At a Glance…

The ICO (the Information Commissioner’s Office – the UK privacy regulator) published what it calls an ‘Update Report’ on real-time bidding (RTB) on 20 June.

There have been a lot of summaries over the last week which may be leaving you more confused about how serious this is and, more importantly, what if anything you need to do. Let’s dissect it.

How has this come about?

This report is not coming out of the blue. The ICO has held various outreach sessions on adtech with business over the last year, was very clear in its GDPR anniversary report that adtech would be a focus for the year ahead. Further, specific complaints against Google and programmatic advertising practices are being investigated in both Ireland and the UK and both regulators have talked about this. We were expecting and even hoping for more clarity on the ICO’s stance therefore, so this is not a surprise. The only thing which is perhaps surprising is that the ICO has only focused on RTB in this report. It is separating out practices that are at the more complicated end of adtech for specific attention but many of the points they raise can also be applied to wider technologies and processing.

Does this mean RTB is dead?

No, but the ICO does make it very clear in the report that it considers all current RTB practices to be non-compliant with GDPR. This is an alarming statement! However, they don’t say they are actively about to fine or enforce….just yet. They are essentially sending a warning shot, explaining what they think is a failure in the industry and what they expect companies to now fix. They say they will report back further in 6 months’ time. It all seems a little passive-aggressive and vague – typical English politeness? One of the reasons for this though, is that the ICO recognises that there aren’t easy fixes and that the complexity of data transfers and processing between multiple stakeholders that is involved in RTB means that for various of the issues the ICO considers non-compliant, industry solutions are needed and companies (particularly brands and publishers) can’t unilaterally fix everything. The ICO is in detailed ongoing discussions with Google (who runs its Authorised Buyers RTB service – previously known as DoubleClick) and the IAB on solutions.

Whilst companies will certainly want to relook at what they are doing in RTB in light of this, we don’t expect that most will go so far as pulling back from RTB just on the back of this. You can’t rule out enforcement action in the meantime however, particularly around cookie consents.

What actions do you need to take?

Strategy: If industry solutions are not found and resolved with the ICO in the next few months, we could see quick enforcement action. For publishers, brands and agencies – what would a complete or temporary restriction on RTB mean for you in practice? Think through what your alternatives will be strategy and contract wise.
“Special Category Data”: This means personal data that is seen as particularly sensitive. It includes information such as health, sexual orientation, religion, political beliefs. Often, the schema for RTB contain this data – for example as a brand, you may be looking to bid for space against specific audience segments that denote these. Often brands and legal teams don’t necessarily know this is happening.

The ICO sees the use of special category data in an RTB context as high risk and says that it would require “explicit consent”. In practice, this would mean getting very clear specific consent from each user for the use of this data for this purpose and the usual cookie banners we see just wouldn’t cut it. The kind of consent required would be almost impossible to obtain.

This should be your biggest takeaway and action. Check what category fields you are set up to use. Speak to your marketing team to ensure they understand the risks and issues and don’t create custom fields that use special category data.
Privacy Policy/Cookie Policy: The ICO makes it very clear that they consider transparency and explanations to users around RTB to be insufficient. This echoes the concerns CNIL (the French regulator) when it fined Google 50m Euros (albeit this is being appealed). Transparency and readability is such an important issue. We still see far too many long, complex privacy and cookie notices that an average user simply can’t understand. You have to spend time on relooking at these and making this readable.
Consent: Companies are still confused about what consent is needed for the use of cookies which of course are a key feature in RTB. This has often been because cookie rules are contained in both GDPR (in general terms) and the Electronic Privacy legislation (in specific terms). There are no industry norms or templates and a very wide variety of “consent” practices can be seen over the internet.

The ICO restates its position on this. In short, you have to have GDPR level consent for advertising cookies and they don’t think legitimate interests is an appropriate justification. GDPR level consent has to have an action (the ICO says just continuing to browse a website would not be sufficient), specific and informed.

Interestingly, the ICO was subject to scrutiny on its own cookie consent mechanisms in the last few months and has just updated its approach. This new approach involves a pop up which: (i) clarifies that they are using necessary cookies (which don’t require consent); (ii) says they would like to use Google Analytics – but set this to a default off unless a visitor expressly chooses to move the toggle to yes; and (iii) has an overall “save and close” action button. The ICO does not use programmatic advertising cookies so there is no wording or consent for that. The ICO has said it will release more guidance on what it expects companies to do on cookies this week.

Relook at your cookie consent wording and mechanisms regardless of whether or not you are using RTB. Is your approach really GDPR compliant in terms of a specific action and granularity? Look out for the ICO’s cookie guidance which it intends to publish this week for further detail on what they expect.
Data Protection Impact Assessment: The ICO confirms they will expect this for RTB. If you are undertaking RTB and haven’t done a data protection impact assessment, you need to do one now. Also consider what other adtech practices may require an assessment. Accountability and documentation is absolutely key for GDPR compliance.
Contracts and security: RTB relies on a complex chain in which multiple parties are receiving and exchanging personal data. The ICO says this is a potential security risk and that the current reliance on standard contract clauses between parties is insufficient and not the right approach. In particular, it points out that this doesn’t provide for sufficient assessment of competence and requisite due diligence and monitoring. This isn’t one you can easily fix and take action on – you can’t unilaterally start amending the Google Authorised Buyer or IAB contracts and documentation for example. What you will need to do is get involved in the industry discussions around solutions on this and keep abreast of them. You also need to be documenting carefully what data you receive and are doing with it and the ICO suggests focusing on ensuring that you have and document processes for protecting and deleting data.

What next?

We await the next review from the ICO as well as industry solutions and reactions to address the above. Enforcement action can’t be ruled out in the meantime.