Adtech and data privacy: practical tips on dealing with challenges under the GDPR and EU ePrivacy rules

Author

Christopher Jeffery

Partner

London

Transparency and information: the devil is in the detail

What's the issue?

Transparency is a key requirement under the GDPR.

To meet the transparency and information criteria (as set out in Articles 13 and 14 GDPR), Adtech businesses must provide (or get publishers to provide for them) certain information to their users (usually through a privacy policy), covering the type of personal data collected including cookies, online identifiers, location data, and other similar technologies), where the data comes from, how it is shared and with whom, the lawful basis for processing as well as the purposes for such processing.

Adtech businesses acting as controllers sometimes struggle to fulfil these requirements, partly because they do not control the website or app which interfaces with the user and partly because of the sheer complexity of the ecosystem.

The data supply chain of the Adtech sector has become more complex than ever. In particular, the real time bidding process is now fully automated and digitalised, involving collecting and sharing a higher volume of user data. Some Adtech businesses struggle to clearly identify or segment the types of personal data they process relative to each purpose of processing.

This can be explained by the volume of data processed, technical issues (eg they don't have the tools to segment the data by purpose of processing) but also a deliberate choice to collect as much data as possible to the detriment of the quality of the data, for targeting, profiling or analysing the online behavior of their users.

The serving of a single ad to a single user can involve multiple related purposes: targeting, measurement, anti-fraud, attribution etc. and achieving transparency for each of these in the way the GDPR envisages is tough.

The information and transparency requirements apply irrespective of whether a controller has a direct relationship with the data subject. Publishers which collect data from their own users (first party data) and from third parties (third party data) struggle to fulfil the information and transparency requirements.

If the information and transparency requirements are not met, it also makes it hard for publishers to comply with the ePrivacy Directive including, where needed, the consent requirement (see below).

Failure to carry out proper due diligence on third parties may also lead to controllers using the data for a different purpose than originally envisaged and without an appropriate lawful basis. If this happens, they will be in breach of the GDPR and ePrivacy rules.

The GDPR provides limited exceptions to the information obligations on a data controller where personal data has not been obtained from the data subject (including where providing such information would be impossible or would involve a disproportionate effort), although the EDPB's guidelines are clear that they should be interpreted narrowly.

For example, where the source of the data cannot be attributed, Adtech businesses acting as controllers are expected to provide general information about the data and expressly justify why the information obligation cannot be met at the time of taking the decision.

If the circumstances change (eg a data mapping exercise subsequently allows the identification of the data sources) then it is unlikely that the controllers will be able to continue to rely on the exemption and the privacy notice should be updated accordingly.

The International Advertising Bureau Europe (IAB) created a consent and transparency framework to try and address these issues, although this has been criticised.

The draft revised version (version 2.0) purports to give more control to publishers and more granularity as to the different purposes of processing, to consent management platforms, vendors and advertisers, to help them meet their GDPR obligations. It is expected to be finalised shortly.

Practical steps

Have a comprehensive understanding of your data flows – businesses which have processes to verify the data they receive and a clear and exhaustive picture of their data flows and activities will be in a good position to fulfil their information and transparency obligations.
Review your privacy notice – privacy statements should be reviewed to ensure they are presented in a clear and transparent manner that is accessible to any user including children where appropriate. A privacy notice should be dynamic and be reviewed and updated on a regular basis to accurately reflect your data flows and processing activities.
Be precise – Our observation of market practice is that there is still a tendency to describe complex data use in vague, high-level words, more designed to make users feel comfortable than to tell them what is actually happening and without concrete examples of what can happen in practice. Phrases like "we and our trusted partners use your data to show you ads for products you might like", without further explanation, do little to get across the number and kinds of intermediaries which may process user data, the various things they may do with the data, or the impact the data sharing has on the wider online experience of the user on other sites and apps. There is good practice out there, but generally, the industry could revisit its practices and be more open and transparent. In fact, it needs to be in order to withstand the coming regulatory spotlight.
Consider using the IAB's consent and transparency framework – this may be appropriate as an industry-level attempt to wrestle with the challenges although be careful - its approach is not guaranteed to be approved by the regulators by any stretch.
Review your data sharing practices – where personal data is shared with third parties, you should expressly indicate who those third parties are in your privacy policy and review the access controls that you have implemented to ensure they do not use that personal data other than for the purposes agreed when collecting the data.
Carry out due diligence on third party data – personal data received from a third party should be cross-checked before being used. Where you don't have a direct relationship with the user, carry out due diligence on third parties you collect personal data from (where applicable) to ensure you identify the correct lawful basis for processing and can use the data for your own purposes.
Can you rely on an exemption to information provisions? You should only rely on an exception after you have carried out a careful assessment including considering the EDPB's guidance on transparency. Remember that you need to document your rationale in order to comply with your accountability obligations. Exceptions are interpreted narrowly by regulators and should not be used as a pretext to circumvent the information obligation.

Consent and legitimate interests

What's the issue?

Each processing operation must be underpinned by a lawful basis. Consent and legitimate interests are two of the lawful bases that can be used for processing personal data and the ones most likely to apply in an Adtech context (the EDPB seems to have rejected the possibility of relying on Article 6(1)(b) – necessary for performance of a contract).

Both legitimate interests and consent can present difficulties and there has been a considerable amount of scrutiny on the lawful basis issue (see our article for more).

The lawful basis assessment can have repercussions further down the data lifecycle. For example, it is not uncommon to see advertisers seek to rely on the same lawful basis as the relevant website provider in order to use the persona datal for their own purposes.

There is a risk that advertisers and other businesses which do not collect personal data directly, use personal data for which an assessment has not been correctly carried out, or in relation to which the lawful basis for processing personal data has not been specifically set out in the privacy policy. An assessment of the lawful basis is, therefore, a crucial step that all Adtech businesses should take, even if they only receive data from first parties.

Practical steps

Assess and document the lawful basis for processing – at the very least, you should review the lawful basis of your high risk processing activities (such as personal data and/or special category used for profiling, targeted or behavioural advertising, and decisions taken on an automated basis).
Ensure your privacy policy is clear - make sure that your privacy policy is specific about the lawful basis you use against each purpose for processing – generic statements are not sufficient. Be aware of the guidance from domestic data protection authorities which can take slightly different approaches to interpretation of the GDPR.
If you want to rely on legitimate interests – carry out and document the balancing test between your legitimate interests and the rights of the data subjects. Record the decision in your record of processing activities. This is particularly important in the Adtech space where legitimate interests is not an obvious choice and may attract regulator scrutiny.
If you want to rely on consent – go through each criterion and document why you (as a controller) believe that your consent collection mechanism meets the GDPR standard of consent. This may include carrying out due diligence on a third party provider if you use one.
Where consent is collected via an app, it should be collected before the app is downloaded and any data is processed. Run through the customer journey and implement beta versions before making it live. If you use a mobile app and collect location data for behavioral and targeted advertising:
> Collect consent before the app is downloaded and the collection of location data begins and inform the users that their data will be used for that purpose (informed consent). >Users should be able to download the app without the SDKs or the location feature automatically starting and have a genuine choice about whether to give consent in order to continue using the apps (freely given).
>The privacy notice (eg the pop-ups) should specifically set out the purposes of the processing (profiling and targeted advertising) and indicate that the data will be passed to named third parties.
Get GDPR consent for cookies – review the cookies you collect and use and ensure that the consent you collect for non-essential cookies is GDPR-compliant. You may also benefit from implementing a preference management centre to give users a genuine choice to enable or disable cookies that they do not wish to be placed on their devices. Avoid cookie walls as these do not always give the users any other option but to consent.

Commercial contracts and Data Processing Agreements

What's the issue?

Commercial contracts in the Adtech sector involve a range of commercial and technology issues. Data is often an important element of the transaction and data protection issues should be looked at as part of the wider negotiation strategy rather than in isolation.

GDPR-focused data addenda and Data Processing Agreements (DPAs) have been a source of much confusion and variation in practice because of the complexities of data use and sharing in the space. GDPR requires a level of self-analysis that the prior Directive did not.

It is one vertical where any clarity as to which platforms are processors, controllers or both is challenging – the pre-GDPR knee-jerk reaction that all vendors are processors, and Adtech platforms are just another type of vendor, quickly ran out of steam in the run-up to May 2018.

Even now, 12 months in, we see wide variations in how some of the settled Adtech categories of platform are regarded. We do not have scope here to dive into the detail, but suffice it to say there are more controllers in Adtech than one might think, as many platforms (not all) use personal data on users for their own purposes, or for the purposes of their clients generally, and often not just to deliver a service to the one client or partner they received the data from.

While not conclusive, the use of personal data for your own needs or for the benefit of multiple clients, points towards controller status.

There is, however, no general agreement on whether demand-side platforms, supply-side platforms, data management platforms, ad networks or ad exchanges (to name a few of the common categories in the space) are generally one or the other – they may be either or both and the answer may be different for different purposes of processing.

The major Adtech companies have, of course, been through the process, decided which category they fall into for different processing of personal data, and present template DPAs or equivalent to the market accordingly.

Things get messy when partners disagree on controller-processor classification. New entrants to Europe or to the market generally need to do the same, and ensure sales teams are 'on message' and understand enough GDPR to maintain a consistent line.

The net effect of the variation in GDPR-focused contracts is that there are huge numbers of GDPR-focused agreements out there and some of them will have mis-classified roles, leading to non-compliance and often friction in how data use is operationalised.

We expect this to shake out over time and for an increased level of clarity over Adtech roles under GDPR to emerge which will shapethe form the agreements should take.

Practical steps

Clarify your role and document accordingly – the uncertainty over status in the data processing cycle matters because if there is no clarity on what role you play, there is no clarity on the kind of contractual commitments you should be making to clients and partners which include that:

Processors should sign Article 28 commitments and, where standard contractual clauses are used to legitimise transfers outside the EEA, the controller-to-processor variant of the model clauses.
Independent co-controllers are not legally required to sign a contract when sharing personal data under GDPR, although emerging market practice is to give some kind of mutual compliance commitment, often coupled with a commitment to co-operate around GDPR issues that crop up (data subject requests etc).
Joint controllers need to allocate responsibility for GDPR compliance in a contract between them.
Controllers sharing personal data with non-EEA controllers should use the controller-to-controller variants of the standard contractual clauses if that is the method selected to legitimise the transfer.

The direction of travel

Adtech businesses are generally well aware of the regulatory challenges posed by GDPR, ePrivacy and other consumer-driven rules. The flow of complaints by privacy campaigners and regulatory investigations will add to the pressure on the industry to revisit its practices which may well have a huge impact on the Adtech ecosystem as a whole.