The ICO has released an update report that is critical of adtech and Real-Time Bidding (RTB) industry practices. RTB is a means by which online advertising inventory is bought and sold on a per-impression basis, often based on the profile and personal data of the viewer of the intended advert.
The ICO’s main concerns are:
- controllers should be seeking consent rather than relying on legitimate interests as the lawful basis for processing;
- some processing may involve special category data for which explicit consent would be the only available lawful basis;
- there is a lack of transparency over how data subjects’ personal data is being used; and
- controllers must be more pro-active in auditing suppliers and not solely relying on contractual obligations to ensure data protection compliance.
The ICO will continue to consult with the adtech sector and undertake a further industry review in late 2019 / early 2020; however, many of the key points are now reflected in the ICO’s updated guidance on cookies and similar technologies.
RTB advertising and privacy law
RTB advertising is governed by two main privacy laws: the Privacy and Electronic Communications Regulations (PECR) and the General Data Protection Regulation (GDPR).
Regulation 6 PECR states that an organisation must gain the subscriber’s (or user’s) consent to "store information, or to gain access to information stored, in the terminal equipment of a subscriber."
In practice, this means that prior to setting the cookies (or similar technologies) required for RTB advertising on a user’s device, the website publisher must have obtained the user’s consent (typically through a cookies banner). Consent under PECR must meet the GDPR standards of being specific, informed and opt-in. Consent must also be as easy to withdraw as it is to provide.
PECR is due to be replaced by the ePrivacy Regulation which is unlikely to be in force until at least the end of 2020 (it is expected that organisations will be given at least a year’s notice once the final draft is agreed). The latest draft of the ePrivacy Regulation removes the requirement for cookie banners for audience measurement purposes; however, website publishers will remain responsible for obtaining consent for setting advertising cookies.
Under GDPR, user information processed during RTB typically qualifies as personal data. This is because the average "bid request" sent by a web page to its advertising suppliers will include: IP address; device data; information about the website; location data; and age (or age range) and gender (if known). The GDPR definition of "personal data" includes "online identifiers", and a website user is potentially identifiable from the bid request information.
Website publishers are considered controllers as they have discretion over the "how and why" the website user’s personal data is processed.
What are the ICO’s main concerns?
Confusion between PECR and GDPR requirements
Many organisations confuse the PECR requirement for consent to set cookies with the GDPR requirement to identify an appropriate lawful basis for its processing. Organisations must comply with both PECR and GDPR.
Consent should be the lawful basis under GDPR Article 6
It is common for publishers to use legitimate interests as their GDPR lawful basis for processing, even where they have gained consent for setting cookies to satisfy PECR.
The ICO recognises that the use of legitimate interests can be justified for particular processing activities within the RTB process. However, the ICO states that legitimate interests cannot be the controller’s lawful basis for processing the initial website bid request, as the controller would be unable to show that the use of personal data for this purpose:
- was proportionate;
- had a minimal privacy impact; and
- was processing that data subjects would not object to if they were adequately informed.
These views are not wholly accepted by the advertising and publishing industries, although it is difficult to see the ICO changing its analysis. A frustration raised with the ICO’s approach is that GDPR compliant consent would appear to require very detailed consent wording and multiple opt-in tick-boxes. In addition, any third party supplier relying on the user’s consent must be specifically named in the consent wording; as discussed below, multiple players are typically involved in processing a single bid request. Obtaining valid consent could result in "consent fatigue" and diminish the user experience.
Website publishers seem particularly exposed in terms of non-compliance. Adtech suppliers involved in subsequent processing often require the website publisher to obtain consent, or at least "such necessary consents as are required", from the website user to allow the supplier to process the user’s data.
Processing special category data without explicit consent
A bid request may also specify the category of website involved. This enables both the targeting of suitable adverts and the exclusion of unsuitable adverts. The ICO notes that some standardised categories relate to politics and health conditions (citing the example of cardiovascular disease), which potentially correlate to "special category" personal data points about an individual. Whether website category information could qualify as special category personal data would appear to depend on the user’s reasons for accessing the web page, although the ICO is concerned that inferences could be drawn about the data subject (e.g. their political views and health conditions). Processing of special category data requires a lawful basis under Article 9 GDPR, meaning in practice explicit consent, which would be very difficult for website publishers to validly obtain.
Transparency and the ability to exercise data subject rights
The RTB process often involves multiple organisations (sometimes hundreds), each of which will process the bid request information. The ICO is concerned that controllers do not fully understand how the personal data contained in a bid request is processed once it has been sent from the website. Controllers must fully understand how their processing operations work, be able to explain this clearly to data subjects, and ensure that individuals can exercise their data protection rights.
The ICO states that a contract-only approach to ensuring data protection compliance (whether on the part of one’s processors, clients or service providers) is not sufficient to satisfy GDPR accountability requirements: contractual terms need to be backed up by more proactive measures, including monitoring and auditing.
Data Protection Impact Assessments (DPIAs)
DPIAs must be conducted where there is a high risk to the rights and freedoms of individuals. The ICO expects organisations involved in RTB advertising to conduct DPIAs to show that they have properly considered the risks to data subjects and how those risks can be mitigated.
ICO enforcement and future developments
The report states that the ICO will continue to develop its understanding of the adtech sector. It intends to undertake a further review towards the end of 2019 and produce a further update report in 2020.
To date, the ICO has not been pro-active in enforcing the law on cookies and RTB advertising, perhaps partly because it was waiting for the ePrivacy Regulation to come into force.
The ICO expects controllers to take action to re-evaluate their approach to privacy notices, their use of personal data and their lawful bases for processing. The ICO states it will provide organisations with "an appropriate period of time" (without specifying how long) to adjust practices after which it will expect controllers and market participants to address the above concerns.
In the meantime, the advertising industry body IAB Europe has developed an updated version 2 of its Transparency and Consent Framework (TCF), which it hopes will provide a model for compliance that will be accepted by the ICO. Other significant players, such as Google, are likely to develop their own products in an attempt to resolve the ICO’s concerns.
Conclusion and recommendations
The hard-line approach in the ICO’s report has taken many in the adtech industry by surprise, although the report came out before the new TCF was finalised. The ICO would argue, in response, that adtech has escaped serious enforcement action to date and the report was only following current EU guidance and reflecting the requirements of GDPR.
The ICO has stated that it recognises how important online advertising is for certain online sectors such as the publishing industry, yet it remains to be seen how RTB advertising can be fully compliant with GDPR requirements (such as consent standards) and continue in the same manner.
Organisations are encouraged to undertake a DPIA of their RTB activities to develop a deeper understanding of what is involved from a processing perspective. As ever, a review of privacy notices and cookie banners is also necessary to ensure sufficient transparency and to clearly identify the lawful bases for processing.
If you require further information about anything covered in this briefing note, please contact David Morgan, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, September 2019