The ICO issues an Opinion on the privacy challenges impacting the adtech industry

The content of the Opinion

This Opinion is a reminder of the ICO’s position that current approaches adopted within the adtech industry are not compliant with data protection law. However, perhaps more concerning for those providing or using adtech solutions is that the Commissioner believes new solutions in development - in part in response to the ICO’s 2019 report on adtech and RTB (the ‘Report’) - still leave much to be resolved. This Opinion and its “privacy standards” are called a “warning” in the press release (here).

The Opinion is wide ranging, and cuts between summarising the state of play and a closer look at some key areas where there are specific concerns. The Commissioner explicitly repeats and reiterates points already made, signposts specific guidance and refers to previous work.

A consistent theme is the ICO’s cross-over with the Competitions and Markets Authority (‘CMA’), another regulator with a history of investigations into the adtech sector. The Opinion reflects the tensions at play between achieving compliant privacy solutions as against cultivating a fair and competitive landscape in the complicated adtech ecosystem. The ICO does believe that these differences can be reconciled and the two regimes, and their respective objectives, are not “tradeable”.

ICO observations on adtech

Reflections on work to date

The Opinion reflects on the progress made by the industry since the ICO’s Report. In short, the Opinion states that the proposed alternatives are not yet sufficiently “mature” to assess in detail, but they equally have not “fully shown how they demonstrate […] compliance”. It notes that the Report remains valid and should apply to any new adtech initiatives proposed today.

Recent developments

Reflecting on adtech developments, the Opinion gives a brief overview of the market, noting that there are “significant tensions” with efforts to replace the use of cookies and other technologies – in particular between the adtech market, browser operators and mobile platform operators. In doing so, the Opinion refers to:

• browser updates by the likes of Apple, Brave Software, Microsoft and Mozilla which attempt to limit tracking online;
• operating system and mobile changes to limit tracking online, such as Apple’s App Tracking Transparency (ATT) framework; and
• efforts to remove third party cookies with new technologies, with particular attention devoted to Google’s Privacy Sandbox.

In doing so, the ICO makes two points:

1. it warns against new technologies that might emerge without the required privacy safeguards, that essentially “repackage” the perceived concerns that exist within the adtech ecosystems today; and
2. that it may choose to assess the impact of browser and software developments in more detail in due course. From the narrative of the Opinion, it appears that the ICO is placing this work out of scope for now but may revisit this in future.

Google Privacy Sandbox

One main element of the Opinion is the ICO’s reflections on Google’s Privacy Sandbox. The tone here shifts to remind readers of existing ICO guidance on the use of cookies and similar technologies, and their likely application to Privacy Sandbox. It equally notes that Google’s proposals are all at very different stages of development and maturity.

The ICO sets out that it needs further information from Google on how its proposals will meet data protection law and PECR requirements. In addition, in the context of the introduction of Privacy Sandbox, the ICO warns the industry more broadly that new technologies should not “introduce additional privacy threat vectors or lead to increased use of fingerprinting or both”.

Reflections on user preference tools and identifier-based trackers

A brief overview of emerging tools covers those aimed at improving user choice and users’ ability to express preferences with online tracking, and pays particular attention to the IAB’s Transparency and Consent Framework, the Global Privacy Control, RESPECTeD Advanced Data Protection Control and Identifier-based trackers. The Commissioner’s reflections here are critical, do not pick out any success stories, and note that the ICO may re-examine this market in more detail, and in collaboration with other authorities, at a future date.

Concerns with misconceptions and data protection

The Opinion covers “several issues or misconceptions” surrounding adtech which the Commissioner attempts to dispel and clarify. These points were initially identified in the ICO’s joint statement with the CMA in May 2021, and they all have a competition connection. These areas seem quite elementary for organisations familiar with the use of data in adtech, but are clearly issues the ICO regularly encounters given the Commissioner dedicates 11 pages to these misconceptions:

• First and third-party cookies – the Commissioner rejects a view it claims is held by some, that first party cookies are inherently lower risk than third party cookies. The Commissioner acknowledges that the terms have different meanings in different contexts, but emphasises that risk ultimately depends on the nature, scope, context and purpose of data processing.
• Purpose limitation – the Commissioner warns that organisations must avoid “function creep” by using data for a purpose beyond that for which it was originally collected. The Commissioner mentions that this applies both when organisations are considering sharing data with external organisations or within an organisation’s business units. The Commissioner argues that specific consent is required where a new purpose is unexpected or would have unjustified adverse impacts on an individual.
• Group vs independent disclosure – here the Commissioner refers to larger platforms that may be able track users across their multiple services, unlike smaller independent market participants. It notes that data protection law does not automatically allow “unfettered processing” and questions whether larger platforms can rely on legitimate interest as a legal basis to share data to the extent that they do. In this vein, the Commissioner recommends that organisations consider what consent requirements exist under PECR if processing involves the use of cookies.
• Privacy as a ‘shield’ – the Commissioner warns that large platforms sometimes use data protection law as an excuse not to share data with authorities or other market participants. Here, the Commissioner directs attention to existing ICO guidance to allow platforms to share data with authorities safely. The Commissioner then makes a passing comment at the competition concerns around the use of data, noting the lack of data sharing by large platforms and potential data access policies being contemplated by the ICO and CMA.

The Commissioner’s expectations

The Commissioner outlines a set of expectations for adtech and recommendations for future development in the market. It is not clear how the Commissioner intends organisations to delineate between these, and they seem to be more reflection points instead of fully fledged red lines.

Principles

The Opinion outlines principles which the Commissioner expects any adtech solution, proposal or initiative to meet in order to align with core principles of data protection:

• Data protection by design should be incorporated during the design phase of any initiative;
• User choice should allow meaningful control and the ability to exercise data subject rights;
• Accountability should exist across the lifecycle of the processing supply chain and include transparent responsibilities for market participants;
• Purposes of data processing should be clearly articulated, necessary and proportionate; and
• Reducing harm by ensuring that privacy risks are addressed (such as through DPIAs).

Recommendations

The Commissioner believes that proposals looking to replace cookies and similar technologist need to “raise the standards of data protection and privacy, and not dilute them”. Again, the Commissioner refers to the value of DPIAs to help organisations achieve this, and states that developers of new solutions “should not replicate or seek to maintain practices that do not comply with the law”.

To aid this, the Commissioner sets out key steps developers can take to address risks prior to deployment:

• demonstrate and explain design choices;
• be fair and transparent about the benefits;
• minimise data collection and further processing;
• protect users and give them meaningful control;
• demonstrate necessity and proportionality;
• consider lawfulness, risk assessments and information rights; and
• mitigate risks of processing special category data.

Bird & Bird analysis

In light of the above, Bird & Bird has picked out key takeaways from the Opinion and the key questions they pose:

• Frustration - the Commissioner is clearly not happy with what the Commissioner perceives as a lack of progress, and the tone is one of frustration. The Commissioner sees various misconceptions shaping the development of what were expected to be pro-privacy solutions and proposals. Further, the Commissioner sees some of these proposals as simply old systems relabelled and repurposed with the same potential harms for individuals.
• Delay – it has been 2 years since the ICO’s published its initial Report, and progress has not been anything like what the ICO would have hoped for back in June 2019. This is not overly surprising given the ICO put the investigation on hold in May 2020 as it had to deal with urgent COVID-related queries, only restarting it in January 2021. Given the initial clout of the Report at publication, the signalled pause on this work to the wider industry and the of lack public-facing follow up this year, seems to have taken some of the wind out of the ICO’s sails. However, the CMA has independently continued its own market study into digital advertising which advanced work in this area and developed into a study on mobile ecosystems and market developments during 2020 and 2021.
• Relevance of the Opinion – given that the current Commissioner is leaving her role, it will be interesting to see how her successor, John Edwards, approaches this investigation and whether he builds on this Opinion. Further to this, there is the added complexity of the Department for Digital, Culture, Media and Sport inquiry into data protection and how this will shape the ICO’s influence over the development of the UK adtech industry.
• Interaction with CMA – the Commissioner’s closing comments on next steps include finding what is almost the ‘Goldilocks’ point for the adtech ecosystem. The tensions involved in finding this point will apply just as much to finding the balance of data protection law and competition law in the development of an adtech service, as it will between the ICO and CMA advancing their own priorities. The delay and lack of action on the ICO’s part, when the CMA has started a formal investigation into Privacy Sandbox and has significant enforcement powers, may encourage providers to take note of any CMA wish list ahead of the Commissioner’s.
• Repackaging comments – the Commissioner repeatedly asks developers not to “repackage” current practices and relabel them as new ones without a shift in the status quo. The creation of a new digital ecosystem that perfectly balances data protection and competition concerns is a tall order without any specific guidance from regulators. New proposals will have to build on the foundations in the ecosystem, which is likely to mean some compromise if the Commissioner wants radical change soon.
• Market realities – as the Opinion notes, the adtech ecosystem was created quickly and not necessarily cultivated with privacy in mind. However, there are risks with missing the commercial drivers here and pursuing a purist view of what adtech should, and should not, be. This tension between ensuring a “vibrant digital economy” and enabling online services to remain “free at the point of use” is acknowledged by the Commissioner.

Next steps

The ICO’s concluding remarks emphasise the importance of maintaining competition across the digital economy, but that this should not be at the expense of privacy. It notes that “privacy positive developments should be sustained and amplified in this context, not eroded in the interests of creating “better” market dynamics”.

The ICO will continue to receive further input from organisations and monitor future developments, in particular it will:

• assess the Google Privacy Sandbox; and
• continue to assess data protection developments in ‘web and mobile ecosystems’ in partnership with CMA.

Please get in contact with Bird & Bird if you would like to better understand the Commissioner’s Opinion and how the ICO and CMA’s ongoing work could impact the adtech ecosystem.