With many of us around the world spending more time in our homes and at our computers, the world of online advertising and adtech is going to be increasingly important. This article looks at the rise of real time bidding and the ICO’s approach to this technology.
Adtech is a term used to describe tools that analyse and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions. Real time bidding is one of the tools in use in the adtech industry.
Real time bidding (or RTB) allows advertisers the opportunity to bid for online ad spaces in order to deliver relevant, targeted advertising to consumers in under a second. Algorithms are used to identify the most relevant advertising content for each individual based on set parameters, such as price ranges or demographics, and the auction process is operated through a fully-automated sequence of bids. It is just one form of online advertising, but it is particularly popular due to the revenue potential it presents.
Some of the main advantages associated with real time bidding are its cost effectiveness (pay per impression rather than bulk purchase), scalability, data collection and the flexibility to adapt bid parameters to ensure that target audiences are reached.
Following a review launched in February 2019, the Information Commissioner’s Office (ICO) published its updated report into adtech and real time bidding in June 2019. Due to its complexity, and outstanding data protection issues, adtech is once again in the ICO’s line of sight and has been featured in their recent blog.
The ICO considers that those advertisers who have failed to address the issues raised in their guidance last year will be operating in breach of data protection law.
What did the 2019 report say?
The guidance considered the proportionality of “one visit to a website […] resulting in a person’s personal data being seen by hundreds of organisations” in order for advertisers to increase traction with their target market. Unsurprisingly, the ICO did not find the balance being struck between the parties’ interests to be acceptable.
Real-time bidding relies on the automated processing of the personal data contained in ever-growing personal data profiles. The ICO’s research shows that data subjects are often unaware that this method of marketing, or these personal data profiles, exist. This drew the attention of the ICO and led them to identify real-time bidding as posing a potential risk to the rights and freedoms of individuals.
In particular, the report highlighted the following concerns:
1. A lack of consent from data subjects and of transparency from businesses
The majority of the personal data processed during real time bidding is captured by cookies and many businesses are relying on legitimate interests in order to process this data. Legitimate interests is only available as a lawful basis for processing if consent is not required under the Privacy and Electronic Communications Regulations (PECR).
The PECR does require data subject consent before organisations capture and process personal data via cookies. For consent to the processing of personal data to be valid, it must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes […] by a clear affirmative action” that they agree to the processing of their personal data. As most data subjects do not know that this type of processing is taking place, or understand real time bidding, they cannot provide consent to this type of processing. This means that many organisations are not currently meeting their obligations under the PECR or the GDPR in this respect.
In addition, the data profiles created for real time bidding auctions often contain special category data. Processing this kind of data is prohibited under the GDPR unless an exemption applies. In this instance, the only possible exemption appears to be consent.
2. The lack of guarantees surrounding data security
The personal data profiles created and shared in the real time bidding process are continuously re-shared and expanded by hundreds of organisations. This means it is currently almost impossible to trace where the personal data has been disseminated and re-used. It is also very difficult for an organisation to assess whether each future recipient complies with its obligations under the GDPR.
Historically, businesses have been happy to rely on contractual terms saying that the recipient has sufficient organisational and technical measures in place to ensure the safety of the personal data they receive. However, the ICO’s report makes it clear that they do not consider this to be compatible with controllers’ accountability obligations under the GDPR.
So what is expected from organisations?
Accountability
Under article 5(2) of the GDPR, data controllers must be able to demonstrate their compliance with data protection legislation (the principle of accountability). The ICO’s report explains this means that “organisations must understand, document and be able to demonstrate:
- How their processing operations work;
- What they do;
- Who they share the data with; and
- How they can enable individuals to exercise their [data] rights”.
In many instances, it may not currently be possible for organisations relying on real time bidding to demonstrate their compliance with the GDPR due to the opaque nature of the data supply chain.
Better information for consumers
In order to give consent, data subjects need to understand what happens to their data. Due to the lack of education on real time bidding in the consumer market, the standard of the information that needs to be provided to consumers in order for them to give their consent is high. Careful thought should go into how you bring these practices to consumers’ attention.
Businesses do not need to obtain data subjects’ consent to the use of real time bidding. However, as most of the data profiles used as part of the auction have been created using information captured by cookies or similar technologies, you must obtain prior consent to their use from the data subjects whose devices they are placed on.
Where cookies are being used, you are required to provide clear and comprehensive information about the nature and purposes of those cookies to data subjects. This can be achieved through your cookie policy.
Carry out due diligence on processors
Data processors are required to have appropriate technical and organisational measures in place to protect personal data against unauthorised and unlawful processing, and against accidental loss, damage or destruction.
If we think back to the accountability principle, organisations relying on real time bidding have an obligation as data controllers to ensure they understand how their processor’s operations work, and how and with whom the personal data will be shared (and potentially augmented).
This means that it is the controller’s obligation to undertake appropriate monitoring and to ensure that any contractual terms claiming that a processor has sufficient organisational and technical measures in place to ensure the safety of the personal data they receive are accurate.
Data Protection Impact Assessments
Whenever new technologies are being used, or where processing is likely to result in a risk to the rights and freedoms of individuals, organisations should be carrying out a Data Protection Impact Assessment (DPIA).
Real time bidding requires large scale processing of personal data, which often contains special category data (for example relating to health and sexuality) and is invisible to the relevant data subjects. The data is often subject to international transfers and there is a risk that the data will be shared in unintended ways. This means that there is likely to be a risk to the rights and freedoms of individuals and that DPIAs should be carried out.
What about other types of adtech and affiliate marketing?
Whilst the ICO have focussed their recent investigations on real time bidding, they stated in the 2019 report: “Our prioritisation of both RTB and the above issues in this report is not an indication that we think other areas in adtech and online advertising are ‘issue-free’ in terms of data protection”. Many of the issues highlighted in the report will apply equally to other areas of adtech and affiliate marketing. In the report the ICO also state that “RTB isn’t the only aspect of adtech that we’re looking into”, so we would encourage the wider industry to review the report and its findings and keep abreast of the developments in this area, which will have wider application. As adtech relies heavily on the use of cookies, it is important that businesses obtain valid consent to placing cookies on users’ devices. The ICO issued new guidance in July 2019 making it clear that implied consent to the use of cookies was no longer sufficient, but many websites are still failing to comply.
Next Steps
The ICO says it has received commitments from several UK advertising trade bodies to produce guidance for their members, and the ICO has committed to continue to engage with industry to protect data subjects. In particular, the Internet Advertising Bureau UK has provided a full response to the ICO’s report and has committed to develop guidance for its members.
The ICO continues to urge all organisations involved in real time bidding to review processes, systems and documentation. This includes privacy by design considerations and ensuring that you follow this approach when using (or creating) real time bidding services.
We can expect industry-specific guidance, a regulatory response and increased scrutiny from the ICO in the coming months. In the meantime, our specialist data protection team can advise you on privacy by design, consumer rights, algorithmic decision making and the implementation of the ICO’s guidance on real time bidding.