On 20 June 2019, the UK Data Protection Authority, the Information Commissioner, published an update report on her office's review of adtech and real-time bidding (‘RTB’), a form of auctioned online advertising.
The report - which is a progress update rather than formal guidance - raises very significant concerns about the compliance of adtech with the General Data Protection Regulation (‘GDPR’) and the Privacy and Electronic Communications Regulations (‘PECR’). Headline points include:
The Commissioner is asking adtech controllers to re-evaluate their practices. But while the report outlines the deficiencies, it does not provide any innovative solutions for meeting the lawful bases and transparency requirements in RTB. This leaves a significant question mark over the extent to which RTB is compatible with GDPR and PECR.
What is Adtech & Real Time Bidding:
Broadly speaking, adtech means the various advertising technologies which analyse and process personal data for the purpose of serving online advertising to individuals. The ICO's report focuses in particular on RTB, a subset of adtech involving the buying and selling of online advertising space in real time for displaying adverts on webpages and apps.
RTB, and adtech more generally, involve web and cross-device tracking, which is one of the regulatory priorities outlined in the Commissioner’s Technology Strategy for 2018-2021.
While RTB is the focus of the report, it is not the only aspect of adtech which the Commissioner is reviewing.
What are the ICO's key concerns?
Data controllers involved in RTB need a lawful basis for processing personal data. However, the Commissioner ‘identified a lack of clarity from a significant number of controllers regarding the appropriate lawful basis for processing’.
The Commissioner clarifies the interaction between the PECR and the GDPR, and specifically that the placing of cookies or similar technologies (e.g. SDKs, pixels, tags, browser fingerprinting) on an individual's device, or the reading of information from those technologies, requires the user’s prior consent. This won’t be a surprise to most in the adtech industry.
However, the Commissioner goes on to state that in her view consent is the most ‘appropriate lawful basis’ for the associated subsequent processing of cookie data for the purposes of RTB. This view is, according to the Commissioner, in line with previous guidance, notably the European Data Protection Board opinion on the interplay between the GDPR and the e-Privacy Directive, the Article 29 Working Party Opinion 02/2010 on online behavioural advertising and the Article 29 Working Party Opinion 06/2014 on the notion of legitimate interest.
Accordingly, in the view of the Commissioner, the lawful basis for the processing of personal data in RTB is consent, i.e. consent both for the placing of the cookie or similar technologies and for the processing of the bid request.
This is a restrictive approach which will be a blow to many in the industry who were hoping for a broader role for legitimate interest in adtech post-GDPR, particularly in light of recent positions from other regulators such as the French Data Protection Authority, which suggested that legitimate interest may be permissible for the subsequent processing of cookie data. This approach will also cause problems for any publisher which allows advertising cookies or similar technologies to be placed on a site/app used by under 13s. This is because Article 8 of the GDPR provides that where an online service is provided to a child (in the UK, under 13) and the lawful basis to process personal data is consent, such consent must be given by the person with parental authority for the child.
Even if an argument for reliance on legitimate interest could be constructed, the Commissioner’s view is that many controllers in this space (i) lack a proper understanding of what legitimate interests requires, (ii) view it as the ‘easy option’ compared to consent, and (iii) are not carrying out legitimate interest balancing tests or implementing appropriate safeguards in practice.
Organisations outside adtech should also be concerned by the restrictive approach to legitimate interests underlying the Commissioner's update. The Commissioner states that legitimate interests is only suitable for use where the processing has "minimal privacy impact" – a statement which is inconsistent with the authoritative guidance on legitimate interests given by the Article 29 Working Party in its Opinion 06/2014 on the notion of legitimate interests, which acknowledged that "the purpose of the Article 7(f) balancing exercise is not to prevent any negative impact on the data subject. Rather its purpose is to prevent disproportionate impact. … For example, the publication of a well-researched and accurate newspaper article on alleged government corruption may damage the reputation of the government officials involved and may lead to significant consequences… but it could still find a basis under Article 7(f)."
Bid requests can include the processing of special category data such as data relating to a person’s politics, religion, ethnic origin, and physical and mental health. Representations had been made to the ICO from the adtech industry that such data would not be used for profiling, but rather to alert advertisers to the nature of the website being visited so that the advertiser can prevent adverts being displayed on unsuitable platforms.
However, as part of its review, the ICO had seen, and references in the update report, certain published protocols suggesting that special category data is used for both targeting and exclusion. In any event, in the ICO's view the purpose of the processing is not determinative. The collection of such data as part of a bid request indicates that the controller is processing special category data, either directly or by inference.
The only lawful basis for processing special category data for the purposes of targeting online advertising would be the explicit consent of the individuals. In the ICO's view, none of the public interest conditions under the Data Protection Act 2018 are applicable. Accordingly, the ICO advises that controllers either collect explicit consent for special category data or do not process this information at all.
In the RTB context, the ICO considers that privacy notices are often not detailed enough to give an individual an accurate overview of what happens to their data. For the ICO, the complexity and opacity of the adtech ecosystem does not exempt controllers from the transparency obligations under GDPR.
These obligations include specifically naming third party recipients of the personal data where those third parties are relying on the consent obtained by the first party (generally the website or app publisher). The ICO rightly notes that this poses significant practical challenges given the nature of RTB, where the first party may not always have a means of determining which third parties the data will be ultimately shared with.
The IAB Transparency and Consent Framework (‘TCF’) seeks, among other matters, to address the transparency challenges under the GDPR by providing individuals with an approved vendor list, currently covering 450 organisations. However, according to the Commissioner, the jury is out as to whether the IAB TCF vendor list ‘is of practical use to individuals’.
The ICO also highlighted further gaps with the TCF, notably that even if a publisher uses the framework, personal data may still be shared with parties that are not participating in the framework or included on the vendor list. The ICO expresses concern with this, and with data leakage arising from the extensive data sharing in RTB more generally.
Furthermore, detailed user profiles which are continually enriched and shared between thousands of organisations in the ecosystem are also, according to the Commissioner, ‘disproportionate, intrusive and unfair’ particularly where individuals have not been properly informed that their data may be used in this way.
The sharing of personal data in the adtech ecosystem is on a massive scale, with many controllers having no direct relationship with the individual to whom the data relates. As the Commissioner notes, one visit to a website, prompting one auction among potentially interested advertisers, can result in an individual’s personal data being seen by hundreds of organisations.
Historically, adtech players had looked to rely on contractual warranties to ensure that the data being shared was compliant with data protection legislation.
However, contract alone is not enough. In accordance with the GDPR principle of accountability, controllers need to be able to ‘demonstrate’ compliance, and pointing to a contractual warranty is not, alone, sufficient to meet this test. Instead, controllers need to monitor partners to ensure that data is fairly and lawfully collected and that appropriate technical and organisational measures are in place.
The Commissioner’s commentary around the limitation of contract is becoming an increasingly common theme in data protection and reflects comments made in other recent enforcement decisions such as the French CNIL’s comments in the Vectaury case (see our article here), and the ICO’s monetary penalty against Facebook for Cambridge Analytica (see our article here).
As part of its review, the ICO consulted with a number of ongoing adtech privacy initiatives, including the IAB TCF and proposals from the privacy-focused browser Brave. According to the report, industry initiatives do not yet sufficiently address the ICO’s concerns in their current state. Indeed, the ICO also concludes that the model offered by Brave, whose complaint to the ICO partially triggered this review, is also not good enough. The ICO does not rule out that such frameworks may address its concerns in the future – although, as one of the ICO's comments is that data sharing on this scale is fundamentally excessive, it seems that what the ICO is seeking is a wider change in the industry model.
According to the Commissioner, a DPIA is mandatory where personal data is processed for the purposes of RTB. This is because such processing meets a number of the high-risk processing activities identified by the ICO in its guidance on DPIAs, such as profiling individuals on a large scale, engaging in invisible processing, and tracking individuals’ behaviour. The ICO has ‘little confidence’ that the risks posed by RTB have been properly assessed in this way.
The update report also expresses similar concerns with respect to the GDPR obligations of data minimisation and retention controls.