ICO Opinion: Data protection and privacy expectations for online advertising proposals
10 December 2021
On 25 November 2021 the ICO issued an Opinion on its expectations for online advertising, its latest update to its thematic review of the adtech industry which commenced in 2019. The latest Opinion builds on concerns initially identified by the ICO in 2019 and sets out the privacy standards that the ICO expects adtech vendors to meet when developing new products so that people’s online privacy is safeguarded.
Adherence to the principle of data protection by design and default has never been more important for adtech, as the industry looks to grapple with privacy challenges faced by existing technologies, such as third-party cookies, which are being decommissioned in favour of new technologies. Here we look at some of the key takeaways from the latest Opinion.
Responsibility for compliance
Compliance with the principles of the UK GDPR rests with the controller (and to a lesser extent processors). The ICO recognises that the role of some adtech vendors may be unclear and that vendors may be neither controllers nor processors (and therefore that such vendors are not directly responsible for ensuring that their products comply with data protection law). Here the ICO gives the example of “a producer of products, services or applications that process personal data but do not either take specific decisions about such processing (as a controller does) or undertake that processing on behalf of another (as a processor does)”. This would likely include technologies that are used to collect user consents – so-called consent management platforms or CMPs – and CRM technologies where data is hosted on the relevant controller’s servers.
However, as a matter of good practice the ICO points out that recital 78 of the UK GDPR says that vendors should be encouraged to “take the right to data protection into account during design and development... to ensure that organisations using the products can meet their obligations”.
Therefore, adtech vendors should, when developing new products, even if they are neither controllers nor processors, look to undertake Data Protection Impact Assessments (DPIAs) to ensure that from the outset products meet the requirements of data protection law. While it will be for the customer of the product, as controller, to satisfy themselves that the product is compliant, such product DPIAs are a useful tool for the sales team to have in their armoury, so that they can assist potential customers in understanding that products are privacy-friendly and proactively assist customers with due diligence.
IAB Transparency & Consent Framework (TCF)
In 2019 the ICO gave its initial view of the IAB Europe’s TCF, the most widely adopted initiative aimed at tackling the inherent challenges faced by adtech vendors in informing people of, and obtaining consent for, their use of tracking technologies and personal data processing. The ICO noted that they have not seen “compelling evidence” that IAB TCF (or other industry initiatives) sufficiently address the ICO’s concerns, including transparency, fair processing and free and informed consent.
Since 2019 there have been further iterations of IAB TCF that have sought to improve the framework. However, the ICO says that these iterations have not significantly addressed the issues raised. In particular, the ICO notes that IAB TCF permits reliance on legitimate interests in respect of certain non-essential cookie use (and data processing activities). These statements are a further blow for IAB TCF, which is also facing challenges in Belgium.
It remains to be seen how the IAB TCF will respond, although to overcome these challenges it seems inevitable that processing based on legitimate interests will need to be eliminated or at the very least significantly reduced. The legitimate interest challenge is also evident in the ongoing e-Privacy Regulation debate. Different EU Member States have polar opposite views and, while the draft text of the e-Privacy Regulation is the subject of trilogue negotiations with the European Parliament, we have seen very little progress on resolving the legitimate interest issue - and many more issues besides.
Offer meaningful choice for tracking and profiling
The diminishing role of legitimate interests is not confined to IAB TCF. The ICO makes clear in this Opinion that it expects any proposal aimed at allowing individuals to express their preferences to offer meaningful choice. Users must be provided with the opportunity to decide not to be tracked or profiled. Online tracking can take place, but only where the purposes are legitimate, individuals are made aware of the processing, given meaningful control and can exercise their rights.
As noted above, the ICO expects genuine choice to be offered in respect of tracking. ‘Tracking’ is not defined by data protection legislation, although certain players in the industry have sought to formulate their own definition of tracking. The ICO has now provided its own description of tracking, saying that “online tracking is a term that describes or refers to different processing activities, undertaken by different means, for different purposes… online tracking can therefore be considered as processing activities involving the monitoring of individuals’ actions, especially over a period of time (including the behaviour, location or movements of individuals and their devices), in particular to build profiles about them; take actions or decisions concerning them; offer goods and services to them; evaluate the effectiveness of services they use; and analyse or predict their personal preferences, behaviours and attitudes”.
Given that some of the language (underlined above for emphasis) used by the ICO in this description is the same language that’s used in the definition of ‘profiling’ set out in Article 4 of the UK GDPR, it seems that ‘online tracking’ may be regarded as any profiling activities that are undertaken through the use of adtech. The ICO’s description casts the net wide and, given that the ICO says genuine choice needs to be provided in respect of any tracking, goes further than many would like – for example “evaluation of the effectiveness of services they use” arguably captures ad measurement processing which many may feel goes too far.
As noted above, many of the issues identified by the ICO in this Opinion have already been identified by the ICO in its 2019 report. The ICO says that it continues to see evidence of these issues and sets out a list of “real world consequences” and harms that these issues produce, including a loss of control, a lack of awareness through invisible processing, an inability to exercise rights, and manipulation and influence over people’s behaviour, preferences and attitudes.
The ICO expects these issues to be remedied and harms to be mitigated. Indicating that the ICO may regard existing proposals as merely 'papering over the cracks', the ICO cautions that “proposals that essentially repackage the fundamental issues highlighted in the 2019 report do not fit with the Commissioner’s expectations”. It is clear that organisations will need to do more to offer choice (obtain consents where appropriate or opt-outs where relying on legitimate interests) and to bring processing activities – particularly online tracking – to users’ attention, and DPIAs (by all, including the publishers on the sell-side, the advertisers on the buy-side and the adtech vendors in the middle) will be key to demonstrating to the ICO – and other organisations in the adtech ecosystem – that products are built from the ground up with data privacy and individual rights at the forefront.