UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis.

By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker

The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech sector’s use of personal data in RTB scenarios. The ICO Report notes widespread compliance concerns that, in some cases, the ICO does not consider “will be addressed without intervention.” Organizations in this field should expect potentially more vigorous investigations and enforcement action if the ICO’s concerns are not addressed.

RTB is an online ad-buying process by which advertising space on websites is bought and sold via an instantaneous “programmatic” auction. During the auction process, a wide range of data (mostly originated from cookies) can be shared with multiple advertisers who place real time bids for relevant ad space. 

The ICO Report sets out the ICO’s key areas of concern, in particular a lack of:

  • Transparency/clarity in privacy notices
  • Lawful bases for processing
  • Explicit consent for processing sensitive category data
  • Limits on data processing to what is strictly needed in an RTB context
  • Appropriate protection for personal data in this ecosystem, including an over-reliance on contractual commitments

The ICO Report also emphasizes that the vast number of personal data profiles created and shared in RTB scenarios appear to the ICO to be “disproportionate, intrusive and unfair, particularly when in many cases data subjects are unaware that this processing is taking place.

The ICO’s short-term plan to address these concerns involves continuing to:

  • Obtain submissions from relevant companies on their management of bid request data
  • Consult with the Interactive Advertising Bureau Europe (IAB) and Google about the schema they are using in their respective RTB frameworks to identify whether data fields are excessive and intrusive
  • Share information with other European data protection regulators

The ICO stated that it may also undertake a further industry review in six months and follow up with an additional report. In the meantime, the ICO stressed that it expects data controllers in the adtech industry to re-evaluate their approach to: (i) privacy notices; (ii) use of personal data; and (iii) the lawful basis they apply within the RTB ecosystem, stating that it “want[s] to see change in how things are done.

The ICO’s concerns go to the heart of the RTB ecosystem and whether its infrastructure is capable of alignment with data protection compliance. However, practical steps that concerned organizations in this space could consider include:

  • Conducting data protection impact assessments in relation to the use of bid request data
  • Reviewing and updating privacy notices
  • Reviewing the lawful basis organizations rely on for processing bid request data, in particular any consent mechanisms
  • Reviewing the ICO’s recent guidance on the use of cookies and similar technologies, as discussed in Latham’s recent blog post
  • Preparing to respond to queries from the ICO as part of its industry review

In-depth

The ICO Report provided an overview of the adtech landscape, describing the key players and the use of personal data in the many stages of the RTB process and data supply chain, with a focus on public auctions in programmatic advertising. The ICO described how RTB is facilitated by protocols governing how data is collected and shared, and how adverts are served, considering, for the purposes of the ICO Report:

The ICO highlighted that personal data is processed throughout the adtech ecosystem, from the transmission of bid requests through to the creation and augmentation of customer profiles, giving rise to numerous risks of non-compliance. Such risks are heightened by the fact that “many individuals have a limited understanding of how the ecosystem processes their personal data” and led the ICO to comment that such operations are “likely to result in a high risk to the rights and freedoms of individuals.”

The ICO focussed in particular on the following key issues:

  • Lawful basis: The lack of clarity around the appropriate legal basis for processing personal data under the General Data Protection Regulation (GDPR), and how this aligned with the requirements under the E-Privacy Directive, as implemented in the UK through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
    • Under the GDPR: Controllers require a lawful basis under Article 6 to process personal data, and an additional lawful basis under Article 9 to process special category data (relating to health, ethnicity, political opinions, etc.). The ICO did not analyze in detail to what extent data in the adtech ecosystem constitutes personal data, but seems to have taken a broad approach.
    • Under the PECR: Organizations need to provide notice of the purposes of any cookie or similar technologies, and obtain prior consent (to a GDPR standard) to use cookies or similar technologies. The ICO found that most controllers focussed on GDPR instead of PECR, and that the requirements were “at best not fully understood or at worst ignored.” The ICO stated that for the purposes of compliance with the applicable obligations under PECR in this context, whether the information being stored or accessed is personal data is irrelevant.
  • The ICO broke down its analysis further depending on the type of personal data processed:
    • Non-special category personal data: The ICO indicated that meeting the “legitimate interests” lawful basis requirement when processing within RTB is impossible, emphasizing that this is only a viable condition when the “use of the personal data is proportionate, has a minimal privacy impact and individuals would not be surprised or likely to object.” The ICO concluded, therefore, that consent is required under Article 6 GDPR. While this perspective accords with the Google Authorized Buyers’ Framework (which mandates consent as the lawful basis of processing), it diverges from the IAB approach (which suggests not only consent, but also legitimate interest as the lawful basis of processing).
    • Special category data: The ICO emphasized that processing special category data “constitutes the area of greatest potential harm to individuals,” that controllers cannot rely on legitimate interests to process this data, and that “the only applicable condition is explicit consent”. The ICO identified that Open RTB and TCF, as well as the Google Authorized Buyers’ Framework, contain fields for advertisers that relate to special category data, and concluded that the current consent requests provided under both protocols are non-compliant and should be modified to collect explicit consent. Failing this, special category data should not be processed.
  • Lack of transparency: The ICO acknowledged the challenges of providing the transparency information required by Articles 13 and/or 14 of the GDPR, including that “organisations cannot always provide the information required, particularly as they sometimes do not know with whom the data will be shared,” but also stated that that this does not mean that the requirements can be ignored. Unfortunately the ICO Report does not provide organizations faced with these inherent challenges with practical guidance on how to comply with these requirements.
  • Accountability & data supply chain: Linked with transparency concerns, the ICO expressed its view that RTB market participants may not always fully understand how RTB frameworks function or how the processing of personal data works in this context, preventing them demonstrating compliance with the GDPR under the accountability principle. In addition, the complex data supply chain results in security and data sharing issues, and the ICO considers that contractual obligations are insufficient to discharge controllers’ GDPR obligations to protect personal data. This reflects previous ICO guidance that it is not sufficient to rely on mere contractual indemnities when sharing personal data with an unspecifiable number of companies, without fully evaluating and addressing the risk of these counterparties, and a controller’s role under the GDPR must involve active monitoring of what happens to personal data once shared.
  • Data protection impact assessments (DPIAs): The ICO Report reminds controllers that the ICO has published a list of processing operations likely to result in a high risk that necessitate a DPIA and highlighted that RTB “attaches to a number of examples on this list,” such as the use of new technologies, large-scale profiling, “invisible processing,” tracking of geolocation or behavior, and use of personal data of children or vulnerable individuals for marketing. The ICO considers therefore that organizations involved in RTB are “legally required to perform DPIAs.”

The ICO concludes with next steps that:

  • Following continued engagement to obtain more information, the ICO may undertake a further industry review in six months’ time and that the scope and nature of such an exercise “will depend on [the ICO’s] findings over the forthcoming months.
  • Following these initial activities, the ICO will continue to focus on both RTB and adtech in general, and may issue a further update report in 2020.

In the meantime, the ICO emphasizes that it expects data controllers in the adtech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful basis they apply within the RTB ecosystem.

The ICO Report has, unsurprisingly, generated attention in the industry, with the IAB issuing a press statement welcoming the ICO Report, but also highlighting the opportunity “to clarify some of the misconceptions in the Report’s description of the features and functionality of [its framework].”

The ICO Report is also part of a pattern of increased regulatory scrutiny on the adtech industry, including the French supervisory authority’s recent action against Google for invalid consent for targeted marketing, as well as its decisions in four cases on targeted advertising and privacy consent practice, and updated guidance from the Dubai International Financial Centre regarding marketing practices. In addition, the ICO has also recently published new guidance on cookies, clarifying the standard for consent in relation to the use of cookies (including the application of transparency requirements to the use of third-party cookies, such as those provided by advertising networks).

Latham will continue to monitor these developments.