The UK Information Commissioner’s Office (ICO) has issued an update report on adtech and real time bidding (RTB). The regulator has identified several areas as needing improvement, and sees this as just the start of its engagement with the adtech sector on the data protection implications of the RTB system. Here is our view on what businesses can do now to prepare for the changes ahead.
The ICO has issued its 25-page Update report on adtech and real time bidding. This is the culmination of a fact-finding event hosted by the ICO, its engagement with different stakeholders in the adtech industry, industry research, and concerns received from consumers.
What is RTB and what data protection risks are involved?
RTB is a type of online advertising (and a form of programmatic advertising) that uses adtech to enable advertising inventory to be bought and sold in real time on an impression-by-impression basis, generally involving auction pricing. The ICO report focuses on the use of RTB on publishers’ websites or via publishers’ apps through public auctions.
The General Data Protection Regulation (GDPR) governs those aspects of the process that involve personal data processing, including requiring compliance with the data protection principles, data protection by design and default and carrying out data protection impact assessments (DPIAs) for high risk processing.
As digital advertising is powered by cookies or similar tracking technologies, the Privacy and Electronic Communications Regulations (PECR) also apply. PECR requires organisations to provide clear and complete information about the purposes of any cookie that stores information (or accesses data stored) on user devices, and obtain prior consent (to the GDPR standard).
The ICO has identified a number of risks involved in RTB from a data protection perspective, including:
- profiling and automated decision-making;
- large-scale processing (including of special categories of data);
- use of innovative technologies;
- combining and matching data from multiple sources (with ‘data matching’ or ‘enrichment’ common in RTB);
- tracking of geolocation and/or behaviour; and
- invisible processing.
Many of these risk factors identified by the ICO will trigger the requirement to carry out a mandatory DPIA.
In addition, the ICO has raised concerns about:
- the large number of organisations with which personal data is shared as part of the RTB process – as controllers, joint controllers or processors; and
- how many individuals do not really understand how those organisations process their personal data.
What is the ICO focusing on?
The two areas the ICO has decided to prioritise at this stage are:
- transparency and consent, and in particular the implications for processing of special category data (which requires “explicit consent”), and
- the data supply chain, and specifically the issues caused by relying solely on contracts for data sharing.
What is the ICO planning to do next?
The UK Information Commissioner, Elizabeth Denham, has said:
“We want to take a measured and iterative approach, before undertaking a further industry review in six months’ time… With that in mind, we’ll continue engaging with the sector, further exploring the data protection implications of the real time bidding system. We’ll continue collaborating with Data Protection Authorities in other European countries too, who are also looking at complaints in this area.”
What should businesses relying on RTB do now?
Based on the areas identified by the ICO in the report as priority areas, we recommend that businesses involved in RTB focus on the following:
- DPIAs - Carry out a DPIA if this has not been done already, or revisit your existing DPIA to ensure that it remains current and comprehensive.
Pay particular attention to addressing how the risk factors identified above can be mitigated.
- Special category data - Consider if the use of special category data in RTB can be limited or excluded (in the absence of a viable solution for obtaining explicit consent).
There may be valid reasons to process sensitive data in order to exclude advertising of specific products or services to certain vulnerable groups of people or to ensure advertisers’ ads do not appear on unsuitable websites. However, the hurdle of needing users’ explicit consent to use special category data for RTB will still need to be overcome for advertisers to be able to do this compliantly. (See ‘Legal bases for processing’.)
- Transparency - Ensure that privacy notices contain clear and comprehensive information about how people’s personal data is used in this context (including about profiling).
The fact that the complexity of the RTB process makes this a challenge does not excuse businesses from meeting this requirement. It simply means that businesses may need to consider more novel ways of getting this information across so it is easily understandable by consumers.
- Legal bases for processing - Review the legal bases for processing that your business relies on under the GDPR and the PECR rules.
Be aware that the specific cookies rules under PECR take precedence over GDPR – therefore, even if legitimate interests can be relied on under GDPR, cookies consent is still required under PECR. The ICO says that, in practice, this means that consent is also the most appropriate legal basis under the GDPR, and the opportunities to use legitimate interests are limited.
Initiatives are currently underway for industry-wide frameworks to manage transparency and consent within the adtech ecosystem (e.g., the IAB Europe-led Transparency and Consent Framework (TCF)). The ICO considers further work is needed before the TCF and Google’s Authorized Buyers frameworks will be compliant as regards transparency and fair processing (for consent to be freely given and informed), and also to meet the stricter explicit consent requirements (for special category data processing).
It appears that the ICO might have based its report on the previous version of the TCF rather than the updated TCF v2.0. If so, the compliance gap may not be as vast as it is portrayed in the report, at least as regards transparency and consent. It is important that key stakeholders remain engaged with this process to ensure that any industry-wide initiative is both fit for purpose and addresses the regulator’s concerns.
- Profiling - Be careful to ensure that profiles created do not involve processing that is disproportionate, intrusive and unfair in the context of the processing of personal data to deliver targeted advertising.
(Related to ‘Data minimisation’ below) Particular care should be taken to ensure that profiles built using ‘enrichment’ from multiple data sources or ‘data matching’ are not intrusive. Also, privacy notices should make users aware that profiling is taking place and clearly inform them what is happening.
- Data minimisation / anonymisation - Consider options for minimising the amount of personal data that is included in bid requests.
The ICO is concerned that excessive personal data is collected as part of the bid process (and then shared with too many parties). Using non-personal data would get around the issues of complying with the GDPR (which only applies to personal data), but businesses could derive less value from this.
The ICO also has plans to further consult with IAB Europe and Google about the detailed schema they use in their frameworks to identify whether specific data fields are excessive and intrusive, and possibly agree (or mandate) revised schema. Businesses should therefore pre-empt this by analysing the minimum amount of personal data that is reasonably required to fulfil the intended advertising outcome and look to work within these parameters.
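As an added illustration of the “work within these parameters” recommendation (this is example code, not from the ICO report or any exchange), the following Python builds a minimised copy of a bid request before it is fanned out to bidders, and records which special-category segments were stripped for the DPIA. The bid request, the field allowlist and the `seg-health`/`seg-religion` segment-prefix convention are all constructed assumptions; a real deployment would map its own schema and taxonomy.

```python
import copy

# Constructed sample bid request (not taken from any real exchange or
# framework), shaped like the JSON an exchange fans out to many bidders.
SAMPLE_BID_REQUEST = {
    "id": "req-001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
    "site": {"domain": "publisher.example", "page": "https://publisher.example/news/42"},
    "device": {
        "ua": "Mozilla/5.0 (constructed UA string)",
        "ip": "203.0.113.45",
        "geo": {"lat": 51.50735, "lon": -0.12776, "country": "GBR"},
    },
    "user": {
        "id": "user-7f3a",
        "buyeruid": "dsp-sync-991",
        "data": [{"name": "enrichment-vendor",
                  "segment": [{"id": "seg-health-diabetes"}, {"id": "seg-autos"}]}],
    },
}

# Hypothetical convention: the enrichment vendor prefixes segment ids that
# reveal special-category data. A real deployment maps its own taxonomy here.
SPECIAL_CATEGORY_PREFIXES = ("seg-health", "seg-religion", "seg-politics",
                             "seg-sexuality", "seg-ethnicity")

def special_category_segments(req):
    """Ids of segments that minimisation will strip; keep as a DPIA/audit record."""
    return [seg["id"] for d in req.get("user", {}).get("data", [])
            for seg in d.get("segment", [])
            if seg["id"].startswith(SPECIAL_CATEGORY_PREFIXES)]

def minimise_bid_request(req):
    """Reduced copy for onward sharing: no user ids, no raw IP, no page URL, geo
    coarsened to country, special-category segments removed; input unchanged."""
    out = {
        "id": req["id"],
        "imp": copy.deepcopy(req["imp"]),           # the ad slot is needed to bid
        "site": {"domain": req["site"]["domain"]},  # domain only, not the page URL
        "device": {
            "ua": req["device"]["ua"],
            "geo": {"country": req["device"].get("geo", {}).get("country")},
        },
    }
    kept = [copy.deepcopy(seg) for d in req.get("user", {}).get("data", [])
            for seg in d.get("segment", [])
            if not seg["id"].startswith(SPECIAL_CATEGORY_PREFIXES)]
    if kept:
        out["user"] = {"data": [{"segment": kept}]}
    return out
```

The allowlist approach (copy only named fields into a fresh object) is deliberate: a blocklist that deletes known-bad keys silently passes through any new field a vendor adds to the schema.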
- ‘Data leakage’, security and retention – Implement technical solutions, rather than just relying on policies and contractual terms.
The ICO raised concerns that the way processing works in RTB creates a risk of ‘data leakage’, whereby data is either unintentionally shared or used in unintended ways. Multiple parties receive information about a user (including very detailed profiles), but only one bidder will ‘win’ the auction to serve that user an ad. According to the ICO, this all happens without the individual’s knowledge.
The ICO notes that organisations rely on standard terms and conditions (or policies) between themselves, but has criticised this as insufficient to meet the GDPR requirements. Businesses should therefore ensure that these are backed up with appropriate monitoring and technical and organisational controls, including regarding:
- retention / deletion of bid data by unsuccessful bidders; and
- security, including measures to secure data in transit and at rest, and to ensure the GDPR’s international transfers requirements are met where bid data is sent outside the EEA.
A consistent industry approach is needed but, until then, businesses should look to implement their own best practice standards internally and require the same from the parties that they deal with.
- Governance – Ensure your business has good data governance and accountability.
Ensure that your business understands, documents and can demonstrate:
- how its processing operations work;
- what it does;
- third parties that it shares any data with; and
- how it can enable individuals to exercise their rights.
Given the clear warnings given by the ICO, businesses should “watch this space” very carefully and ensure that they make appropriate forward-thinking adjustments to address the regulator’s stated concerns and priorities.