ICO update report on Adtech and real time bidding

What's the issue?

There is a genuine question around whether it is possible for the adtech industry as it currently operates to comply with all aspects of the GDPR and PECR. The complexities of the adtech ecosystem, especially in relation to interest-based advertising, present a real challenge to online publishers and the adtech platforms seeking to align with GDPR principles.

Adtech businesses are already the focus of a number of complaints to regulators who are now trying to firm up their approach. The ICO is known to take a pragmatic stance (but not at the expense of compliance) and recently conducted a fact-finding forum to help it understand the issues faced by businesses trying to comply.

What's the development?

Following its fact-finding forum, the ICO has published an update report into Adtech and real time bidding (RTB), summarising its findings so far. Its view is that the adtech industry presents a number of challenges to good data protection practices.

The report focuses on issues around transparency and consent (in relation to special data, as a lawful basis, and to cookies), as well as on the data supply chain. The ICO goes on to say that these are not the only issues in the adtech ecosystem and with RTB.

What does this mean for you?

This is a report rather than guidance but it is essential for players in the adtech ecosystem to pay attention and read it in conjunction with the guidance on cookies. The guidance highlights many compliance issues without suggesting complete solutions although it does look as though an industry standard solution will be the most viable.

Perhaps the most significant direction of travel is the one towards consent as the only appropriate lawful basis in practice for real time bidding under the GDPR. Those seeking to rely on legitimate interests should understand that this will be just as fraught with difficulty as achieving consent, and is unlikely to be viewed by the ICO as the correct lawful basis for adtech-related processing of personal data.

Many businesses are going to find they are non-compliant and may struggle to understand how to achieve compliance. The key is to do as much as possible and to be able to demonstrate you are trying to comply (in accordance with the accountability principle). As always, transparency is vitally important. The more people understand what is happening to their data, the less likely they are to have an issue and the less likely the regulators are to get involved.

Adtech players are urged to review their data protection practices and follow applicable GDPR and ePrivacy guidance which. while not necessarily specific to adtech, remains relevant. The ICO says: "we expect data controllers in the adtech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem". We would be happy to assist with this.

The ICO confirms it is taking an iterative and measured approach to its review. It will spend the next six months gathering information and engaging with the industry and will review its position towards the end of the year when it may conduct a further industry sweep and publish an additional report.

Taylor Wessing held a webinar on Tuesday 16 July to discuss this report and the ICO cookie guidance, as well as the approach of other EU regulators. If you missed the webinar, you can listen to it here.

Read more

Points to note from the report include the ICO's views that:

• DPIAs will be required for processing operations involving RTB as they will almost certainly include elements from the ICO's Article 35(4) list of operations likely to result in a high risk to the rights of individuals.
• Many players are unclear about the difference between GDPR requirements and requirements under PECR. PECR requires organisations to provide clear and comprehensive information about the purposes of any cookie (or similar technology) and obtain GDPR-standard prior consent. No exemptions will apply in the case of RTB cookies and it is irrelevant whether the information being stored or accessed is personal data.
• Many bid requests involve the processing of special category (sensitive) personal data. The only applicable condition which will satisfy Article 9 requirements is explicit consent. Current consent requests provided under both the IAB's 'Open RTB Protocol' and Transparency and Consent Framework (TCF) and Goggle's Authorized Buyers Real Time Bidding protocol (AB) are non-compliant in this respect. Market participants must modify existing consent mechanisms to collect explicit consent or not process special data at all.‍
• Bid requests which do not involve processing special data do not require explicit consent, however, given cookies are used in this process, consent to the cookies is still required under PECR to GDPR standard.
• ICO guidance states that if organisations are required to obtain consent for marketing under PECR, they should use consent as their lawful basis under GDPR. Trying to apply legitimate interests when an organisation has GDPR-level consent would be unnecessary and could cause confusion to individuals.
• Reliance on legitimate interests for marketing activities is only possible if organisations don't need consent under PECR and are also able to show that their use of personal data is proportionate and has a minimal privacy impact. Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are currently unable to demonstrate that they have carried out the balancing interests test and implemented appropriate safeguards.
• The only lawful basis for 'business as usual' RTB processing of personal data is consent. This is because PECR requires consent to non-essential cookies and consent is also the most appropriate lawful basis for processing personal data beyond the setting of cookies (although associated processing may be able to rely on an alternative basis).
• There is an issue with lack of transparency under both the GDPR and PECR. Privacy information given to individuals often lacks clarity and does not give them an appropriate picture of what happens to their data. Due to the complexity of the RTB ecosystem, organisations cannot always provide required information, particularly as they do not always know with whom data will be shared. It is unclear whether the TCF vendor list is of practical use to individuals and it does not include all RTB actors.
• Where processing of personal data by third parties is intended to rely on a consent obtained by a first party, those third parties need to be named as recipients of the data. As the first party has no way to determine which third parties will receive the data, extensive lists of organisations which may receive data are provided.
• It is unclear whether organisations participating in the RTB framework understand what is happening across the data supply chain. While industry initiatives such as the TCF attempt to address this, in their current forms, they do not comply with the accountability principle of the GDPR.
• The creation of enriched or augmented user profiles by mixing data from different sources is disproportionate, intrusive and unfair, in particular, in cases where individuals are unaware this is happening.
• The complex data supply chain leads to a risk of data leakage where data is either unintentionally shared or used in unintended ways.
• Using contractual controls to provide guarantees of data privacy compliance does not satisfy GDPR requirements as there is no appropriate monitoring of ongoing compliance of all actors in the supply chain.
• Accountability is also an issue as lack of visibility across the supply chain means it is impossible to document how compliance is achieved.
• There is no evidence that any of the current initiatives to change the way the RTB system operates are fully mature or would sufficiently address data privacy concerns, nor that any measures to do so would be adopted voluntarily by the industry.
• There is little or no consideration as to the law on data transfers.
• There are inconsistencies about the application of data minimisation and retention controls.
• It is not possible to guarantee data security down the supply chain.

The European adtech industry body, the IAB, has welcomed the ICO's report, saying that data protection concerns are impossible to address without a standardised industry solution. While responding to some of the ICO's comments on its TCF, the IAB says it looks forward to working with the ICO and other regulators to develop its framework.