ICO’s report on ad-tech and real-time bidding
With thanks to a friend and Data Privacy expert, who recently shared the UK Information Commissioner's Office's (ICO) report into ad-tech[1] and real-time bidding (RTB)[2], below is my summary of the report. While the Commissioner’s executive summary in the report gives a very good overview, my version is shorter[3]:
After an industry-wide review, the ICO found ad-tech’s lack of express consent to the storage, sharing and processing of personal data in RTB to be problematic. The two main issues (in my opinion) are a lack of: (i) proper consent; and (ii) DPIAs[4].
Consent
PECR[5] takes precedence over the GDPR when it comes to the use of cookies[6] and requires data controllers to provide “clear and comprehensive information” and obtain prior consent[7]. The ICO found a lack of prior consent across the ad-tech industry, with organisations attempting to rely on the ‘legitimate basis’ alternative[8] instead. It’s fair to say the ICO sees this reliance as a pretty shaky basis for such wide data processing and sharing[9]... and a reliance which totally ignores PECR.
DPIAs
The ICO found that many ad-tech players were not conducting DPIAs. Both the GDPR and ICO guidance mandate that DPIAs must be conducted for systematic profiling and large-scale processing, both of which apply to RTB[10]. This has resulted in a clear lack of ‘privacy by design’.
Next steps
The ICO will now begin a further process of ad-tech stakeholder engagement, and some commentators believe that the ad-tech industry has effectively been put “on notice” for individual investigations (and fines) to follow a further ICO review in 6 months’ time and publication of such review’s report (anticipated 2020). The message, to my mind, is “conduct your DPIAs, reduce the scope of the data and get consent”, but whether the industry will listen before the regulator starts enforcement[11] remains to be seen.
Footnotes
[1] Ad-tech (advertising technology) is a general term for the digital tools^ that facilitate the provision of online advertising^^.
^Including the hardware and servers that underpin them.
^^Including (without limitation) transactions between advertisers and publishers and delivery of content to be viewed.
[2] RTB can be summarised as “the process that takes place as a webpage is being loaded whereby advertisers automatically place bids up to a maximum they are willing to spend^ to fill any pre/mid-roll video advertising and/or static digital ad slots^^”.
^ Based on the page being loaded and the information known about who is accessing such page.
^^ Banners, skyscrapers etc.
[3] Albeit with these copious footnotes; I’ve been reading a lot of David Foster Wallace.
[4] Data protection impact assessments – see Article 35 GDPR. A DPIA should be carried out where processing of personal data is “likely to result in a high risk” to the rights and freedoms of natural persons. Article 35(3) requires DPIAs to be conducted if there is: (i) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (ii) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (iii) a systematic monitoring of a publicly accessible area on a large scale.
[5] The Privacy and Electronic Communications (EC Directive) Regulations 2003.
[6] The data-gathering power of cookies being fundamental to ad-tech offering demographically segmented/special-interest ‘page viewers’ up for bidding by advertisers.
[7] To GDPR standards.
[8] Recital 40 GDPR: “In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
[9] RTB can involve the ‘profile’ of a page viewer being shared with hundreds of bidders, and such profiles can vary in terms of the ‘special category^’ personal data they contain.
^ Basically, ‘very sensitive’ data, which requires ‘explicit’ consent for processing/storage etc. The GDPR’s non-exhaustive list includes: (i) race and ethnic origin; (ii) religious or philosophical beliefs; (iii) political opinions; (iv) trade union memberships; (v) biometric data used to identify an individual; (vi) genetic data; (vii) health data; and (viii) data related to sexual preferences, sex life, and/or sexual orientation.
[10] Supra note 9.
[11] It is anticipated that the larger players will be hit first (if at all).
Boring disclaimer - I've written the above in my personal capacity (as a legal nerd) for information purposes only and it is not intended to be legal advice. I make no warranty of any kind and will not be responsible for any actions (or inactions) if anyone is foolish enough to rely on my writing.