ICO: Update Report into Ad Tech and RTB
18 September 2019
On 20 June 2019 the UK’s data protection regulator issued a progress report setting out her initial concerns about the use of personal data in the ad tech sector – which she describes as “immature in its understanding of data protection requirements” – in particular when it comes to real time bidding (RTB).
Whilst the report does not have the status of guidance and is not legally binding, it does indicate where the Commissioner expects to see change and the timescales. It comes after months of research and stakeholder engagement by the ICO (including at its recent Fact Finding Forum), as well as concerns raised by individuals.
The report forms part of what the Commissioner describes as a “measured and iterative approach”, where her Office can act “decisively and transparently” but at the same time observe the market’s response and provide for a period of adjustment. After all, the Commissioner acknowledges the complexities and economic significance of the online advertising ecosystem, but she is equally clear that “the rules that protect people’s personal data must be followed.”
The ICO’s concerns
In summary, at this stage the Commissioner’s concerns are that:
1. Participants do not understand the role of the Privacy and Electronic Communications Regulations (PECR) and how it impacts on lawful basis. She reminds us that PECR takes precedence over the GDPR when using cookies or similar technologies which store or access information stored on user devices; and that PECR requires prior consent when placing and reading a cookie (albeit to the GDPR standard of consent). In the Commissioner’s view, no exemptions to this PECR requirement for consent apply in the context of online advertising. So where ‘legitimate interests’ is relied on to place / read a cookie instead of obtaining the consent required by PECR, that processing of personal data is unlawful.
2. Even if it were possible for ‘legitimate interests’ to be relied on for processing personal data beyond setting cookies, in the Commissioner’s view consent is “most appropriate” as an Article 6 lawful basis given the risk of confusion for individuals and possible unfairness (e.g. if consent is withdrawn but processing continues based on ‘legitimate interests’). The Commissioner is also concerned that participants do not fully understand what ‘legitimate interests’ requires (i.e. it involves taking on additional responsibility for the processing by means of a ‘legitimate interests assessment’ and implementing appropriate safeguards) as some have seen it as the easy option.
3. Special category data (which carry an even greater risk and therefore need more protection) are being processed without an Article 9 condition, as fields in bid requests which relate to politics, religion, ethnicity, mental / physical health and the like are being used for segmentation and targeting. The Commissioner is clear that the only applicable Article 9 condition is ‘explicit consent’ (i.e. no other Article 9 condition can be relied on).
4. Information provided to individuals lacks clarity, including when it comes to identifying who data will be shared with and even how the RTB protocols work when it comes to processing personal data. Whilst the Commissioner acknowledges that the provision of information in the online environment can be challenging, she is concerned that very detailed user profiles are being created, widely shared and repeatedly augmented with information about the online activities of those users. Her view is that this is “disproportionate, intrusive and unfair” – especially given limited user awareness about what is happening.
5. The scale of data sharing in the data supply chain, where one bid request can result in personal data being processed by hundreds of organisations – including those not on a vendor list or which are outside of the EEA – means that there’s a risk that personal data do not remain subject to appropriate protections and controls in relation to, for example, security and retention. On contractual controls, the Commissioner is clear that a contract-only approach is not sufficient: it needs to be backed up by due diligence on an ongoing basis.
6. There is a lack of understanding about when data protection impact assessments (DPIAs) are required, despite the presence of criteria which make them mandatory, both under the GDPR and the ICO’s own list of processing operations which it considers are likely to result in a ‘high risk’ to individuals. As a result, the Commissioner has little confidence that the risks associated with RTB are being fully assessed or mitigated.
RTB is not the only aspect of ad tech the Commissioner is looking into, and her concerns are not limited to those mentioned in the report. However, by focusing on RTB (and the IAB and Google protocols in particular) she is anticipating that there will be a transformational effect on online advertising practices more widely.
The Commissioner has prioritised two of the above areas of concern for further analysis and exploration: (a) processing special category data without explicit consent; and (b) the complexity of the data supply chain.
Next steps to enhance her Office’s understanding involve targeted information-gathering activities (especially around the profiling aspects of the data supply chain, controls in place and DPIAs undertaken), continued engagement with key stakeholders (including a further fact-finding forum in the autumn), cooperation with other data protection authorities, and a possible industry sweep in six months’ time.
Meanwhile, the Commissioner expects ad tech data controllers to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem.”