New statement by the UK Data Protection Authority on Real Time Bidding

On 20 June 2019, the UK data protection supervisory authority, the UK ICO, issued a new opinion on data protection implications of real time bidding ("Update Report into adtech and real time bidding"). The thrust is similar to that of the March 2019 "Guidance for Telemedia Providers" by the German supervisory authorities.

Thus, the ICO assumes that “legitimate interests” are not an adequate legal basis for real time bidding; rather, consent is regularly required. Another criticism is that transparency in the ad tech sector is not sufficient. The existing industry solutions, e.g. from IAB Europe, are also deemed insufficient. It is noteworthy with which clear words the "disproportionate, intrusive and unfair" data processing processes in real time bidding are criticized.

In detail:

1. Necessary legal basis

In the opinion of the authority, legitimate interests are generally ruled out as an adequate legal basis. This is, in the ICO’S view, already the case because, irrespective of the data processing under the GDPR, a GDPR compliant consent is required for the setting of cookies. However, if consent had to be obtained anyway, it would not be clear why the data processing would then be based on legitimate interests. This could also lead to unjustified results, for example if a user revokes his/her consent and further data processing is then based on legitimate interests. According to the ICO, consent is the only practicable legal basis for “business-as-usual” real-time bidding. Thus, the ICO broadly agrees with the view of the German data protection conference expressed in the "Guidance for Telemedia Providers" by the German supervisory authorities.

The ICO also criticized the fact that many providers of real time bidding apparently had not understood that, in addition to the requirements of the GDPR, they also had to meet the requirements of the ePrivacy Directive and accordingly had to obtain cookie consent.

2. Transparency

Transparency in real time bidding is not warranted, according to the ICO. Although many providers have privacy notices ready, these often do not meet the transparency requirements. In addition, so many providers are involved in the bidding and ad-serving process that it is impossible to understand which parties actually receive user data. In particular, this would lead to publishers using real time bidding not understanding how the data processing involved works and therefore not being able to comply with the GDPR’s accountability obligations.

3. Data Protection Impact Assessment

The authority considers that a data protection impact assessment should be carried out for real time bidding because (i) new technologies are used, (ii) profiling of users takes place on a large scale, (iii) “covert” data processing' takes place, (iv) user behaviour and locations are processed, and also (v) the data of vulnerable individuals such as children is processed.

4. Industry Standards

In the ICO’s view, the existing industry standards, such as those of IAB Europe, do not meet the requirements of the GDPR.

5. Further Procedure

The ICO clearly announced enforcement actions: The ICO assumes that, if enforcement measures are not taken, existing problems will not be resolved. Nevertheless, the ICO announced that it will take a cautious and coordinated approach. The ICO is aware that many publishers are heavily dependent on revenues from the advertising industry. In the coming six months, the ICO will therefore consult with market participants such as IAB Europe to see whether it will agree on - or if necessary order - a correspondingly adapted processing practice.