Adtech and real time bidding: ICO prepared to take action

In a recently published blog, the Information Commissioner’s Office (“ICO”) provided an update on its review of the adtech sector and noted that, whilst two key organisations are starting to make changes and many have engaged with the ICO, “some appear to have their heads firmly in the sand.” This follows the ICO’s report, published in June 2019, identifying a number of concerns in the adtech sector and particularly in relation to ‘real time bidding’ (“RTB”).¹ The ICO gave the industry six months to work on the issues raised and continued to engage with relevant stakeholders. It now anticipates that it will need to take formal regulatory action in some instances. The underlying message is simple: engage and make changes or be prepared to face the ICO’s regulatory powers. Given the strong criticisms identified in the ICO report and blog, one can expect that the ICO will be prepared to levy substantial fines when it comes to GDPR² contraventions.

What are adtech and RTB?

In essence, adtech describes the tools used to analyse and manage information for online advertising campaigns.³

The RTB process involves a website publisher auctioning an advertising space on its webpage which is being viewed by a user and an advertiser buys the space with the specific aim of reaching people like that user. The process can involve many players and happens in milliseconds. In order for the potential advertiser to assess which users they wish to target, they need access to information about the specific user. That information can range from basic information, such as the device being used to access the webpage, to very detailed information, including websites visited, perceived interests and search history.

Issues under both PECR⁴ and GDPR are raised in respect of adtech. The use of cookies (and similar technologies) is regulated under PECR, whilst the information collected from cookies could constitute personal data which is regulated under GDPR.

What are the ICO’s concerns?

Consent

One of the ICO’s main concerns is the lack of clarity regarding consent (required under PECR) and an appropriate lawful basis for processing of personal data (required under GDPR). Under PECR, an organisation must obtain consent to set all cookies except those that are “strictly necessary.” Post-GDPR, that consent must be to the GDPR standard; that is, it must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or clear affirmative action. The ICO made this clear in its cookies guidance of last year.⁵

However, many organisations still do not properly request consent. Even a quick cursory browse of various websites shows that the vast majority still display the “By continuing to use this website you consent to our use of cookies” banner or the like. The ICO has made it quite clear that it does not consider this type of ‘implicit consent’ as being valid. Instead, the user must actively opt-in to the cookies and be given transparent information about them.

On the GDPR side, the ICO notes that many typically rely on ‘legitimate interests’ as their lawful basis for the processing of any personal data collected via the cookie. The ICO criticised the approach of viewing legitimate interests as the easy ‘catch-all’ option and reiterated that the legitimate interests lawful basis requires a balancing exercise to which proper and thorough thought must be applied. The ICO’s view is that the nature of processing within RTB makes it impossible to meet the legitimate interests requirements.

As outlined in its cookies guidance, the ICO says that, if consent is required for the cookie, in practice consent is also the most appropriate lawful basis for the processing of personal data under the GDPR. This is because trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would “be an entirely unnecessary exercise, and would cause confusion for your users.”

Organisations therefore need to look at how they are collecting cookie consent and ensure that consents they collect address both the setting of the cookie and the processing of the personal data involved.

Special categories of data

The ICO was also particularly concerned about the use of special categories of data within the RTB process. It is possible that a bid request would include information regarding a user’s political views, religion, ethnicity, mental health and physical health, for example. For the processing of such types of data in the adtech context, the user must give explicit consent (as no other lawful basis would be appropriate).

Given the obvious sensitivities of such special categories of data, organisations should carefully review whether any such data is collected, processed and shared and consider the impacts of removing this data from the process.

Transparency

Transparency is also a key issue. It can be a difficult task in any privacy notice to balance providing sufficient information to the user to satisfy the right to be informed, whilst ensuring that information is clear, concise and easy to understand. In particular, in the context of adtech the number of different players and complex nature of the system renders it almost impossible to provide the information required, in a lot of cases simply due to not having nor being able to obtain said information. Further difficulties arise in respect of recipients where the nature of RTB means that the first party has no means of determining with which third parties the data will be shared. In such a case, there may be either no information provided, or a long list of organisations with whom information ‘might’ be shared.

The crucial point here is that many individuals are not aware that the processing for adtech takes place and are either not told, or are not clearly informed.

Industry engagement will be required to work on a solution to this, so it will be difficult for many organisations to give the requisite information at this point. In the meantime it is suggested that organisations review the information that they can give and ensure it is as clear as possible.

Multiple parties

The nature of the RTB auction process also means that multiple parties receive information about a user when actually only one will ‘win’ the bid. There is then no guarantee of how the other parties will process that data. In that regard, contractual controls can only do so much. The ICO was critical of solely relying on the contractual controls approach and suggested that this should be backed up by appropriate monitoring and ensuring technical and organisational controls are in place.

Data Protection Impact Assessments

One of the ICO’s other major concerns was the lack of Data Protection Impact Assessments (“DPIAs”) being undertaken. DPIAs are mandatory in certain circumstances and the ICO has published a list of examples for when a DPIA should be undertaken. RTB matches a number of examples on that list. However, the ICO stated that it has “seen no evidence to date that the DPIA requirements are fully recognised by all participants in RTB.”

Organisations should therefore review the ICO’s guidance on DPIAs and consider whether they need to undertake such assessments.

What action can we take?

Given the ICO’s stance, it would be sensible for those involved in the industry to take whatever steps they can, and document such steps, to be as compliant as possible. Whilst wholesale engagement and change will be needed in respect of the overall workings of the sector, there are some steps that organisations can take even at this stage:

• Undertake a cookie audit and identify personal data being processed;
• Check cookie consent collections;
• Review lawful basis for processing of personal data;
• Review information given to users and consider changes that can be made;
• Review contracts and partners and consider what monitoring or audit steps can be undertaken;
• Consider undertaking Data Protection Impact Assessments.