UK Adtech receives new guidance to address the privacy challenges of Real Time Bidding in programmatic advertising

United Kingdom

On 12 May 2020, the Data & Marketing Association (DMA) and the Incorporated Society of British Advertisers (ISBA), in consultation with the UK Information Commissioner’s Office (ICO), jointly published “The Seven-Step Ad Tech Guide” (the Adtech Guide, available here) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising. The practical step-by-step guide is designed to highlight and address the privacy concerns raised by the ICO in its investigation into RTB and the Adtech industry (a summary of the ICO’s work on Adtech is available here) and seeks specifically to ensure that UK organisations involved in the programmatic delivery of digital advertising adhere to the legal requirements of the GDPR and the UK Privacy and Electronic Communications Regulations (PECR).

If you are interested in reading an introduction to Adtech, RTB and the privacy concerns raised by the ICO in its June 2019 update report of the investigation into Adtech and RTB, see our Law-Now on this topic (available here).

The DMA and ISBA are hosting a webinar “Digital Advertising Guidance” on 26 May 2020 to introduce and discuss the Adtech Guide with a panel of industry figures and a representative of the ICO as part of its launch. See the DMA’s website (link here) for details on how to join.

The Seven Steps

To ensure organisations adhere to the legal requirements of the GDPR and PECR and address the privacy concerns raised by the ICO in its investigation into RTB and the Adtech industry, the DMA and ISBA suggest organisations follow seven steps (these steps are summarised in turn below).

The Adtech Guide is designed to be practical and easy to use and contains various useful reference materials, including:

  1. detailed glossaries for cookies and Adtech terms;
  1. cookie notice / information requirements;
  1. conditions for consent; and
  1. Adtech supplier due diligence and audit checklists with specific questions focused on the processing of personal data relevant to Adtech platforms.

Step 1 – Education and Understanding

From the DMA and ISBA’s perspective (in consultation with the ICO), Step 1 involves demystifying and improving understanding of the complex ecosystem of the Adtech industry, the various types of suppliers that operate in it (including sell side platforms, demand side platforms, Data Management Platforms (DMP) and Consent Management Platforms (CMP)), cookies and legal obligations under the GDPR and PECR. 

This section of the Adtech Guide provides a detailed description of the Adtech ecosystem, the process of programmatic digital advertising and its various components from a technical perspective, and an overview of the financial profile of programmatic advertising and RTB in the UK (absent the impact of Covid-19). It also introduces cookies, the consent and other legal requirements for cookies under the GDPR and PECR, the mandatory information for cookie notices and cookie governance best practice. In particular, the DMA and ISBA recommend that organisations carry out cookie scans and cookie audits, implement cookie scanning and management software, and engage a CMP, ideally one which has been verified under IAB Europe’s CMP Compliance Programme.
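In practice, the cookie scan and audit the Guide recommends produce an inventory of which cookies a page sets, from which host, for how long and for what declared purpose, so that the cookie notice and consent scope can be checked against what actually happens in the browser. The following Python script is an added illustration of that inventory step and is not code from the Adtech Guide or the DMA/ISBA. It parses Set-Cookie headers from a constructed sample capture, classifies each cookie as first- or third-party relative to the audited site (using the browser’s domain-match rule), computes its lifetime and looks up its purpose in a hypothetical cookie register, then lists the cookies a consent and retention review should examine first. The site, hosts, cookie names, register entries and the 365-day threshold are all assumptions made for the example.

```python
"""Cookie inventory for a cookie audit (added illustration, not code from the
DMA/ISBA Adtech Guide). Input: Set-Cookie header lines captured while loading
the audited site, each paired with the host that sent it. Output: one record
per cookie plus the cookies a consent and retention review should look at
first. The sample capture and register below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

LONG_LIVED_DAYS = 365  # assumed review threshold, not a figure from the Guide


@dataclass
class CookieRecord:
    name: str
    set_by: str           # host that sent the Set-Cookie header
    domain: str           # effective domain: Domain attribute, else set_by
    party: str            # "first" or "third" relative to the audited site
    lifetime_days: float  # 0.0 for a session cookie
    purpose: str          # from the cookie register, or "unknown"


def domain_matches(host, domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(set_by, header, site_host, register, now):
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", set_by).lstrip(".").lower()
    # Max-Age takes precedence over Expires (RFC 6265 s5.3); neither -> session.
    if "max-age" in attrs:
        lifetime = max(int(attrs["max-age"]), 0) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = max((expires - now).total_seconds(), 0) / 86400
    else:
        lifetime = 0.0
    return CookieRecord(
        name=name, set_by=set_by.lower(), domain=domain,
        party="first" if domain_matches(site_host, domain) else "third",
        lifetime_days=lifetime, purpose=register.get(name, "unknown"))


def build_inventory(site_url, capture, register, now):
    site_host = urlsplit(site_url).hostname.lower()
    return [parse_set_cookie(host, hdr, site_host, register, now)
            for host, hdr in capture]


def review_findings(records):
    """Map cookie name -> reasons it needs attention in the consent review."""
    findings = {}
    for r in records:
        reasons = []
        if r.party == "third" and r.lifetime_days > 0:
            reasons.append("persistent third-party cookie: confirm consent "
                           "signal and supplier due diligence")
        if r.lifetime_days > LONG_LIVED_DAYS:
            reasons.append(f"lifetime {r.lifetime_days:.0f} days exceeds "
                           f"{LONG_LIVED_DAYS}: justify the retention period")
        if r.purpose == "unknown":
            reasons.append("not in cookie register: cannot be described in "
                           "the cookie notice")
        if reasons:
            findings[r.name] = reasons
    return findings


# Constructed sample: (responding host, Set-Cookie header) from one page load.
SITE = "https://www.example-publisher.co.uk/"
AUDIT_TIME = datetime(2020, 5, 12, tzinfo=timezone.utc)
CAPTURE = [
    ("www.example-publisher.co.uk",
     "sessionid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example-publisher.co.uk",
     "prefs=dark; Domain=.example-publisher.co.uk; Max-Age=2592000; SameSite=Lax"),
    ("www.example-publisher.co.uk",
     "euconsent-v2=CPxyzz; Path=/; Max-Age=31536000; Secure; SameSite=Lax"),
    ("ads.example-ssp.com",
     "uid=9f3c1e; Domain=.example-ssp.com; "
     "Expires=Fri, 12 May 2023 00:00:00 GMT; Secure; SameSite=None"),
    ("sync.example-dmp.io",
     "dmp_id=77aa; Max-Age=7776000; Secure; SameSite=None"),
]
# Hypothetical cookie register: cookie name -> purpose shown in the notice.
REGISTER = {
    "sessionid": "strictly necessary (login session)",
    "prefs": "functional (display preferences)",
    "euconsent-v2": "consent record (TCF string)",
    "dmp_id": "audience profiling (third-party DMP)",
}

if __name__ == "__main__":
    inventory = build_inventory(SITE, CAPTURE, REGISTER, AUDIT_TIME)
    for rec in inventory:
        print(f"{rec.name:13} {rec.party:5} {rec.domain:28} "
              f"{rec.lifetime_days:6.0f}d  {rec.purpose}")
    for name, reasons in review_findings(inventory).items():
        print(f"\nREVIEW {name}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed capture, the session and preference cookies pass, the consent-record cookie is first-party and within the threshold, while the SSP `uid` cookie is flagged three times (persistent third-party, lifetime over the threshold, absent from the register) and the DMP cookie once. A real scan would feed in cookies observed by a browser or proxy rather than a fixed list, and a first-party domain check should use the Public Suffix List rather than the plain domain-match shown here when the site is hosted under a shared suffix.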

The DMA and ISBA consider the accountability principle under the GDPR and suggest that for the Adtech industry to demonstrate compliance, organisations should have in place the following technical and organisational measures:

  1. taking a “data protection by design and default” approach – measures to address data protection risks must be in place throughout the lifecycle of the processing, not just at the beginning;
  1. written contracts with their data processors;
  1. maintaining records of processing;
  1. implementing appropriate security measures;
  1. carrying out data protection impact assessments (DPIAs);
  1. adhering to codes of conduct and signing up to certification schemes (where possible); and
  1. major advertisers should consider creating a cross-functional data governance group. The group’s development and oversight of a programme to achieve accountability should be linked to a compliance dashboard which evaluates achievement against this goal and is kept up to date.

This section also includes a list of training providers for programmatic advertising and data protection training.

Step 2 – How to Use Special Category Data

The ICO has raised concerns that special category data is currently being processed unlawfully in the Adtech sector because explicit consent is not being obtained. To the extent any programmatic advertising activity involves special category data, Step 2 explains the high-risk nature of this personal data, suggests marketers consider whether they really need to use any special category data at all for their activity and sets out the legal requirements for obtaining explicit consent.

To tackle what the ICO considers a widespread concern, Step 2 states that, in general, any processing of special category data in the Adtech ecosystem is high risk under the GDPR and a DPIA should be conducted before any processing takes place. In addition, Adtech organisations need to demonstrate that they have obtained the data subject’s explicit consent (a higher standard under the GDPR; implied consent is not valid) to the specific processing of the specific special category data concerned. Explicit consent is therefore required for every stage of the proposed processing (from the data capture phase through to the profiling stage that creates customer segments), and any special category data which has been inadvertently captured must be explicitly excluded from processing.

We consider this a particularly crucial area for the Adtech industry to navigate with care, given the greater protections the GDPR requires for special category data because of its sensitive nature, and the potential for stronger regulatory action in response to its unlawful processing.

Step 3 – Understanding the Data Journey

Step 3 provides that organisations must develop a record of processing activities (as required under the GDPR) and details the mandatory information the record must contain, including data transfers to third countries, data retention policies and data processing purposes, as well as the information recommended to be included. The DMA and ISBA recommend use of the publisher-specific record of processing template created by the Association of Online Publishers (available here).

This section explores the difference between first party data (data an advertiser captures directly from its customers) and third party data (data an advertiser acquires regarding customers without a direct relationship with them) and how typically DMPs and other data aggregators process and amalgamate browsing habits of individuals across websites to create audience profiles and segments for advertisers. This section highlights the data protection concerns over the difficulty of tracing the provenance of such third party data and the necessary scope of consent obtained from data subjects by these third parties for the specific processing concerned, particularly following the introduction of the GDPR and the requirement to collect GDPR-level consent for making use of cookies.

The section also provides details of IAB Europe’s Transparency and Consent Framework (TCF), including information on a new iteration of IAB UK’s Gold Standard which will launch later in 2020 and acknowledges IAB UK’s commitment to continue to develop the TCF and collaborate with the ICO and other European data protection authorities (announcement available here). TCF has been designed to standardise the provision of information notices about the scope of personal data processing, and the transmission of ‘signals’ about user choices and transparency related to data processing, which will allow the digital advertising supply chain to function in a GDPR-compliant way.

The DMA and ISBA detail various platforms, browsers and products offered by advertising partners and suppliers relevant to capturing and managing personal data derived from cookies, but advise that a DPIA be conducted before embarking on an Adtech project using such products.

Step 4 – Conduct a DPIA

The ICO noted that use of DPIAs was limited in the Adtech industry, that the DPIAs it had reviewed in the industry were inadequate and that organisations involved in Adtech should be conducting DPIAs for their data processing activities (which in most cases pass the ‘high-risk’ threshold, triggering the requirement for a DPIA under the GDPR). As such, and as a matter of best practice, Step 4 provides that Adtech organisations should conduct a DPIA in advance of any relevant processing (advertisers should of course also adhere to the DPIA requirements concerning special category data discussed at Step 2 above).

This section provides detailed information on how to conduct DPIAs, DPIA guidance and templates developed for all UK organisations by the ICO and DPIA guidance and templates developed specifically for publishers by the Association of Online Publishers.

Advertisers should note in particular the recommendation that organisations have a change control mechanism in place so that, when implementing changes involving the processing of personal data, any risks identified in the DPIA are properly mitigated. Regular reports should be produced on the latest status of identified risks (categorised as red, amber or green according to importance / urgency), together with a list of remediation actions (split by function, system and third-party processor) for discussion at governance meetings. A Project or Programme Manager should be appointed to oversee and facilitate the change control process from a data protection and DPIA perspective.

Step 5 – Audit the Supply Chain

The ICO has highlighted that Adtech organisations cannot rely on contracts in the supply chain to provide assurance around the use of personal data, that a contractual audit paper trail supporting the authorisation of use is not sufficient to justify many personal data use cases in Adtech, and that much of the personal data used within digital advertising is not audited or investigated in any meaningful manner. The DMA and ISBA specifically urge caution for any organisation that loses sight of the personal data or relies on another organisation’s warranty about the scope of the consent attached to personal data.

Therefore, Step 5 states that organisations should conduct due diligence on supplier contracts during negotiations and conduct periodic audits of Adtech suppliers from a data protection perspective in order for organisations to seek the necessary level of assurance regarding their Adtech suppliers’ compliance with data protection laws.

This section includes checklists of suggested initial questions to ask suppliers when performing due diligence and audits, provides guidance on the frequency of audits across suppliers and states that, in the absence at present of an ICO-approved data protection certification scheme for demonstrating compliance with the GDPR, it would be best practice for Adtech organisations to align with ISO/IEC 27701, which extends ISO/IEC 27001 and 27002 into privacy information management, as a proxy for an approved scheme.

Step 6 – Assess Advertising Effectiveness

The ICO has raised concerns over the significant amount of personal data that is collected in the Adtech ecosystem and queried whether it is necessary to use all the personal data collected for the processing activities involved in, and to achieve the outcomes of, programmatic advertising. Step 6 provides that organisations should measure and model advertising and marketing effectiveness to understand the benefits, risks and returns of their processing activities and better inform their requirements for personal data when buying or selling advertising and targeting audiences.

This section details various techniques and resources available for measuring programmatic advertising activities. Organisations should note in particular the DMA and ISBA’s warning that they will need to adapt and adjust their measurement tools in future, as legislative and industry changes will mean that certain types of measurement data which are currently available will become unavailable over time.

Step 7 – Alternatives to Behavioural Advertising

The DMA and ISBA foresee the decline of targeting practices based on third party cookies. Step 7 explores alternative targeting practices and solutions which are less intrusive from a privacy perspective, most notably the resurgent contextual targeting process (which avoids the processing of personal data when creating targeting segments), edge computing, vertical advertising networks and the key suppliers and platforms for each.

This section also considers various industry initiatives which seek to address privacy concerns in the programmatic advertising and RTB space, such as Google Chrome’s Privacy Sandbox, IAB Project Rearc, The 5th Cookie and the World Wide Web Consortium.

Comment

UK businesses at all levels of the Adtech ecosystem should pay close attention to the recommendations from the DMA and ISBA in the Adtech Guide, which have been subject to consultation with, and received the green light from, the ICO. The ICO will certainly look at organisations’ and the industry’s reaction to, and compliance with, these recommendations, which are packaged in an easy-to-use and digestible manner, and are designed for a broad audience (hint: at the very least forward the conditions for consent and cookie information notice ‘cheat sheets’ to your marketers!).

As the Covid-19 pandemic and related lockdown impact advertising spend in the short term and the UK Adtech industry faces the risk of at least a short-term decline in revenue, businesses should note the more cost- and time-intensive recommendations of the Adtech Guide, most notably supplier data protection audits, engaging CMPs and cookie scanning and cookie auditing software providers, conducting DPIAs, implementing appropriate security measures and aligning with relevant ISO security standards. These programmes must be sufficiently resourced and budgeted, as they will need to be completed or implemented to meet data protection obligations.

Although the ICO announced its decision on 7 May 2020 to pause its investigation into RTB and the Adtech industry (announcement available here), Adtech players should continue to prioritise efforts to adhere to the ICO’s calls to action. The ICO aims to restart its investigation in the coming months “when the time is right” and businesses would be remiss to take their foot off the gas when it is so uncertain and unpredictable when the time will ever be “right” in the current context.