Ad tech and data protection: Addressing key challenges
Introduction
Despite its relative maturity, the ad tech industry has been hit hard by the changes introduced under the General Data Protection Regulation 2016/679 ("GDPR"). It's an industry powered by cookies, the use of which often involves the processing of personal data. The current lack of clarity between the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") and the GDPR is an additional challenge for the industry.
In June 2019, the Information Commissioner's Office ("ICO") issued an updated report into ad tech and real time bidding1 ("RTB") (the "ICO Report"). The report identified a number of areas in which the ICO feels data protection practices need to change.
In this article we examine what personal data processing is taking place in the RTB process, outline some of the key data protection challenges highlighted in the ICO Report and suggest practical steps to address them.
What is RTB?
RTB is an auction process that occurs in "real time" to sell visual advertising in digital channels (such as websites and apps).
In essence, RTB involves an operator of a digital channel (a "Publisher") selling space in their channel to third parties ("Advertisers") to display their content. The space is sold through real time bids on a per visitor basis.
The RTB process relies on cookies or related technologies, such as pixels, that collect information from a visitor's device when they visit a Publisher's channel. A visitor's cookie information is often enriched by a data management platform ("DMP"), which collates it with other known (or inferred) information about them ("Visitor Data"). Visitor Data may contain varying amounts of personal data.
Multiple Advertisers place bids to show digital adverts to individual visitors in the available space of the Publisher's channel, basing each bid on the visitor's particular Visitor Data.
Advertisers rely on the RTB process to maximise the value of their bids, because the Visitor Data enables them to target their advertising in channels that are most relevant to each individual visitor.
RTB ecosystem
Set out below (Figure 1) is an overview of the range of parties who are commonly involved in the RTB process ("RTB Participants").
Figure 1:
| RTB Participant | Description |
|---|---|
| Publisher | Organisations who have advertising space (inventory) on their websites, platforms and apps to sell to Advertisers. |
| Advertising Exchanges and Servers | The location where RTB takes place. Mediates between Publishers and Advertisers and operates on both buy and sell sides. |
| Advertiser | Organisations who want to broadcast information on their products and services to consumers on a Publisher's inventory. |
| Sell Side Platform ("SSP") | Platform to help Publishers manage and sell their inventory. |
| DSP | Platform used by Advertisers to place bids for inventory space on Publisher's websites, platforms and apps. |
| DMP | Platform which analyses and combines data, including personal data, from multiple sources to facilitate targeted advertising personalised to an individual consumer. |
| Consent Management Platform ("CMP") | A tool which manages consents e.g. of individuals using a Publisher's website, platform or app. |
Privacy and Electronic Communications Regulation (PECR) and the GDPR
In the UK, PECR and the GDPR are the primary data protection regimes governing RTB participants. PECR regulates privacy in electronic communications, imposing specific rules about the use of cookies and related technologies on an end user's device.
Where the setting of a cookie involves the processing of personal data, both the GDPR and PECR must be complied with.
Data protection challenges
Below we discuss four data protection challenges identified in the ICO Report and outline some practical steps for RTB participants to consider.
1. Lawful basis for processing personal data
Where personal data is processed by an RTB participant, a lawful basis is required under article 6 of the GDPR. The ICO Report stated that, due to the nature of the processing, consent of the end user is the only lawful basis under GDPR that can be relied on to process personal data for the RTB auction process2. However, this is not consistent with the current industry approach and there is a lack of clarity over which lawful basis many RTB participants currently rely on.
In addition, the lawful basis relied on to process personal data in connection with ancillary activities within the RTB process, such as processing by Advertisers, DSPs and SSPs, also needs to be carefully assessed.
RTB participants will also need to comply with the requirements of PECR, which state that consent is required in order to "drop" advertising-related cookies on a user's device3.
In practice
RTB participants should:
- review the lawful basis relied on for their data processing activities in the RTB process and document this review;
- where consent is relied on as a lawful basis, ensure that it meets the GDPR standard (i.e. unambiguous, specific and freely given)4; and
- where a CMP's consents are relied on by other RTB participants, determine whether such consents meet the GDPR standard.
2. Special category personal data
For any processing of special category personal data, including information about an individual's political opinions, religion, health information or ethnic group, the GDPR requires the explicit consent of the individual to be obtained5. The ICO Report identified6 that a proportion of RTB bid requests involve the processing of special category personal data, and found that consent requests for this processing which it had reviewed did not meet the GDPR's standard for explicit consent.
In practice
RTB participants should identify whether they collect or process any special category personal data in respect of their RTB activities, and if they do:
- consider whether that processing is necessary for the bid-request or whether it can be removed; and
- ensure that explicit consent is obtained from end users which meets the GDPR standard (see 1 above).
3. Clear information on processing
The GDPR requires transparency in relation to how personal data is processed. Articles 13 and 14 of the GDPR set out specific information which must be provided to individuals in clear and plain language. This is challenging for RTB participants due to the complex processing involved, typically across multiple organisations as well as automated processing for various purposes such as targeting, fraud prevention, analysis and measurement.
Regulation 6(2) of PECR also requires that clear and comprehensive information be given about the cookies and other technologies which are dropped on a device.
In practice
RTB participants should:
- review their fair processing notices to ensure they are clear about what processing is taking place, the purpose of the processing and with whom personal data is shared; and
- conduct a cookie audit, including a review of cookie notices and banners and updating them where relevant, to ensure they are accurate and identify the purposes and duration of the cookies used.
4. Avoiding intrusive and unfair processing
During the RTB process, bid request information is often combined and enriched by creating a profile of an end user using information gathered from other sources such as DMPs.
This may constitute unfair and intrusive processing if the quantity and nature of the personal data being processed as part of that enrichment is disproportionate to the purpose of delivering targeted advertising.
Pursuant to Article 35(4) of the GDPR, the ICO has published a list of processing operations7 likely to require a data protection impact assessment ("DPIA"). These include data matching for the purposes of direct marketing.
In practice
- RTB participants should assess and mitigate risks associated with data enrichment. These should be documented in a DPIA. Where such risks cannot be mitigated, the RTB participants should cease carrying out data matching activities.
Conclusion
The ICO recognises that the ad tech industry is a complex and intertwined ecosystem. Because of this, the ICO is giving the industry time to get its act together and is working with industry to address some of the complex issues. However, there is little doubt the ICO expects to see change.
Enforcement action will come if improvements don't. RTB participants should therefore not wait, and would be well advised to start reviewing (and where applicable remediating) their data protection practices in light of the ICO Report.
Byte-sized news
- EDPB releases GDPR territorial scope guidelines: The European Data Protection Board (EDPB) has released the finalised version of its guidelines on the territorial scope of the GDPR. The EDPB originally published a version of the guidelines for public consultation in November 2018 and they are intended to establish a harmonised interpretation of article 3 of the GDPR by EU data protection supervisory authorities.
- German DPA fines ISP €9.6 million: Germany's Federal data protection authority (German DPA) fined (available in German only) 1&1 Telecommunications, one of Germany's biggest internet service providers (ISP), for its failure to put in place "sufficient technical and organizational measures" to protect customer personal data in its call center operations as required under article 32 GDPR. The fine came after the German DPA discovered that callers to the call center could retrieve personal data about an individual simply by giving the individual's name and date of birth. This was considered to be an insufficient level of authentication for protecting customer personal data.
- ICO updates guidance on special category personal data: The ICO has published updated guidance on special category personal data. The guidance includes explanations and examples of each of the conditions for processing special category personal data under article 9(2) of the GDPR and how the provisions of the Data Protection Act 2018 relate to these conditions. The guidance makes clear that a condition under article 9(2) of the GDPR as well as a lawful basis under article 6 of the GDPR is required in order to process special category personal data.
With thanks to Tom Brookes and Clive Wong for their contributions.
1. ICO updated report into ad tech and real time bidding, available at: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
2. ICO Report page 18 section 3.3.
3. Regulation 6 of PECR.
4. Article 7 of the GDPR and recital 32.
5. Article 9 of the GDPR. Specific exemptions can apply, but are not applicable to the RTB process.
6. ICO Report page 16 section 3.2.
7. ICO Guidance on Examples of processing 'likely to result in a high risk' available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.