The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).
Much of the focus of the report was on the real-time bidding component of digital advertising, which is a process that allows for nearly instantaneous automated bidding for, and purchasing of, digital advertising space. In the ICO’s view, real-time bidding raises several issues under data protection law, including with respect to transparency, the processing of special category data, establishing an appropriate legal basis, and conducting data protection impact assessments (“DPIAs”). We have summarized a number of the ICO’s concerns about these issues below.
- Transparency: The ICO found that many controllers’ privacy notices lack sufficient clarity regarding what will happen to the data subject’s information in the digital advertising context. Providing genuine transparency is challenging on account of the complexities and volume of organizations involved in the adtech ecosystem.
- Special Categories of Personal Data: The ICO found that special categories of personal data, such as race, ethnicity, sexual orientation and health information, are actively used in the industry for segmentation purposes. Where special category information is involved, the GDPR requires explicit consent in support of the processing. Accordingly, the ICO stated that adtech businesses processing this type of data should modify their approach to obtaining consent or stop processing this type of data altogether.
- Legal Basis: The ICO has clarified that consent is likely the only available legal basis to rely on under the GDPR for the purposes of real-time bidding. Under the PECR, consent is required prior to the dropping of cookies. Following the implementation of the GDPR, this consent must now meet the GDPR’s consent standard (i.e., it must be freely given, specific, informed and unambiguous). The functioning of the adtech industry in the web context relies on dropping cookies. Generally, site publishers use cookie banners to collect the consent that is required under the PECR.
- Data Protection Impact Assessments: The GDPR requires organizations to conduct DPIAs regarding personal data processing activities when certain criteria are met. The ICO noted that a number of its previously published criteria that may trigger the need to conduct a DPIA are in play in the context of real-time bidding. These include the use of new technologies, profiling individuals on a large scale, invisible processing, and tracking of behavior and geolocation data. The ICO also highlighted the use of personal data of children or other vulnerable individuals for marketing purposes, profiling or automated decision-making as a relevant trigger. The ICO commented that even though organizations are legally required to perform DPIAs, it has found that DPIA requirements have not been fully recognized by those engaged in real-time bidding, and DPIAs frequently have not been carried out.
The ICO has invited responses to the report from the adtech sector, emphasizing that its aim is to take a “measured and iterative approach” to the issues. The ICO also has recognized that adtech goes hand-in-hand with products and services desired by consumers, and acknowledged the importance of digital advertising to the availability of content online. In the short term, the ICO expects controllers in the adtech industry to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the real-time bidding ecosystem.”