In June 2019, the UK Information Commissioner's Office ("ICO") produced a report on the advertising industry's use of adtech and real time bidding ("RTB") and whether UK data protection and e-marketing legislation was being complied with. The report criticised parts of the sector for not doing enough to safeguard personal data, but stated that the ICO would give organisations a six-month grace period prior to taking regulatory action, during which time they would work with stakeholders in the industry to ensure that steps were being taken towards compliance.
On 17 January 2020, in a blog by their Executive Director of Technology and Innovation, Simon McDougall1, the ICO stated that, whilst some stakeholders had engaged positively with them following the publication of June's report, overall the ICO were not satisfied that enough was being done by the industry and that, as a result of this, they would begin taking formal regulatory action. In this article, we explore the concepts of adtech and RTB, before taking a closer look at some of the potential issues that the ICO have identified surrounding their use, and the possible next steps that the ICO could take.
What is adtech, and what is it used for?
The ICO defines adtech as 'tools that analyse and
manage information for online advertising campaigns and automate
the processing of advertising transactions'.2 Adtech is frequently
used in conjunction with RTB – a live process that
facilitates the auction of online advert impressions in the
milliseconds that it takes for a webpage to load and display to
users. The use of RTB is somewhat controversial, with the
information that advertisers are provided with to facilitate the
auction process often falling under the definition of personal data
under the European General Data Protection Regulation
("GDPR"). The ICO is concerned that some within the
adtech industry are not always using the appropriate lawful basis
to obtain that data and, when they are obtaining personal data, are
not doing enough to safeguard it.
What exactly have the ICO said?
In their June report, the ICO identified a number of
concerns that they have with the adtech industry and the use of
RTB.
Lawful Basis
The ICO have commented on there being a 'lack
of clarity' from many RTB participants regarding the
appropriate lawful basis that should be relied upon for processing
under Article 6 of the GDPR, with many participants relying on
'legitimate interests' for both the processing of personal
data and for the setting of cookies to obtain that data. However,
the ICO have been keen to highlight that using legitimate interests
as the legal basis for processing risks falling short of compliance
with the Privacy and Electronic Communications Regulation
("PECR"), and that PECR, together with their own latest
guidance on the use of cookies (published by the ICO in July 2019),
makes it very difficult for organisations to rely on legitimate
interests for the use of cookies, rather than consent obtained in
accordance with the GDPR standard (which must be fully informed,
unbundled, affirmatively given and capable of being withdrawn).
The Use of Special Category Data
One of the major concerns that the ICO have
expressed surrounds the use of special category data in adtech and
RTB. The ICO has claimed that 'a proportion of bid
requests involve the processing of special category data',
before going on to note that processing special category data is
forbidden, unless one of the conditions within Article 9 of the
GDPR applies.3 The only Article 9 condition that
is likely to apply to RTB is Article 9 (2) (a) – explicit
consent – with the ICO making it very clear that, in the
ICO's view, adtech and RTB participants cannot rely on any
other conditions for the processing of special category data. The
ICO have noted that participants should either modify their
existing consent mechanisms in order to actively obtain specific
consent for the processing of special category data, or these
participants should cease to process this kind of data.4
The Lack of Transparency
Another concern relates to the lack of transparency
in the adtech sector. This includes both a general lack of
transparency - typified by the fact that many internet users are
often unaware that their data is being used in this way - and the
failure of participants in the industry to provide sufficient
information to users that complies with the information and
transparency requirements set out in Articles 13 and 14 of the
GDPR. For example, Article 14 (1) (d) states that individuals must
be informed of the 'recipients or categories of recipients of
(their) personal data'. However, as the ICO notes, with
RTB this is usually simply not possible. The ultimate recipients of
the personal data do not typically have the means to contact the
relevant individuals, as the first parties that receive the data
from the individuals in the form of cookies often have no idea, at
the point of obtaining the data, which advertisers they will be
selling it to. As such, it is typically impossible for the first
party to provide the user with the required information about the
advertisers and to gain the user's consent for those advertisers to
receive their information.
Data Supply Chains
The sheer complexity and volume of participants
involved in adtech and RTB means that the data supply chains can
often be very lengthy. In fact, according to the ICO, 'a single
RTB request can result in personal data being processed by hundreds
of organisations', as both the successful and unsuccessful
bidders are receiving a user's information during the RTB
process. With a data supply chain this large, the risk of data
leakage and/or data misuse significantly increases. The ICO have
said that they intend to closely monitor data supply chains within
RTB, and have warned that organisations will need to be able to
demonstrate that their activities are compliant with the GDPR.5
Data Protection Impact Assessments ("DPIAs")
DPIAs are a way of mapping, measuring and assessing
the level of risk associated with particular data processing
activities. High-risk activities are usually deemed to be those
that (amongst other things): involve new technologies (e.g. facial
recognition software); involve large-scale processing of personal data; or
use personal data to make automated decisions about a data subject.
In the opinion of the ICO, RTB satisfies all of these requirements,
and the ICO has expressed concern that the vast majority of
participants in the adtech and RTB sector are not currently meeting
their obligations to complete DPIAs in relation to the use of this
technology.6
The threat of regulatory action:
On the other end of the spectrum, the ICO have reported
that many organisations still 'have their heads firmly in the
sand', and that they are now confident that engagement alone
will not solve the problems that they have with the industry. The
ICO reports that many of the concerns that the ICO shared in their
June report still persist, with the organisation describing some of
the DPIAs that they have received as 'immature', and with
concerns remaining around the justification that some adtech
companies are giving for gaining and processing the personal data.
The basic level of data protection controls over security, data
retention and data sharing also remain areas of concern. The ICO
signs off its latest blog with a warning to adtech companies that
remain non-compliant with data protection laws, stating that:
'those who have ignored the window of opportunity to engage and
transform must now prepare for the ICO to utilise its wider
powers'.
Footnotes
1 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/06/blog-ico-adtech-update-report-published-following-industry-engagement/
2 https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
3 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/
4 https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
5 https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
6 https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
© Copyright 2020. The Mayer Brown Practices. All rights reserved.