data bytes 21 27 Jan 2020 Ad tech and data protection:  Addressing key challenges

Introduction

Despite its relative maturity, the ad tech industry has been hit hard by the changes introduced under the General Data Protection Regulation 2016/679 ("GDPR"). It's an industry powered by cookies, the use of which often involves the processing of personal data. The current lack of clarity between the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") and the GDPR is an additional challenge for the industry. 

In June 2019, the Information Commissioner's Office ("ICO") issued an updated report into ad tech and real time bidding¹  ("RTB") (the "ICO Report"). The report identified a number of areas in which it feels data protection practices need to change. 

In this article we examine what personal data processing is taking place in the RTB process, outline some of the key data protection challenges highlighted in the ICO Report and suggest practical steps to address them.

What is RTB?

RTB is an auction process that occurs in "real time" to sell visual advertising in digital channels (such as websites and apps). 

In essence, RTB involves an operator of a digital channel (a "Publisher") selling space in their channel to display a third party's content ("Advertisers"). The space is sold through real time bids on a per visitor basis. 

The RTB process relies on cookies or related technologies, such as pixels, that collect information from a visitor's device when they visit a Publisher's channel. A visitor's cookie information is often enriched by a data management platform ("DMP"), which collates it with other known (or inferred) information about them ("Visitor Data"). Visitor Data may contain varying amounts of personal data. 

Multiple Advertisers place bids for digital adverts to individual visitors in the available space of the Publisher's channel, basing each bid on the visitor's particular Visitor Data. 

Advertisers rely on the RTB process to maximise the value of their bids, because the Visitor Data enables them to target their advertising in channels that are most relevant to each individual visitor. 

RTB ecosystem 

Set out below (Figure 1) is an overview of the range of parties who are commonly involved in the RTB process ("RTB Participants").

Figure 1:

Privacy and Electronic Communications Regulation (PECR) and the GDPR

In the UK, PECR and the GDPR are the primary data protection regimes governing RTB participants. PECR regulates privacy in electronic communications, imposing specific rules about the use of cookies and related technologies on an end user's device. 

Where the setting of a cookie involves the processing of personal data, both the GDPR and PECR must be complied with.

Data protection challenges 

Below we discuss four data protection challenges identified in the ICO Report and outline some practical steps for RTB participants to consider. 

1. Lawful basis for processing personal data 

Where personal data is processed by an RTB participant, a lawful basis is required under article 6 of the GDPR. The ICO Report stated that, due to the nature of the processing, consent of the end user is the only lawful basis under GDPR that can be relied on to process personal data for the RTB auction process². However, this is not consistent with the current industry approach and there is a lack of clarity over which lawful basis many RTB participants currently rely. 

In addition, the lawful basis relied on to process personal data in connection with ancillary activities within the RTB process, such as processing by Advertisers, DSPs and SSPs, also needs to be carefully assessed. 

RTB participants, will also need to comply with the requirements of PECR which state that consent is required in order to "drop" advertising-related cookies on a user's device³. 

In practice 

RTB participants should:

• review the lawful basis relied on for their data processing activities in the RTB process and document this review;
• where consent is relied on as a lawful basis, ensure that it meets the GDPR standard (i.e. unambiguous, specific and freely given)⁴; and
• where a CMP's consents are relied by other RTB participants, determine whether such consents meet the GDPR standard.

2. Special category personal data

For any processing of special category personal data, including information about an individual's political opinions, religion, health information or ethnic group, the GDPR requires the explicit consent of the individual to be obtained⁵. The ICO Report identified⁶  that a proportion of RTB bid requests involve the processing of special category personal data, and found that consent requests for this processing which it had reviewed did not meet the GDPR's standard for explicit consent. 

In practice

RTB participants should identify whether it collects/processes any special category personal data in respect of its RTB activities, and if it does:

• consider whether that processing is necessary for the bid-request or whether it can be removed; and
• ensure that explicit consent is obtained from end users which meets the GDPR standard (see 1 above). 

3. Clear information on processing 

The GDPR requires transparency in relation to how personal data is processed. Articles 13 and 14 of the GDPR set out specific information which must be provided to individuals in clear and plain language. This is challenging for RTB participants due to the complex processing involved, typically across multiple organisations as well as automated processing for various purposes such as targeting, fraud prevention, analysis and measurement. 

Regulation 6(2) of PECR also requires clear and comprehensive information is given about the cookies and other technologies which are dropped on a device. 

In practice

RTB participants should: 

• review their fair processing notices to ensure they are clear about what processing is taking place, the purpose of the processing and with whom personal data is shared; and
• conduct a cookie audit, including a review of cookie notices and banners and updating them where relevant, to ensure they are accurate and identify the purposes and duration of the cookies used.

4. Avoiding intrusive and unfair processing

During the RTB process, bid request information is often combined and enriched by creating a profile of an end user using information gathered from other sources such as DMPs. 

This may constitute unfair and intrusive processing if the quantity and nature of the personal data being processed as part of that enrichment is disproportionate to the purpose of delivering targeted advertising. 

Pursuant to Article 35(4) of the GDPR, the ICO has published a list of processing operations⁷  likely to require a data protection impact assessment ("DPIA"). These include data matching for the purposes of direct marketing. 

In practice 

• RTB participants should assess and mitigate risks associated with data enrichment. These should be documented in a DPIA. Where such risks cannot be mitigated, the RTB participants should cease carrying out data matching activities.

Conclusion

The ICO recognises that ad tech industry is a complex and intertwined ecosystem. Because of this, the ICO is giving the industry time get its act together and is working with industry to address some of the complex issues. However, there is little doubt the ICO expects to see change. 

Enforcement action will come if improvements don't. RTB participants should therefore not wait, and would be well advised to start reviewing (and where applicable remediating) their data protection practices in light of the ICO Report. 

Byte-sized news

• EDPB releases GDPR territorial scope guidelines: The European Data Protection Board (EDPB) has released the finalised version of its guidelines on the territorial scope of the GDPR. The EDPB originally published a version of the guidelines for public consultation in November 2018 and they are intended to establish a harmonised interpretation of article 3 of the GDPR by EU data protection supervisory authorities.
• German DPA fines ISP €9.6 million: Germany's Federal data protection authority (German DPA) fined (available in German only) 1&1 Telecommunications, a German biggest internet service provider (ISP), for its failure to put in place "sufficient technical and organizational measures" to protect customer personal data in its call center operations as required under article 32 GDPR. The fine came after the German DPA discovered that callers to the call center could retrieve personal data about an individual simply by giving the individual's name and date of birth. This was considered to be an insufficient level of authentication for protecting customer personal data.
• ICO updates guidance on special category personal data: The ICO has published updated guidance on special category personal data. The guidance includes explanations and examples of each of the conditions for processing special category personal data under article 9(2) of the GDPR and how the provisions of the Data Protection Act 2018 relate to these conditions. The guidance makes clear that a condition under article 9(2) of the GDPR as well as a lawful basis under article 6 of the GDPR is required in order to process special category personal data.

With thanks to Tom Brookes and Clive Wong for their contributions.

1. ICO updated report into ad tech and real time bidding, available at: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
2. ICO Report page 18 section 3.3.
3. Regulation 6 of PECR.
4. Article 7 of the GDPR and recital 32.
5. Article 9 of the GDPR. Specific exemptions can apply, but are not applicable to the RTB process.
6. ICO Report page 16 section 3.2.
7. ICO Guidance on Examples of processing 'likely to result in a high risk' available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/