The advertising technology sector has changed considerably over the past twenty years. Publishers, vendors, advertisers, ad exchangers and other actors operating in the Adtech ecosystem now have sophisticated data strategies in place to better target their audience.
With the introduction of data privacy and consumer protection legislation in the EU (and most recently the GDPR), Adtech businesses are facing an increasing number of data privacy challenges and are exposed to greater scrutiny from regulators and privacy campaigners as to whether their data privacy practices meet GDPR standards.
Transparency is a key requirement under the GDPR.
Adtech businesses acting as controllers sometimes struggle to fulfil these requirements, partly because they do not control the website or app which interfaces with the user and partly because of the sheer complexity of the ecosystem.
The data supply chain of the Adtech sector has become more complex than ever. In particular, the real time bidding process is now fully automated and digitalised, involving collecting and sharing a higher volume of user data. Some Adtech businesses struggle to clearly identify or segment the types of personal data they process relative to each purpose of processing.
This can be explained by the volume of data processed, technical issues (eg they don't have the tools to segment the data by purpose of processing) but also a deliberate choice to collect as much data as possible to the detriment of the quality of the data, for targeting, profiling or analysing the online behavior of their users.
The serving of a single ad to a single user can involve multiple related purposes: targeting, measurement, anti-fraud, attribution etc. and achieving transparency for each of these in the way the GDPR envisages is tough.
The information and transparency requirements apply irrespective of whether a controller has a direct relationship with the data subject. Publishers which collect data from their own users (first party data) and from third parties (third party data) struggle to fulfil the information and transparency requirements.
If the information and transparency requirements are not met, it also makes it hard for publishers to comply with the ePrivacy Directive including, where needed, the consent requirement (see below).
Failure to carry out proper due diligence on third parties may also lead to controllers using the data for a different purpose than originally envisaged and without an appropriate lawful basis. If this happens, they will be in breach of the GDPR and ePrivacy rules.
The GDPR provides limited exceptions to the information obligations on a data controller where personal data has not been obtained from the data subject (including where providing such information would be impossible or would involve a disproportionate effort), although the EDPB's guidelines are clear that they should be interpreted narrowly.
For example, where the source of the data cannot be attributed, Adtech businesses acting as controllers are expected to provide general information about the data and expressly justify why the information obligation cannot be met at the time of taking the decision.
If the circumstances change (eg a data mapping exercise subsequently allows the identification of the data sources) then it is unlikely that the controllers will be able to continue to rely on the exemption and the privacy notice should be updated accordingly.
The International Advertising Bureau Europe (IAB) created a consent and transparency framework to try and address these issues, although this has been criticised.
The draft revised version (version 2.0) purports to give more control to publishers and more granularity as to the different purposes of processing, to consent management platforms, vendors and advertisers, to help them meet their GDPR obligations. It is expected to be finalised shortly.
Each processing operation must be underpinned by a lawful basis. Consent and legitimate interests are two of the lawful bases that can be used for processing personal data and the ones most likely to apply in an Adtech context (the EDPB seems to have rejected the possibility of relying on Article 6(1)(b) – necessary for performance of a contract).
Both legitimate interests and consent can present difficulties and there has been a considerable amount of scrutiny on the lawful basis issue (see our article for more).
The lawful basis assessment can have repercussions further down the data lifecycle. For example, it is not uncommon to see advertisers seek to rely on the same lawful basis as the relevant website provider in order to use the persona datal for their own purposes.
Commercial contracts in the Adtech sector involve a range of commercial and technology issues. Data is often an important element of the transaction and data protection issues should be looked at as part of the wider negotiation strategy rather than in isolation.
GDPR-focused data addenda and Data Processing Agreements (DPAs) have been a source of much confusion and variation in practice because of the complexities of data use and sharing in the space. GDPR requires a level of self-analysis that the prior Directive did not.
It is one vertical where any clarity as to which platforms are processors, controllers or both is challenging – the pre-GDPR knee-jerk reaction that all vendors are processors, and Adtech platforms are just another type of vendor, quickly ran out of steam in the run-up to May 2018.
Even now, 12 months in, we see wide variations in how some of the settled Adtech categories of platform are regarded. We do not have scope here to dive into the detail, but suffice it to say there are more controllers in Adtech than one might think, as many platforms (not all) use personal data on users for their own purposes, or for the purposes of their clients generally, and often not just to deliver a service to the one client or partner they received the data from.
While not conclusive, the use of personal data for your own needs or for the benefit of multiple clients, points towards controller status.
There is, however, no general agreement on whether demand-side platforms, supply-side platforms, data management platforms, ad networks or ad exchanges (to name a few of the common categories in the space) are generally one or the other – they may be either or both and the answer may be different for different purposes of processing.
The major Adtech companies have, of course, been through the process, decided which category they fall into for different processing of personal data, and present template DPAs or equivalent to the market accordingly.
Things get messy when partners disagree on controller-processor classification. New entrants to Europe or to the market generally need to do the same, and ensure sales teams are 'on message' and understand enough GDPR to maintain a consistent line.
The net effect of the variation in GDPR-focused contracts is that there are huge numbers of GDPR-focused agreements out there and some of them will have mis-classified roles, leading to non-compliance and often friction in how data use is operationalised.
We expect this to shake out over time and for an increased level of clarity over Adtech roles under GDPR to emerge which will shapethe form the agreements should take.
Clarify your role and document accordingly – the uncertainty over status in the data processing cycle matters because if there is no clarity on what role you play, there is no clarity on the kind of contractual commitments you should be making to clients and partners which include that:
Adtech businesses are generally well aware of the regulatory challenges posed by GDPR, ePrivacy and other consumer-driven rules. The flow of complaints by privacy campaigners and regulatory investigations will add to the pressure on the industry to revisit its practices which may well have a huge impact on the Adtech ecosystem as a whole.
Debbie Heywood looks at the issues attracting regulator attention and enforcement in the EU Adtech ecosystem.
1 of 5 Insights
Chris Jeffery and Debbie Heywood look at the main compliance challenges for Adtech under the GDPR.
3 of 5 Insights
Chris Jeffery looks at the Dutch regulator's view on cookie walls to gather consent to tracking cookies.
4 of 5 Insights
We look at German regulator guidelines on the use of tracking cookies and lawful basis under the GDPR.
5 of 5 Insights