On 20 June, the UK’s Data Protection Authority (DPA), the Information Commissioner’s Office (ICO), released a report into adtech and specifically about real time bidding (RTB) via the open exchange This report is intended to send a clear message to the adtech sector – a warning shot – that the ICO’s concerns around the way the industry profiles and shares personal data within the online advertising ecosystem “feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening”.
Acknowledging the complexity of the market, the ICO is not issuing any immediate sanctions instead describing its ‘measured and iterative approach, before undertaking a further industry review in 6 months’ time’.
Meanwhile, the ICO expects the adtech industry to respond to its findings in the report it continues to work and consult with the industry as part of its information gathering activities.
Writing the introduction, Elizabeth Denham, Information Commissioner, underlined this approach:
“We understand the need for a system that allows revenue for publishers and audiences for advertisers. We understand a need for the process to happen in a heartbeat. Our aim is to prompt changes that reflect this reality, but also to ensure respect for internet users’ legal rights”
In a note to its members, the WFA issued a briefing that highlighted that while the report is focused on what the ICO calls “ad tech” companies, there could be wider implications for advertisers who work with them.
To this end ISBA is taking a small group of advertisers together with the WFA to meet with the ICO to further describe the processes and dependencies around RTB and other forms of programmatic advertising in an informal meeting arranged earlier in the year. If you would like to know more about this meeting, driven by our Data Steering Group, please contact Clare O’Brien email@example.com
Below we have summarised the key points in the 25-page report, indicating the ICO’s next steps and the areas it expects the industry to focus on. If you would like to discuss any aspect of the report or have insight to share with your peer members, please get in touch.
Some report highlights
- Legitimate interest should not be used as a legal basis for collecting and processing some types of data used in real-time bidding (RTB) due to the inadequate methods of obtaining consent which are insufficient in terms of data protection law. This is not rare practice it says.
- The practice of using sensitive personal data (eg browsing history) to target consumers without their explicit consent through poor practice is highlighted. This data is ‘repeatedly shared among hundreds of organisations for any one bid request, all without the individual’s knowledge’ the report emphasises.
- Data Protection Impact Assessments (DPIAs) are deemed by the ICO to be a GDPR requirement for RTB activity, but the report claims that they are currently not being carried out by the ‘RTB ecosystem’.
- The ICO repeatedly states that the information provided to both consumers and organisations participating in RTB is unclear and does not give them visibility of what happens to their data.
- A number of specific issues are raised in relation to IAB Europe’s Transparency & Consent Framework (TCF). IAB Europe refutes some of these claims in a statement available here.
- Commenting on the planning and management data for RTB campaigns, the report questions the capability of all industry participants to fully understand the privacy and ethical issues involved citing a lack of maturity in some market participants, and the ongoing commercial incentives to associate personal data with bid requests’.
- It also shines a light on the contractual agreements in the data supply chain to protect how bid request data is shared, secured and deleted, as being inappropriate given the type of personal data sharing and the number of intermediates involved’. In other words, a lack of standard practice.
- The ICO says it will carry out “targeted information-gathering activities” from July onwards, including looking at whether DPIAs have been carried out for programmatic activities.
- The ICO will continue to engage with key industry stakeholders over the next 6 months, including IAB Europe and Google (who are specifically mentioned in the report).
- Over the next 6 months, they ‘expect data controllers in the adtech industry to re-evaluate their approach to privacy notices, use of personal data and the lawful bases they apply within the RTB ecosystem’.
- The report, which was initiated by a GDPR complaint submitted by Johnny Ryan (Brave), Michael Veale (University College London) and Jim Killock (NGO Open Rights Group), lists various personal data processing practices which the ICO considers fail to comply with the EU’s General Data Protection Regulation (GDPR). Parts of the report reference a ‘fact-finding forum’ held in March, which was attended by the UK advertiser association (ISBA) and a number of WFA members.
- ISBA’s Media Team and Data Steering Group will continue to monitor the situation and provide members with updates as required.