Introduction
Amongst other things, Simon McDougall, the ICO’s Executive Director of Technology and Innovation wrote the following in his recent ICOThe United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. blog posted on January 17th, 2020.
“The AdTechAdvertising Technology: The use of digital tools and analytics for the delivery of advertising. real time bidding industry is complex, involving thousands of companies in the UK alone…
There is a significant lack of transparency due to the nature of the supply chain…
Our [the ICO] June 2019 report identified a range of issues….
We [the ICO] are confident that any organisation that has not properly addressed these issues risks operating in breach of data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data..”
For many AdTech companies the increasing risks from ICO enforcement could seriously impact their new and valuable business models.
Understanding the complexity
Serious stuff, but for many, the technology behind real time bidding (RTB) is still complex and baffling. The AdTech industry is awash with acronyms and “industry speak”. Even published explanations of how the technology works are difficult to understand by those who are not in the know.
To help explain the complexity its worth standing back and thinking about what is happening:
Real Time Bidding
So, there is a huge market for online advertising space, but how do advertisers access it? This is where Real Time Bidding comes in, however the technological challenges to realise it are considerable:
And all this happens in milliseconds as pages are loading and advertising space opportunities created.
There are multiple ad networks and technologies – Supply Side PlatformsPlatforms used by website publishers to optimise and sell ad space in an automated and efficient way. (SSPs), Content Delivery NetworksGeographically distributed group of servers working together to provide delivery of web content. (CDNs), Ad Exchanges, agency trade desks, Data Management Platforms (DMPs), Demand Side Platforms (DSPs). Details of how these technologies work is beyond the scope of this blog but a key distinguishing feature of AdTech is the ability to use online profiles, often compiled and augmented from many multiple sources to deliver targeted adverts based on personal profiles, behaviours and activities.
It all means huge amounts of data are exchanged in real time between multiple technologies and providers. Much of this is personal data including special category data covered by Article 9 of the GDPR.
Lack of transparency, uncertain security and ill-defined lawful bases
The GDPR requires transparency. Individuals should be able to understand how, why, where and by whom their personal dataInformation which relates to an identified or identifiable natural person. is being processed. Unless there is an alternate lawful basis for processing, they should provide consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. for processing and sharing any personal data they provide. This consent should be explicit if the data is high risk special category data as defined in the GDPR’s Article 9.
The complexity and length of the Real Timing Bidding supply chain makes mapping the data flows extremely difficult. So, making the processA series of actions or steps taken in order to achieve a particular end. transparent and explaining to the average consumer how their personal data is used becomes extremely challenging.
Given the scale and speed of processing personal data between multiple sources, platforms and data sets, there’s often uncertainty as to the security of the data; there are real dangers that data can leak or be stolen, that processors can access data unlawfully or use it for unintended purposes.
Much of the AdTech industry is ultimately centred on consumer advertising. By the nature of the process, data must be shared with third parties and may contain special category dataTypes of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic data • biometric data • health • sex life • sexual orientation Where these types of personal.... Almost without exception, the only appropriate lawful basis of the possible six defined in the GDPR is identifiable consent, but if their personal data is being transferred between unknown platforms in ways data subjectAn individual who can be identified or is identifiable from data.s don’t understand, then it’s hard (if not impossible) for consumers to provide the necessary informed consent for this to occur. Legitimate Interest is often claimed as the legal basis for these transfers, however authorities such as the UK’s Information Commissioners Office (ICO) have already warned this is not appropriate.
In these circumstances it’s hardly surprising that the ICO and other EU supervisory authorities have real and serious concerns about the AdTech industry’s practices It explains why they are making increasingly unveiled threats about pursuing enforcement actions if the industry does not start to reform its practices.
What does data protection regulation mean for AdTech?
Despite all these concerns AdTech is here to stay. The commercial realities are just too great and there are real benefits to conversionThe successful click or interaction with a campaign, advert, pop-up etc. that the publisher wanted the audience to take. rates (and therefore budget efficiencies) when informing consumers about products and services in a properly targeted way. Publishers, ad networks, agencies and advertisers all benefit and are not in any kind of hurry to change.
But the GDPR requires that the data subject, i.e. you and I, are considered and that data protection principles and legal requirements taken more seriously.
There are great opportunities to develop better tools to map and simplify AdTech data flows and improve transparency. We are already seeing some technology providers making changes. It’s interesting to note that Google has been working closely with ICO to develop new guidelines and Google Chrome’s plans to phase out the use of 3rd party cookiesData which tracks a visitor’s movement on a website and remembers their behaviour and preferences. is a real opportunity to reduce uncontrolled and opaque sharing of data. However, we still need to understand transparently what Google’s alternate solution will be and whether it addresses privacy needs, or just ensures that Google tightens its grip on global online advertising revenues.
It’s also fair to say that the more embedded the industry becomes before regulators hold it to account, the more difficult it becomes to put the genie of unlawful data processing back in the bottle. Based on the ICO’s recent rhetoric and the way in which they have taken high profile enforcement actions (BA and Marriot etc.) then it’s highly likely we will see similar actions in the AdTech Industry in the not too distant future.
So it’s time for many AdTech companies to take a fresh look at how they approach data protection legislation, to make their use of personal data more transparent, to ensure the data they process is secure and to properly define and adhere to the lawful basis for processing they use. Furthermore, they should pay greater attention to how they manage consent particularly when processing special category data.
If they don’t take these steps, then the consequences for the industry are going to be severe.
Are you overwhelmed by AdTech and looking for guidance? Enquire below
Fill in your details below and we’ll get back to you as soon as possible