. Using legitimate interests rather than consent means that there is no obligation to keep consent records and, perhaps less importantly, that data portability rights (a user’s right to be able to move data between suppliers) are not triggered.

However, the ICO states in its online guidance “When is consent appropriate?” that “If you need consent under e-privacy laws to send a marketing message, then in practice consent is also the appropriate lawful basis under the GDPR”. The ICO Adtech Update expands on this:

  • Trying to apply legitimate interests when GDPR-compliant consent has been obtained would be unnecessary and could confuse individuals.
  • Where an individual has given consent they would expect processing to cease when they withdrew consent. However, an entity relying on legitimate interests might seek to continue processing in this scenario, which would be unfair.

The ICO Adtech Update also makes the point that reliance on legitimate interests for marketing activities is only possible if organisations are able to show that their use of personal data is proportionate, has a minimal privacy impact, and individuals would not be surprised or likely to object. The ICO considers that the processing involved in real time bidding (RTB) cannot meet these criteria and legitimate interests cannot be used for the main bid request processing. The ICO does not rule out use of legitimate interests for other purposes, such as a demand-side platform supplementing a bid request with additional information.

Data protection impact assessments (DPIAs)

Controllers should carry out a Data Protection Impact Assessment (DPIA) before beginning processing that is likely to result in a high risk to the rights and freedoms of individuals (Article 35, GDPR). The ICO has published a list of processing operations likely to result in such a high risk, for which DPIAs are mandatory. The ICO Adtech Update confirms that Real Time Bidding, as used in adtech, involves several such processing operations. The ICO draft Direct Marketing Code states that the type and volume of processing that you can undertake in the online world, and the risks associated with that processing, mean it is highly likely that a DPIA will be required before processing begins.

Data minimisation

The GDPR requires that personal data collected must be limited to what is necessary in relation to the purposes for which it is processed. The ICO Adtech Update states that the creation of detailed profiles, repeatedly updated with information about individuals’ online activities, is disproportionate for the purposes of targeted advertising. It is also intrusive and unfair, in particular as individuals are often unaware that the processing takes place and the privacy information provided does not clearly inform them what is happening.

Data integrity and confidentiality

Under the GDPR, personal data must be stored securely. The ICO Adtech Update noted that real time bidding often involves sharing personal data with adtech companies in non-EU jurisdictions, resulting in international transfers. Further, participants have no real control over the other adtech companies with whom data is shared. Contractual controls are insufficient; appropriate monitoring and technical and organisational controls are also required.

Accountability

Data controllers must be able to demonstrate their compliance with the GDPR. The ICO Adtech Update notes that the complexities of the adtech ecosystem mean that many adtech companies will find it difficult to understand, document and be able to demonstrate how their processing operations work, what they do, who they share any data with, how any processors are vetted and controlled, and how they can enable individuals to exercise their rights.

Accuracy and storage limitation

Other GDPR requirements include that data must be accurate and kept up to date and that personal data must be kept for no longer than is necessary. The ICO Adtech Update highlights the fact that, because of the vast number of adtech companies involved in real time bidding, it is difficult to ensure compliance with these principles. The ICO Cookie Guidance states that it is necessary to check that the duration of any cookies is appropriate; any default durations should be reviewed.

Here to help

Adtech has revolutionised the marketing industry and was firmly in place before the introduction of GDPR in 2018. It is now the ICO’s aim to bring this boom industry in line with UK data protection law. If you have any questions on adtech and data protection, data protection law more generally, or on any of the issues raised in this article, please get in touch with one of our data protection lawyers.