17 February 2020
– 2 of 5 Insights
ICO places emphasis on industry cooperation but warns of enforcement action.
There is a genuine question around whether it is possible for the Adtech industry as it currently operates to comply with all aspects of the GDPR.
The complexities of the Adtech ecosystem, especially in relation to interest-based advertising, where known or inferred information about the user and their interests is used in order to show them ads they may be interested in, and the multiplicity of platforms and intermediaries that are often involved in the delivery of interest-based ads, present a real challenge to online publishers and the Adtech platforms seeking to align with GDPR principles.
The UK's ICO is just one of the regulators looking into the issue. It issued an interim report in June 2019, following a fact-finding forum, and said it would then take six months to review its findings.
With the six-month period over, the ICO has published a blog reporting on a further fact-finding forum held in November and setting out next steps.
The ICO had commented a few weeks earlier that there are encouraging signs and said that the nature of the debate has changed from "it's too complicated" to practical considerations which combine innovation and privacy, singling out statements of intent from Google and IAB Europe and UK.
The IAB UK has agreed a range of principles and is developing guidance on security, data minimisation and data retention, as well as UK-focused guidance on content taxonomy. It is also planning to educate the industry on special category data and cookie requirements. Google is going to remove content categories and improve its process for auditing counterparties. It has also said it will phase out support for third party cookies within the next two years.
The ICO does, however, retain "significant concerns about the lawfulness of processing special category data...and the lack of explicit consent for that processing" as well as "concerns about whether reliance on contractual clauses to justify onward data sharing is sufficient to comply with the law". Other flashpoints are around the use of legitimate interests as a lawful basis, insufficient data security and data minimisation, and a failure to complete sufficiently detailed DPIAs.
The ICO says some organisations "appear to have their heads firmly in the sand" and concludes that engagement alone will not address the issues; "it may be necessary to take formal regulatory action". The ICO also has warnings for the wider industry: "some of what is happening now appears to us to be unlawful…The future of RTB is both in the balance and in the hands of all the organisations involved".
It seems fairly clear the ICO is looking to industry to provide a compliance solution it can agree on, but the implication is that there is no easy answer available. In the interim, the ICO provides somewhat vague advice to all organisations in the RTB chain, urging them to:
The ICO says "the most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation and to encourage their supply chain to do the same".
Adtech businesses will also have to grapple with the ramifications of the recently published draft Code of Practice on Direct Marketing which will, when adopted, have statutory force. All the usual compliance issues of lawful basis, transparency, and consent (to cookies), which are the focus of various RTB-related complaints before data protection regulators across Europe, are underlined in the Code (see our article).
Regulators recognise that the internet is fuelled by advertising, but both competition and data protection regulators are repeatedly finding issue with the current business models. The main reason why GDPR compliance is particularly challenging for Adtech is the complexity of the ecosystem: the number of different actors (publishers, vendors, data brokers, advertisers), the real-time bidding system, and the data journey involving a large supply chain.
One of the questions the ICO is seeking to answer with the help of stakeholders is whether there is a 'one size fits all' solution to the tension between the GDPR and Adtech. There have been a number of regulator decisions in this space but these tend to focus on the problems rather than the solutions. Hopefully, the ongoing investigations will result in further guidance and a more clear-cut approach.
You can read more about Adtech and GDPR compliance in our series of articles on the Global Data Hub.