On 20 June 2019, the UK Data Protection Authority, the Information Commissioner, published an update report on her office's review of adtech and real-time bidding (‘RTB’), a form of auctioned online advertising.
The report - which is a progress update rather than formal guidance - raises very significant concerns about the compliance of adtech with the General Data Protection Regulation (‘GDPR’) and the Privacy and Electronic Communications Regulations (‘PECR’). Headline points include:
- Lawful Basis for Personal Data: CONSENT only?
Data controllers involved in RTB need a lawful basis for processing personal data. However, the Commissioner ‘identified a lack of clarity from a significant number of controllers regarding the appropriate lawful basis for processing’.
The Commissioner clarifies the interaction between the PECR and the GDPR, and specifically that the placing of cookies or similar technologies (e.g. SDKs, pixels, tags, browser fingerprinting) on an individual's device (or the reading of information from those technologies) requires the user’s prior consent. This won’t be a surprise to most in the adtech industry.
However, the Commissioner goes on to state that in her view consent is the most ‘appropriate lawful basis’ for the associated subsequent processing of cookie data for the purposes of RTB. This view is, according to the Commissioner, in line with previous guidance, notably the European Data Protection Board opinion on the interplay between GDPR and the e-Privacy Directive, the Article 29 Working Party opinion 02/2010 on online behavioural advertising and the Article 29 Working Party opinion 06/2014 on the notion of legitimate interest.
Accordingly, in the view of the Commissioner, the lawful basis for RTB processing of personal data is consent, i.e. consent both for the placing of the cookie or similar technologies and for the processing of the bid request.
This is a restrictive approach which will be a blow to many in the industry who were hoping for a broader role for legitimate interest in adtech post GDPR, particularly in light of recent positions from other regulators such as the French Data Protection Authority, which suggested that legitimate interest may be permissible for the subsequent processing of cookie data. This approach will also cause problems for any publisher which allows advertising cookies or similar to be placed on a site/app where under 13s use the site/app. This is because Article 8 of the GDPR provides that if an online service is provided to a child (in the UK, under 13) where the lawful basis to process personal data is consent, such consent must be given by the person with parental authority for the child.
Even if an argument for reliance on legitimate interest could be constructed, the Commissioner’s view is that many controllers in this space (i) lack a proper understanding of what legitimate interests requires, (ii) view it as the ‘easy option’ compared to consent, and (iii) are not carrying out legitimate interest balancing tests or implementing appropriate safeguards in practice.
Organisations outside adtech should also be concerned by the restrictive approach to legitimate interests underlying the Commissioner's update. The Commissioner states that legitimate interests is only suitable for use where the processing has "minimal privacy impact" – a statement which is inconsistent with the authoritative guidance on legitimate interests given by the Article 29 Working Party in its Opinion 06/2014 on the notion of legitimate interests, which acknowledged that "the purpose of the Article 7(f) balancing exercise is not to prevent any negative impact on the data subject. Rather its purpose is to prevent disproportionate impact. … For example, the publication of a well-researched and accurate newspaper article on alleged government corruption may damage the reputation of the government officials involved and may lead to significant consequences… but it could still find a basis under Article 7(f)."
- Lawful Basis For Special Category Data: CONSENT ONLY!
Bid requests can include the processing of special category data such as data relating to a person’s politics, religion, ethnic origin, and physical and mental health. Representations had been made to the ICO by the adtech industry that such data would not be used for profiling, but rather to alert advertisers to the nature of the website being visited so that the advertiser can prevent adverts being displayed on unsuitable platforms.
However, as part of its review, the ICO had seen, and references in the update report, certain published protocols suggesting that special category data is used for both targeting and exclusion. In any event, in the ICO's view the purpose of the processing is not determinative. The collection of such data as part of a bid request indicates that the controller is processing special category data, either directly or by inference.
The only lawful basis for processing special category data for the purposes of targeting online advertising would be the explicit consent of the individuals. In the ICO's view, none of the public interest conditions under the Data Protection Act 2018 are applicable. Accordingly, the ICO advises that controllers either collect explicit consent for special category data or do not process this information at all.
- Lack of Transparency
In the RTB context, the ICO considers that privacy notices are often not detailed enough to give an individual an accurate overview of what happens to their data. For the ICO, the complexity and opacity of the adtech ecosystem does not exempt controllers from the transparency obligations under GDPR.
These obligations include specifically naming third party recipients of the personal data where those third parties are relying on the consent obtained by the first party (generally the website or app publisher). The ICO rightly notes that this poses significant practical challenges given the nature of RTB, where the first party may not always have a means of determining which third parties the data will be ultimately shared with.
The IAB TCF seeks, among other matters, to address the transparency challenges under GDPR by providing individuals with an approved vendor list, currently covering 450 organisations. However, according to the Commissioner, the jury is out as to whether the IAB TCF vendor list ‘is of practical use to individuals’.
The ICO also highlighted further gaps with the TCF, notably that even if a publisher uses the framework, personal data may still be shared with parties that are neither participating in the framework nor included on the vendor list. The ICO expresses concern with this, and with data leakage arising from the extensive data sharing in RTB more generally.
Furthermore, detailed user profiles which are continually enriched and shared between thousands of organisations in the ecosystem are also, according to the Commissioner, ‘disproportionate, intrusive and unfair’ particularly where individuals have not been properly informed that their data may be used in this way.
- The Data Supply Chain Is Overextended
The sharing of personal data in the adtech ecosystem is on a massive scale, with many controllers having no direct relationship with the individual to whom the data relates. As the Commissioner notes, one visit to a website, prompting one auction among potentially interested advertisers, can result in an individual’s personal data being seen by hundreds of organisations.
Historically, adtech players had looked to rely on contractual warranties to ensure that the data being shared was compliant with data protection legislation.
However, contract alone is not enough. In accordance with the GDPR principle of accountability, controllers need to be able to ‘demonstrate’ compliance, and pointing to a contractual warranty is not, alone, sufficient to meet this test. Instead, controllers need to monitor partners to ensure that data is fairly and lawfully collected and that appropriate technical and organisational measures are in place.
The Commissioner’s commentary around the limitation of contract is becoming an increasingly common theme in data protection and reflects comments made in other recent enforcement decisions such as the French CNIL’s comments in the Vectaury case (see our article here), and the ICO’s monetary penalty against Facebook for Cambridge Analytica (see our article here).
- All Industry Initiatives: Could Do Better
As part of its review, the ICO consulted with a number of ongoing adtech privacy initiatives including the IAB TCF and proposals from the privacy focussed browser Brave. According to the report, industry initiatives do not yet sufficiently address ICO’s concerns in their current state. Indeed, the ICO also concludes that the model offered by Brave, whose complaint to ICO partially triggered this review, is also not good enough. The ICO does not rule out that such frameworks may address its concerns in the future – although as one of the ICO's comments is that data sharing on this scale is fundamentally excessive, it seems that what the ICO is seeking is a wider change in the industry model.
- Data Protection Impact Assessments (‘DPIA’) Are a Must Do
According to the Commissioner, a DPIA is mandatory where personal data is processed for the purposes of RTB. This is because such processing meets a number of the high risk processing activities identified by ICO in their guidance on DPIAs, such as profiling individuals on a large scale, engaging in invisible processing, and tracking individuals’ behaviour. ICO have ‘little confidence’ that the risks posed by RTB have been properly assessed in this way.
The update report also expresses similar concerns with respect to the GDPR obligations of data minimisation and retention controls.
- Next Steps
The ICO will continue to investigate the data protection considerations of RTB and will undertake further information-gathering and engagement with stakeholders. The ICO advises adtech controllers to re-evaluate their approach to privacy notices, the lawful bases for their processing and their use of personal data – and to expect follow-up research.
In the foreword to the report, the Commissioner acknowledges that this is a complex area and that online advertising funds much current content, and promises to take a ‘measured and iterative approach’ before undertaking a further review in six months’ time. Although the Commissioner concludes her preface by noting that "companies do not need to choose between innovation and privacy", it is difficult to reconcile the more measured language of the foreword with the later comments, which suggest fundamental concerns about many aspects of RTB.