AdTech is a rapidly evolving area, of particular importance to publishers and other businesses or cultural organisations who drive traffic to their websites through content. Digital advertising has attracted significant public attention in recent years as a result of complaints from privacy activists and media concerns over seismic developments in the industry brought about by key players such as Google and Apple. This is reflected in ongoing high-profile investigations by the Information Commissioner’s Office (ICO) and EU regulators alike into current practices.
In this article, which includes an introduction to the relevant concepts, we recap the law and regulations which govern AdTech. We also discuss current practices and developments in the industry and consider practical steps which organisations should be taking in the short and long term to ensure that their digital advertising practices are compliant with data protection law – as we await the results of the ICO’s investigation, paused because of the pandemic but resumed in January 2021.
Current practices in the AdTech industry
AdTech is an umbrella term for digital tools which are used to deliver targeted or personalised advertising.
Real Time Bidding (RTB) is one such tool and is a process which enables publishers to sell advertising space on their website to the highest bidder in a manner which allows advertisers to target specific users and groups based on their browsing history. RTB is a rapid and highly technical process. However, in essence, the process works as follows:
- when a user visits a website, the user’s browser will send a request to the website’s content server to retrieve the content that needs to be displayed. If the content includes advertising space that needs to be filled (ie because it has not already been allocated), the response back to the user’s browser will contain code that will tell the browser to request information from the publisher’s ad server;
- the ad server will put a request out to a Supply Side Platform (SSP), which is a platform designed to facilitate the selling of ad space. The SSP will read the user’s cookie ID to identify the browser sending the request and will send that information to an ad exchange;
- the ad exchange connects the SSP with various Demand Side Platforms (DSPs). The DSPs respond with bids for the advertising space and, once the winning bid has been selected, instructions are then sent to the user’s browser detailing how to collect the advertising content;
- those instructions are passed back through the chain, until the relevant advertising materials are finally passed from the advertiser’s marketing server to the user’s browser – so that the space is filled by the time the webpage loads.
The chief compliance issue here, aside from trading and ad regulation, is in the use of personal data (in cookie IDs) to tailor such ads to the user.
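The chain described above, as a toy simulation added here (it is not code from the article or from any real SSP, exchange or DSP). The party names, bid values and the consent-gating rule are constructed assumptions of the example; the bid-request fields are the ones the article lists later (IP address, device data, site information, location, age range, gender, cookie ID). The point it makes visible is the compliance one: once the cookie is read, every party in the chain, including every losing bidder, receives the same personal data, which is the data map a DPIA has to account for.

```python
"""Toy simulation of the Real Time Bidding (RTB) chain.

Added example, not the article's code and not any real SSP/DSP software.
Party names, bid rates and field values below are constructed.
"""
from dataclasses import dataclass, field

# Bid-request fields that identify or single out the user (personal data under
# UK GDPR per the article); the remaining fields are contextual.
PERSONAL_FIELDS = {"cookie_id", "ip", "device", "location", "age_range", "gender"}


@dataclass
class Visit:
    """What the publisher's servers know about one page view (constructed)."""
    cookie_id: str
    ip: str
    device: str
    location: str
    age_range: str
    gender: str
    site: str
    site_category: str


@dataclass
class AuditTrail:
    """Records which party received which fields: a DPIA-style data map."""
    recipients: dict = field(default_factory=dict)

    def record(self, party: str, payload: dict) -> None:
        self.recipients.setdefault(party, set()).update(payload.keys())

    def parties_holding_personal_data(self) -> list:
        return sorted(party for party, keys in self.recipients.items()
                      if keys & PERSONAL_FIELDS)


def build_bid_request(visit: Visit, consented: bool) -> dict:
    """Ad-server side: assemble the bid request.

    Simplifying assumption of this example: without PECR consent the cookie
    is never read and the request carries only contextual data.
    """
    request = {"site": visit.site, "site_category": visit.site_category}
    if consented:
        request.update(cookie_id=visit.cookie_id, ip=visit.ip,
                       device=visit.device, location=visit.location,
                       age_range=visit.age_range, gender=visit.gender)
    return request


def dsp_bid(name: str, request: dict, rates: dict) -> float:
    """A DSP prices the impression. In this toy model a targetable request
    (one carrying a cookie ID) is worth double a contextual one."""
    return rates[name] * (2.0 if "cookie_id" in request else 1.0)


def run_auction(visit: Visit, consented: bool, dsps: dict, trail: AuditTrail):
    """SSP/exchange side: fan the request out to every DSP, pick the highest bid.

    Returns (winning DSP, winning bid, the request every party received).
    """
    request = build_bid_request(visit, consented)
    for party in ("ad_server", "ssp", "ad_exchange"):
        trail.record(party, request)
    bids = {}
    for dsp in dsps:
        trail.record(dsp, request)   # losing bidders still receive the data
        bids[dsp] = dsp_bid(dsp, request, dsps)
    winner = max(bids, key=bids.get)
    return winner, bids[winner], request


if __name__ == "__main__":
    visit = Visit("c-123", "203.0.113.7", "iPhone", "London", "25-34", "F",
                  "news.example", "politics")
    trail = AuditTrail()
    print(run_auction(visit, True, {"dsp_a": 1.0, "dsp_b": 1.5, "dsp_c": 0.8}, trail))
    print("parties holding personal data:", trail.parties_holding_personal_data())
```

Running it with consent shows six parties holding personal data from a single page view; running it without consent shows the same auction completing on contextual data alone, at lower bids, which is the trade-off the rest of the article discusses.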
Cookies are key to the majority of AdTech practices, including RTB.
First-party cookies are created and stored by each website a user visits. They are generally used to allow websites to collect website analytics, facilitate the general functioning of the site, and remember a user’s preferences. They cannot be used for advertising on other websites, but they can be used by publishers for that purpose within their own domain.
Third-party cookies are cookies created by domains other than the one which users intended to visit and are used in an AdTech environment to build up a picture of a user’s browsing history in order to more effectively direct adverts or advertising campaigns to individuals and/or specific groups.
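The first-party / third-party distinction above turns on whether the host setting the cookie shares a registrable domain with the site the user intended to visit. The classifier below is an added example (not from the article) of how a cookie audit might apply that test; it assumes a tiny constructed subset of the public suffix list in place of the real one from publicsuffix.org, so only the suffixes embedded here are handled correctly.

```python
"""Classify cookie-setting hosts as first- or third-party relative to the page.

Added example, not the article's code. PUBLIC_SUFFIXES is a constructed
subset standing in for the real public suffix list.
"""

PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk"}  # constructed subset


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1), e.g. 'example.co.uk' for
    'news.example.co.uk'. Scans from the longest candidate suffix down."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def is_third_party(page_host: str, cookie_host: str) -> bool:
    """Third-party if the cookie comes from a different registrable domain
    than the page the user visited."""
    return registrable_domain(page_host) != registrable_domain(cookie_host)


def classify_cookies(page_host: str, cookies) -> dict:
    """cookies: iterable of (cookie name, host that set it).
    Returns cookie name -> 'first-party' or 'third-party'."""
    return {name: ("third-party" if is_third_party(page_host, host) else "first-party")
            for name, host in cookies}


if __name__ == "__main__":
    # Constructed sample: a news site, its own subdomains, and an ad network.
    print(classify_cookies("news.example.co.uk", [
        ("session", "news.example.co.uk"),
        ("prefs", "www.example.co.uk"),
        ("uid", "ads.tracker.com"),
    ]))
```

Note that a first-party classification says nothing about purpose: a cookie set by the publisher's own domain for advertising still needs consent under PECR, so a real audit pairs this test with the purpose of each cookie.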
Device fingerprinting is another technique which is used by advertisers. It involves identifying a user’s computing device based on its unique identifiers, such as its location, IP address, operating system, apps, browsers etc. It will come as no surprise that this is one of the more controversial AdTech practices, as it can be used to effectively de-anonymise users and track everything from their initial interest in a product / service, to the point of purchase.
Overview of governing law
In the UK, AdTech is primarily governed by the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK General Data Protection Regulation (UK GDPR), as well as the ASA / CAP Code in respect of the content (and audience targeting), and consumer law / trading regulation in terms of resulting sales. This article however is focusing on the regulation of the use of personal data.
Although the UK may in due course adopt or create its own version of the draft EU ePrivacy Regulation (which is intended in time to update EU member state law in this area), PECR remains the primary legislation (although the ICO may bring fines under both UK GDPR and PECR, with the latter still capped at £500,000 but the former far higher).
Regulation 6 PECR requires as follows (our emphasis added):
“(1)… a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.”
While certain essential cookies do not require such consent, when it comes to advertising (eg RTB) this means that prior to setting the required cookies (or similar technologies such as pixels) on a user’s device, the website publisher must have obtained the user’s consent to do so. Consent under PECR must meet the UK GDPR standards of being affirmative (opt-in), specific, informed and freely given, and it must also be as easy to withdraw as it is to provide.
Under the UK GDPR, user information processed during RTB typically qualifies as personal data. The UK GDPR definition of "personal data" includes "online identifiers" and a website user is potentially identifiable from the bid-request information. This is because the average “bid-request” sent by a web page to its advertising suppliers will include: IP address; device data; information about the website; location data; and age (or age range) and gender (if known).
Website publishers are considered controllers as they have discretion over "how and why" the website user’s personal data is processed. However, relevant authorities in the UK and EU suggest that other parties in the RTB supply chain, even if they do not “see” any personal data themselves, may also be regulated as (joint) data controllers. That is because they jointly determine how the personal data is used.
RTB is a complex process, involving multiple (sometimes hundreds of) parties and servers, many of which may not be based in the UK (or even the EU). As a result, personal data is likely to be transferred internationally and organisations will need to have a lawful basis under GDPR for its processing and any international transfer. The ICO is clear that these relationships need to be supported by adequate contractual arrangements and due diligence across the chain.
ICO guidance, reports and investigations
ICO AdTech consultation
On 20 June 2019, the ICO issued a report on AdTech and real time bidding (RTB), which (amongst other things) identified industry practices which it considered were likely to breach data protection law.
Our full briefing on this report is available here. However, in summary, the ICO’s concerns as regards RTB are as follows:
Lawful basis for processing
It is important not to confuse the PECR requirement for consent to set cookies with the UK GDPR requirement to identify an appropriate lawful basis for processing. Organisations must comply with both requirements.
It is common for organisations to use legitimate interests as their UK GDPR legal basis for processing, even where they have gained consent for setting cookies to satisfy PECR.
Whilst the ICO recognises that the use of legitimate interests can be justified for particular processing activities within the RTB process, it has also stated that legitimate interests cannot be the controller’s legal basis for processing an initial website bid request – as an organisation would be unable to show that the use of personal data for this purpose:
(a) was proportionate;
(b) had a minimal privacy impact; and
(c) that data subjects would not object to the processing if they were adequately informed.
In light of the above, the ICO expressed concerns that organisations did not always have a valid lawful basis for processing users’ data.
Special category data
As the category of a website, provided for the purpose of bid requests, might relate to (amongst other possible categories) politics and health conditions, the ICO expressed concerns that inferences could be drawn about the data subject (eg their political views and health). Whether website category information could qualify as special category personal data would of course depend on the user’s reasons for accessing the web page. However, it is worth bearing in mind that the processing of special category data requires a lawful basis under Article 9 UK GDPR – meaning, in practice, that explicit consent is required.
The RTB process involves multiple organisations, each of which will process bid-request information. The ICO has expressed concern that controllers do not fully understand how personal data in a bid request is processed once sent from the website, and are therefore unable to explain this to data subjects to ensure they can exercise their data protection rights.
The ICO stated that it is not sufficient to satisfy UK GDPR accountability requirements simply to have a contract in place with the other parties in the chain: the parties must go further than this in terms of due diligence and understanding the supply chain.
Data Protection Impact Assessments (DPIAs)
The ICO expects organisations involved in RTB advertising to conduct DPIAs to show they have properly considered the risk to data subjects and how these risks can be mitigated.
The industry has countered in various ways, including that effective and fully informed consent is not practical or user-friendly to obtain to the UK GDPR standard, that consumers benefit from RTB in terms of tailored and suitable content, and that there will sometimes be legitimate and necessary reasons to process certain data (including age) for, eg, ad content compliance purposes. Although industry stakeholders have been working in consultation with the regulator on a responsible sector standard, the IAB Transparency and Consent Framework (see below), there remains distance between the ICO and the industry on this issue.
Other relevant ICO guidance on direct marketing
The March 2020 consultation draft for the new Code of Conduct (which the ICO is statutorily required to produce) deals more specifically with certain AdTech concepts such as cookies, tracking pixels, and data-matched audience targeting (eg Facebook Custom Audiences). However, in terms of RTB it simply refers out to the 2019 AdTech report. IAB UK (see again below) has published an industry response to the consultation draft here.
Regulatory vs. sector tension
Whilst in her foreword to the 2019 AdTech report the Information Commissioner acknowledged the need for a system that allows publishers to earn revenue and which can process advertising requests at speed, the seriousness and number of the ICO’s concerns about RTB practices seemed to cast doubt on the future of RTB, at least in its current form, in the UK – unless the UK were to diverge from EU law on this issue going forwards.
The ICO’s follow-up review and investigation were paused in May last year as attention shifted to the COVID-19 pandemic. That investigation resumed in January and the ICO will continue with a series of audits focusing on data management platforms. Once concluded, the ICO will publish its findings. The industry’s attention will then likely switch to enforcement – namely, how severe will it be, and which players in the sector will be targeted first – before determining its next move.
In the meantime, however, the ICO has issued a short briefing (available in full here), which passes responsibility for understanding compliance back to the sector:
“All organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency. We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs) [all linked from the page]”.
EU enforcement action
It is worth noting that data protection supervisory authorities in the EU have also been looking closely at AdTech practices for many years, following up with guidance and, in some cases, enforcement action – so far focused on “big tech” companies rather than advertisers or publishers. For example:
In February 2019, the Bundeskartellamt issued a decision prohibiting Facebook from combining users’ data from different sources (eg from WhatsApp, Instagram and other services owned by Facebook) in order to improve its targeting advertising. Amongst other reasons for its decision, the Bundeskartellamt found that Facebook did not have a lawful basis for this type of data processing, and many users were unaware of it.
IAB Transparency and Consent Framework (“IAB TCF”) 2.0
As part of its response to the ICO’s 2019 report, the Internet Advertising Bureau (IAB UK) – an industry body with a focus on digital advertising comprising media owners, agencies and brands – set out a series of actions designed to help companies engaged in RTB to understand and meet their data protection and privacy compliance obligations, covering:
(a) data security;
(b) the involvement of special category data;
(c) reliance on legitimate interests for cookies;
(d) legitimate interests assessments;
(e) data protection impact assessments; and
(f) transparency and fairness of information provided to consumers.
Key elements of the IAB TCF are, as the name suggests, the recording of a user’s consent and transparency about the use of their data. The IAB TCF sets minimum requirements in respect of the information required about disclosures of data, adherence to technical specifications and a public attestation of compliance. For example, there is a requirement to remind users of their right to withdraw consent at least every 13 months.
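The consent standard set out earlier (affirmative, specific, informed, freely given, as easy to withdraw as to give) and the TCF's 13-month reminder requirement above both reduce to a small amount of record-keeping logic. The code below is an added illustration of that logic, not the article's code and not the IAB TCF consent-string format; the cookie names, purposes and the essential-cookie set are constructed for the example.

```python
"""Minimal consent record gating non-essential cookies.

Added example, not the article's code and not the IAB TCF consent string.
Cookie names, purposes and the ESSENTIAL set are constructed.
"""
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Cookies the site cannot function without (PECR's strictly-necessary
# exemption); names are constructed for this example.
ESSENTIAL = {"session", "csrf"}
# Non-essential cookies mapped to the purpose the user was asked to consent to.
PURPOSE_OF = {"_ga": "analytics", "_adid": "advertising", "_rtb": "advertising"}
REMINDER_MONTHS = 13   # TCF: remind users of the right to withdraw at least every 13 months


def utc(year, month, day):
    """Helper so callers can build timezone-aware timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def add_months(when, months):
    """Calendar-accurate month arithmetic (clamps the day for short months)."""
    m = when.month - 1 + months
    year, month = when.year + m // 12, m % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


@dataclass
class ConsentRecord:
    """purpose -> moment of the user's affirmative opt-in.
    Absence of a purpose means no consent: there is no default opt-in."""
    granted: dict = field(default_factory=dict)

    def grant(self, purpose, when):
        self.granted[purpose] = when

    def withdraw(self, purpose):
        # Withdrawal must be as easy as granting: one call, no conditions.
        self.granted.pop(purpose, None)

    def has_consent(self, purpose):
        return purpose in self.granted

    def reminders_due(self, now):
        """Purposes whose opt-in is REMINDER_MONTHS old or older."""
        return sorted(p for p, t in self.granted.items()
                      if now >= add_months(t, REMINDER_MONTHS))


def may_set_cookie(name, record):
    """Gate for any server or client code that wants to set a cookie."""
    if name in ESSENTIAL:
        return True
    purpose = PURPOSE_OF.get(name)
    # An unknown non-essential cookie was never consented to: deny.
    return purpose is not None and record.has_consent(purpose)


if __name__ == "__main__":
    rec = ConsentRecord()
    rec.grant("advertising", utc(2021, 1, 15))
    print(may_set_cookie("_adid", rec), may_set_cookie("_ga", rec))
    print(rec.reminders_due(utc(2022, 2, 15)))
```

Consent is keyed by purpose rather than by cookie so that granting "advertising" covers every cookie declared for that purpose and nothing else, which is what "specific" means in practice.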
Whilst it does not have regulatory approval, it is increasingly common to see it referenced in contracts and cookie banners. The UK ICO remains in consultation with IAB UK about the IAB TCF and major players in the industry now participate in the framework, including Google.
Last year Google announced its intention to remove support for third-party cookies from Chrome by the end of 2022. Instead, “web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers”.
Google has also been working with the broader industry on the Privacy Sandbox to “build innovations that protect anonymity while still delivering results for advertisers and publishers”. The Privacy Sandbox is not a single product, but a host of alternative means of targeted advertising such as:
- The Federated Learning of Cohorts (FLoC). FLoC proposes a new way for businesses to reach people with relevant content and ads by clustering large groups of people with similar interests, effectively hiding individuals “in the crowd”. Users are assigned to a “flock” with similar browsing histories. By using “on-device” processing, a person’s web history remains private on their browser. Recent trials indicate that FLoC can provide an effective replacement for third-party cookies: “Our tests of FLoC to reach in-market and affinity Google Audiences show that advertisers can expect to see at least 95% of the conversions per dollar spent when compared to cookie-based advertising”.
- Fledge (Turtledove). This operates by making an ad auction decision in the browser itself rather than via various servers. The idea is to protect privacy by limiting the amount of data flowing around the ad system. If the ad bid and the targeting decisions are made at browser level, there will be less user data outside the control of the browser which can be used to develop user profiles.
Apple has similarly announced dramatic changes to protect privacy interests, including:
- “Nutrition Labels”. From 8 December 2020, before accepting new apps or app updates, Apple requires detailed information about the app’s privacy practices, including whether data is used to track users across third party apps/sites. Specifically, Apple requires companies to identify: the parties collecting user data; the types of data collected and, for each type of data, (i) the purpose of collecting that data, (ii) whether that data is linked to specific users, and (iii) whether the data is used for tracking.
- App Tracking Transparency (ATT). There is a unique device identifier on every iPhone and iPad called the “identifier for advertisers” (IDFA). Companies which sell mobile ads, including Facebook, use the IDFA to target those ads. Apple’s iOS 14.5 includes a new ATT feature, which will be turned on by default. It will force app developers to explicitly ask for permission from users to use the IDFA.
Alternatives to cookie-based advertising
Alternatives to cookie-based advertising have been developed by other players in the industry. And, given Google and Apple’s recent announcements, it is likely that this area will see further growth and development over the coming months and years. Examples of alternatives to cookie-based advertising include:
- Contextual advertising. This involves placing ads based on the content of the webpage, as opposed to the user’s browsing history. There is therefore no privacy risk, as the process does not involve the processing of any end-user data. There is also a clear potential for the technology to be further developed and enhanced by AI in the future.
- Alternative identifiers. Unified ID and LiveRamp have developed technologies which prompt users to provide their own data on visiting a website (e.g. their email addresses) which is then hashed into online identifiers that can be used across the network of publishers who adopt the technology. In this way, advertisers benefit from authenticated data that a user has provided directly, and users benefit – in theory – from clearer information about the use of their data and are able to more freely give and withdraw their consent across the network.
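The hashing step in the alternative-identifier schemes above is worth seeing in code, because it explains both their benefit and their limit. The example below is added here and is not Unified ID or LiveRamp code; the normalisation rule and the network key are assumptions of the example. An unkeyed hash of an email address is identical across every publisher, which is exactly what gives it cross-network reach, but it is also recomputable by anyone holding the address, so the resulting identifier is pseudonymised personal data rather than anonymous data. A keyed HMAC held by the identity network keeps the cross-publisher stability but cannot be reproduced by a party without the key.

```python
"""Hashed-email identifiers: unkeyed versus keyed.

Added example, not the article's code and not any vendor's implementation.
Normalisation rule and network keys are assumptions of this example.
"""
import hashlib
import hmac


def normalise_email(addr: str) -> str:
    """Assumed normalisation: trim whitespace and lower-case.
    Real schemes publish their own (eg handling of dots and plus-tags)."""
    return addr.strip().lower()


def plain_hash_id(addr: str) -> str:
    """Unkeyed SHA-256 of the normalised address.

    Stable across every publisher that adopts the same rule, so it links one
    user across the network; equally, anyone holding the address can recompute
    it, so it is pseudonymised (not anonymous) personal data.
    """
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


def keyed_id(addr: str, network_key: bytes) -> str:
    """HMAC-SHA256 under a key held by the identity network.

    Still stable within that network, but a party without the key cannot
    derive the identifier from an address it holds, nor match identifiers
    issued under a different key.
    """
    return hmac.new(network_key, normalise_email(addr).encode("utf-8"),
                    "sha256").hexdigest()


def linkable(id_a: str, id_b: str) -> bool:
    """Do two identifiers refer to the same user? (constant-time compare)"""
    return hmac.compare_digest(id_a, id_b)


if __name__ == "__main__":
    # Constructed sample: one user signing in at two publishers.
    print(linkable(plain_hash_id("Alice@Example.com"), plain_hash_id(" alice@example.com ")))
    print(linkable(keyed_id("alice@example.com", b"network-key-1"),
                   keyed_id("alice@example.com", b"network-key-2")))
```

For the controller, the practical consequence is that consent, transparency and the rest of UK GDPR apply to the hashed identifier just as they would to the address itself; hashing changes who can read the value, not whether it is personal data.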
Industry and regulatory response: Competition law v Data Protection law
AdTech is a multi-billion dollar industry, with Google’s advertising business alone estimated at around £150bn. Clearly renewed regulatory interest in the industry and the recent developments outlined above will have a significant impact not only on the future of the industry but also its value – and it is likely that smaller businesses will feel the effects of this changing landscape more acutely.
For this reason, the industry’s response to Google and Apple’s announcements has been mixed, to say the least. While some have praised these players for taking steps to protect privacy interests, others have suggested that their plans are more self-serving. For example, Apple continues to collect IDFA and it is arguable that removing ads will encourage more in-app purchases. Indeed, Mark Zuckerberg has accused Apple of making changes for competitive reasons, rather than to advance and protect users’ privacy.
Zuckerberg’s complaint arguably goes to the heart of the international regulatory response in respect of the recent developments in AdTech, namely the delicate balance to be struck between competition and privacy. As the EU Commission put it in a recent statement, “Competition law and data protection laws must work hand in hand to ensure that display advertising markets operate on a level playing field in which all market participants protect user privacy in the same manner”.
Most recently, Google’s Privacy Sandbox and AdTech practices more generally have attracted significant regulatory attention from a competition law perspective.
Earlier this year, the Competition and Markets Authority (CMA) (working closely with the ICO) took enforcement action against Google in relation to its plans to phase out third-party cookies in Chrome. The CMA was concerned that Google’s alternatives to third-party cookies could disrupt competition in digital advertising markets by forcing advertising spending to become even more concentrated within Google and thereby undermining the ability of other publishers to generate valuable revenue from cookie-based advertising.
In response, Google has offered a wide range of commitments which, if accepted by the CMA, would become legally binding in the UK. These include a commitment to limit how it will use and combine user data for the purposes of digital advertising, and a commitment not to discriminate against rivals in favour of its own advertising and ad-tech businesses.
Whilst the CMA has announced that it considers that these commitments sufficiently address its concerns, it launched a consultation with interested parties, which closed on 8 July 2021.
The European Commission (EC) has been investigating Google’s AdTech practices for a number of years and recently announced that it has opened a new, formal antitrust investigation into allegations that Google is abusing its role in the sector.
The EC investigation will consider a wide range of practices including Google’s brokering of advertisements and sharing of user data across websites and apps, and allegations that Google favours its own ad-buying tools in the auctions it runs and excludes competitors from brokering advertising buys on YouTube.
Key take-aways for controllers
All organisations (including publishers and website operators) should watch carefully for the ICO’s final report, likely to be published at some point later in 2021. They should also be building in strategic contingencies and budgeting for worst-case revenue models in a market without RTB ad revenues.
The ICO is engaging with the IAB and the wider industry and it is to be hoped that some sensible consensus can be reached on consent standards and the other compliance questions, but clearly the ICO’s findings, whatever they are, will be of great significance. In the meantime, although there is no evidence of significant ICO enforcement action, the ICO stressed in 2019 that the law applies in any event, and that “data controllers should re-evaluate their approach in this area”. It must make good sense to assess and document AdTech activities, and the privacy notices and cookie banners which are used and which can deliver a good degree of transparency to data subjects affected.
If companies implement newer technologies, such as alternatives to cookie-based advertising, it is worth remembering that these do not yet have regulatory sign-off and indeed it is likely that they will attract the attention of the ICO where potentially intrusive processing of personal data is involved. Companies will therefore need to ensure that any new technologies are implemented in a manner that accords with the key principles of data protection law: lawfulness, transparency and accountability. This begins by updating cookie banners, critically examining the lawful basis for processing personal data, and undertaking DPIAs.
In the longer-term, and more generally, it is important that marketing teams – and those responsible for the commercial side (ie contracting with suppliers) – are well-educated about data protection law and the considerations to be borne in mind when launching advertising campaigns and implementing AdTech. Companies would be advised to regularly train their staff, to mitigate the risk of data breaches and ensure compliance with data protection law and the ICO’s guidance and recommendations in this area.
Please do contact the data protection team at Farrer & Co if you have any questions about AdTech or wider marketing or data protection compliance.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2021