The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).

Much of the focus of the report was on the real-time bidding component of digital advertising, which is a process that allows for nearly instantaneous automated bidding for, and purchasing of, digital advertising space. In the ICO’s view, real-time bidding raises several issues under data protection law, including with respect to transparency, the processing of special category data, establishing an appropriate legal basis, and conducting data protection impact assessments (“DPIAs”). We have summarized a number of the ICO’s concerns about these issues below.

  • Transparency: The ICO found that many controllers’ privacy notices lack sufficient clarity regarding what will happen to the data subject’s information in the digital advertising context. Providing genuine transparency is challenging on account of the complexities and volume of organizations involved in the adtech ecosystem.
  • Special Categories of Personal Data: The ICO found that special categories of personal data such as race, ethnicity, sexual orientation and health information are actively used in the industry for segmentation purposes. Where special category information is involved, the GDPR requires explicit consent in support of the processing. Accordingly, the ICO stated that adtech businesses processing this type of data should modify their approach to obtaining consent or stop processing this type of data altogether.
  • Legal Basis: The ICO has clarified that consent is likely the only available legal basis to rely on under the GDPR for the purposes of real-time bidding. Under the PECR, consent is required prior to the dropping of cookies. Following the implementation of the GDPR, this consent must now meet the GDPR’s consent standard (i.e., it must be freely given, specific, informed and unambiguous). The functioning of the adtech industry in the web context relies on dropping cookies. Generally, site publishers use cookie banners to collect the consent that is required under the PECR.

    Because cookies operate by collecting and communicating personal data under the GDPR (particularly data that identifies the device and data that relates to the behavior or preferences of the individual operating that device), there is a separate requirement under the GDPR to establish a legal basis for the processing that real-time bidding entails. In its report, the ICO states that the scenarios where legitimate interests could be relied upon as a legal basis under the GDPR for real-time bidding are limited and, as such, it is likely that consent will be the only available legal basis for those in the ecosystem conducting “business as usual” real-time bidding. A number of third-party consent management platforms have been created to help adtech players verify that the appropriate information has been provided to the data subject, and consent collected where required, before they use the personal data for advertising purposes. These platforms generally function by presenting website or application visitors with a pop-up that allows them to opt in to the sharing of their personal data with third parties that conduct advertising. This pop-up provides publishers and advertisers the opportunity to provide required disclosures to data subjects and collect consent where required. Where consent is obtained, this signal is transmitted through the adtech ecosystem so that each party using the data can be made aware of what the data subject has or has not consented to. In its report, the ICO generally deemed these consent mechanisms to be insufficient from a data protection law perspective and questioned their practical utility given the number of participants in the adtech ecosystem.
  • Data Protection Impact Assessments: The GDPR requires organizations to conduct data protection impact assessments (“DPIA”) regarding personal data processing activities when certain criteria are met. The ICO noted that a number of its previously published criteria that may trigger the need to conduct a DPIA are in play in the context of real-time bidding. These include the use of new technologies, profiling individuals on a large scale, invisible processing, and tracking of behavior and geolocation data. The ICO also highlighted the use of personal data of children or other vulnerable individuals for marketing purposes, profiling or automated decision making as a relevant trigger. The ICO commented that even though organizations are legally required to perform DPIAs, it has found that DPIA requirements have not been fully recognized by those engaged in real-time bidding, and DPIAs frequently have not been carried out.

The ICO has invited responses to the report from the adtech sector, emphasizing that its aim is to take a “measured and iterative approach” to the issues. The ICO also has recognized that adtech goes hand-in-hand with products and services desired by consumers, and acknowledged the importance of digital advertising to the availability of content online. In the short term, the ICO expects controllers in the adtech industry to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the real-time bidding ecosystem.”