Digital advertising or adtech has been a hot topic for regulators across the EU in the last few years. The industry's compliance with data protection laws has long had question marks over it, with the complex ecosystem making transparency harder to manage and lawful basis harder to establish. However, the debate around the need for digital advertising to keep the internet free means that adtech is unlikely to be going anyway anytime soon.
The position on digital advertising in the UK seems currently suspended in a state of flux, but this does not mean that adtech businesses should be complacent regarding their regulatory obligations. In this article we look at UK regulatory activity on the topic over the last few years to help understand the current position and how to navigate data privacy compliance.
ICO report on adtech 2019
The Information Commissioner's Office made it clear that it had the digital advertising industry in its sights back in 2019 when it issued its update report (ICO's Report) into adtech and real time bidding (RTB). Words such as "disproportionate" and "intrusive" appear in the introduction to the Report to describe some of the adtech industry's practices around the creation and sharing of profiles of people. This sent warning shots to the ecosystem that the ICO was watching.
The Report highlighted the ICO's concerns about the use of personal data by the industry and key takeaways include:
- Consent is the only appropriate lawful basis in practice for RTB relating to targeted ads under the GDPR.
- Data protection impact assessments will be required for processing operations involving RTB.
- Explicit consent is needed for the use of special category data in bid requests.
- The lack of transparency is a big issue in the face of the complexity of the ecosystem of adtech (particularly that of RTB) and privacy notices are often non-compliant.
- Third parties relying on a consent obtained by a first party will need to be named as recipients of the data.
- Creation of enriched or augmented user profiles by mixing data from different sources is disproportionate, intrusive and unfair particularly when individuals do not know this is happening.
- The participants in the RTB framework may not know what is happening across the data supply chain. There are initiatives to try to address this (such as the TCF as we discuss here), but at the time of the ICO's Report, they did not comply with the accountability principle of the GDPR.
- Using contractual controls with other participants with whom user data is shared to provide guarantees of data protection compliance is not enough if there is no ongoing monitoring of compliance. This seems to be the focus of the reported €60m fine the CNIL intends to impose on French digital advertising platform Criteo.
The ICO's position in the Report was clear; the adtech industry is not currently (UK) GDPR-compliant. The ICO warned that regulatory action would follow if the players in the ecosystem did not get their houses in order in relation to data protection compliance, however, the adtech investigation was paused as the COVID-19 pandemic descended and resources were focused elsewhere.
ICO Opinion 2021
Following the pause in response to the pandemic, the ICO's investigation into the adtech industry was resumed in January 2021. The outgoing Information Commissioner, Elisabeth Denham, issued an Opinion in 2021 to flag that the adtech industry's data protection compliance was still high on the ICO's agenda but there has been no indication as to when or indeed whether a final report may be forthcoming.
The Opinion was, however, a reminder (and perhaps a warning) that digital advertising has the potential in the ICO's opinion to be highly intrusive from a privacy perspective given the way it uses cookies and other tracking technologies to gather information about individuals to profile and target them.
The ICO also launched various audits of companies, starting with a selection of data management platform companies, but it is not clear whether these audits have concluded or what (if any) outcomes they produced. There has been some enforcement action on the periphery of the topic, including an ICO enforcement notice issued to Experian in respect of its provision of marketing attributes to marketers (although Experian recently won an appeal against large parts of this), but no fines have been given in the adtech space and it begs the question as to whether or when the ICO will target the digital advertising ecosystem for enforcement.
The new Information Commissioner, John Edwards, has publicly stated that the ICO is shifting towards being a "more and empathetic and open" regulator, and companies across industries including adtech will be eagerly waiting to see what that means in practice. Against the backdrop of the UK trying to find its post-Brexit position and wanting to attract businesses, and given the approach of the current ICO, there is likely to be an enhanced focus on working with companies to achieve compliance before any showstopping fines are issued.
Data Protection and Digital Information Bill
The Data Protection and Digital Information (No.2) Bill (DPDI Bill) (published in March 2023) is making its way through Parliament and looks as though it will come into force later this year or next. The DPDI Bill does not include seismic changes but aims to make UK data protection law more straightforward for businesses to comply with, signalling the UK's shift to a more pragmatic approach. Despite this, it increases fines for PECR breaches to the higher GDPR level, meaning that being on the wrong side of compliance could be costly.
The DPDI Bill introduces changes to the consent requirements for cookies and may mean that cookie banners are not needed for lower risk activities. However, advertising cookies are on the higher risk side so consent will likely still be necessary for most digital advertising purposes, as flagged in the Report.
Joint statement with CMA
The digital advertising regulatory landscape is of course not limited to data protection, and competition laws are another key component. The ICO released a joint statement with the Competition and Markets Authority in May 2021 setting out their cooperation in approach to digital markets.
The CMA launched an investigation in 2022 into Meta's (previously known as Facebook) use of data obtained from advertising services and single sign on function to benefit its own services (such as Facebook Marketplace) and whether this distorted competition. The CMA recently updated its timetable for investigating Meta, stating that it has been extended to summer 2023. The outcome of the investigation will presumably be a strong indication of the direction in which the UK is headed, so we should know more soon about what the regulators are thinking.
Industry changes
Two of the biggest players in the digital advertising industry, Google and Apple, have both announced big changes in recent years, with Google moving away from the use of third party cookies in 2024 and Apple setting further transparency requirements for apps – effectively opting users out of tracking across apps by default (and causing Google, Facebook and other industry players to lose billions in ad revenue).
Some feel that there could also be a move away from reliance on RTB as the main form of digital advertising, with the rise of contextual advertising (perhaps enhanced by the use of AI) seen as a viable alternative. Contextual advertising involves showing ads based on the webpage that they are viewed on (e.g. adverts for dresses being shown on a bridal website and often more granular sub-categories of content), rather than tailored based on the personal data known about the viewer. Some reports have suggested that publishers like the New York Times and the Dutch publisher NPO have increased ad revenue by moving to contextual, although it is hotly debated whether this could be replicated by publishers generally.
What does this mean?
Arguably, the future of regulatory action on digital advertising is currently somewhat unclear in the UK. However, we do already know the key points that the UK regulators are focused on, with transparency and consent collection continuing to be potential flashpoints. This should help those in the digital advertising industry guide their approach to data protection compliance. What remains to be seen is how the UK regulators will go about enforcement of the data protection and related laws, particularly under the new Information Commissioner, and what will happen in the EU which may well set the tone for wider industry standards.