• ICO strongly challenges the use of “legitimate interests” as the lawful basis for processing data in real-time bidding.
  • ICO plans additional review to occur in six months, promising a “measured and iterative” approach toward enforcement.

Just over a year after the General Data Protection Regulation went into effect, the U.K. Information Commissioner’s Office has turned its attention to the adtech sector, specifically RTB. The ICO’s Update Report Into AdTech and Real Time Bidding is partially informed by an adtech fact-finding forum held by the ICO in March, which brought more than 100 parties together to discuss the data protection issues raised by adtech. The report focuses specifically on RTB, but its findings give us insight into how the ICO will view other online advertising activities.

What Are the ICO's Key Areas of Concern?

  • Lawful Basis. In one of the most challenging lines of the report, the ICO states: “We believe that the nature of the processing within RTB makes it impossible to meet the legitimate interests lawful basis requirements. This means that legitimate interests cannot be used for the main bid request processing.” The ICO notes that under U.K. law, consent is required at the outset for the use of any nonessential cookies. While the ICO acknowledges that subsequent processing could rely on an alternative lawful basis, it takes the position that the nature of the processing in RTB makes it impossible to meet the legitimate interests requirements (i.e., the risks to individuals’ interests, rights and freedoms outweigh any benefit to the business from this form of ad delivery). The ICO further notes that bid requests that include sensitive categories of data (including inferences about those categories) require explicit consent, an even higher standard to meet, regardless of whether that data is used for profiling.
  • Transparency/Security in the Data Supply Chain. The ICO raises several concerns with the complexity of the RTB “data supply chain.” First, it finds that companies in the RTB ecosystem cannot consistently provide the information required under the GDPR’s transparency principles, as the parties do not always have visibility into which parties will receive the personal data shared in a bid request or where that data will be used. Notably, the ICO suggests that the IAB Europe’s Transparency and Consent Framework may not solve the issue of transparency in light of the number of vendors on its vendor list and because the list does not include all the vendors in the RTB ecosystem. In addition, the number of companies that receive and share personal data makes it impossible for any one party to guarantee that the personal data will remain subject to the appropriate data protection and controls. This concern is similar to the concern raised by Dr. Johnny Ryan’s complaint to the ICO (and the Irish Data Protection Commissioner), which claims that personal data shared in the RTB ecosystem is not protected against unauthorized or unlawful processing, and thus violates the integrity and confidentiality principle articulated in Article 5(1)(f) of the GDPR.
  • Accountability. The ICO takes the position that DPIAs are legally required for RTB. The report identifies several aspects of RTB, including large-scale profiling, the tracking of geolocation or behavior, and the use of “invisible processing,” which have been deemed by the ICO to be “high risk” processing activities that require a DPIA. The ICO expressed a concern that companies that indicate they rely on legitimate interests as their lawful basis may have failed to conduct and document their legitimate interests analysis, including the potential safeguards used to reduce individual risks.​

What Are the Next Steps?

Ultimately, this report is a warning letter to the adtech industry. In her commissioner’s foreword, Commissioner Denham states that the report “sets out where we expect to see change, and sets out the timescales in which we expect to see action.” Guidance for the industry is clear: The ICO expects data controllers to reevaluate their approach to privacy notices, uses of personal data and the lawful bases applied within the RTB ecosystem.

The ICO appears to understand that online advertising is critical, particularly to smaller publishers, and has suggested that it will be moving slowly in order to understand the business implications of its actions, as balanced against its data protection imperative. Starting in July 2019, the ICO will undertake targeted information-gathering activities to further understand the data supply chain, the impact of profiling, the controls in place and the DPIAs undertaken in connection with RTB. The ICO will also continue to engage with key stakeholders, including the IAB Europe and Google, and will share information with other Data Protection Authorities that are currently investigating related complaints. While fines may not be immediate, the industry should not expect to receive multiple warnings. The ICO plans additional industry review in six months’ time, which appears to be the window given to adtech companies to address the concerns raised above.