Chris Jeffery and Debbie Heywood look at the main compliance challenges for Adtech under the GDPR.
There is a genuine question around whether it is possible for the Adtech industry as it currently operates to comply with all aspects of the GDPR; in fact, this was discussed at the UK ICO's recent fact finding forum on Adtech.
There are a few compliance issues which come up repeatedly in regulator investigations and complaints (whether Adtech-related or not), notably the lawful basis for processing and compliance with the data protection principles, in particular transparency, purpose limitation, data retention and data security.
The complexities of the Adtech ecosystem, especially in relation to interest-based advertising, where known or inferred information about the user and their interests is used in order to show them ads they may be interested in, and the multiplicity of platforms and intermediaries that are often involved in the delivery of interest-based ads, present a real challenge to online publishers and the Adtech platforms seeking to align with GDPR principles.
A lawful basis for processing
Under the GDPR, there must be a lawful basis for processing personal data in order to comply with the principle that personal data be processed fairly and lawfully. In the context of Adtech, this will most likely be that it is processed with the consent of the data subject, or that the processing is in the legitimate interests of the data controller where those interests are not outweighed by the rights and freedoms of the data subject.
In contrast with the regime under the Data Protection Directive, the data controller must link each processing operation to a single purpose and the data subject must be given information about the lawful basis (and provide consent where relevant), before the processing begins in order to comply with the principle of transparency as well as the information requirements.
At first glance, legitimate interests might seem the preferable choice for Adtech players, mainly because it avoids the rigorous requirements for consent under the GDPR. It is less straightforward than it might first appear, though. Reliance on legitimate interests under the Data Protection Directive was a relatively low hurdle to meet, inasmuch as it was often seen (rightly or wrongly) as sufficient simply to explain the interests of the data controller.
Under the transparency and accountability provisions in the GDPR, reliance on legitimate interests now explicitly involves a more detailed analysis of a balancing exercise between the data controller's legitimate interests and the rights of the data subject on a case by case basis, all of which must then be explained to the data subject. Recent guidance from the German regulator is not alone in suggesting that the default is that the privacy rights of individuals will outweigh the legitimate interests of Adtech businesses where multiple platforms process user data.
We see a direction of travel in Europe towards consent as the lawful basis on which to rely when processing personal data for interest-based advertising purposes. The German regulator guidance, CNIL enforcement against mobile Adtech platforms in the French market and aspects of the ICO analysis of the Cambridge Analytica investigation trend that way, but have not yet reached the point where consent is generally accepted as the only option.
Market practice is not there yet, but post GDPR, early signs suggest that practice may need to change – at least for the use of profiles, segments, demographic and location data to target relevant ads. Consent is also relevant as it is needed under the ePrivacy Directive in order to drop cookies (except where these are strictly necessary to provide a service which the data subject has requested), and will likely be needed under the new ePrivacy Regulation when that eventually arrives.
While its contents are not finalised, the ePrivacy Regulation will, like the GDPR, harmonise the rules on cookies and the collection of information from mobile devices across Europe and we expect (although discussions are ongoing) that it will require GDPR-level consent for many of the techniques used in Adtech.
Adtech companies have the additional challenge of multiple purposes being pursued for a single ad impression – interest-based advertising itself, but also measurement, reporting, attribution and anti-fraud. Each of those needs to be assessed in terms of lawful basis.
The consent requirements under both the GDPR and the ePrivacy Directive have taken a step up. Consent must now be freely given, specific, informed and an unambiguous indication of the data subject's wishes. As EU regulator decisions and guidance have shown, this has a number of implications for the Adtech industry:
- Pre-ticked consents are not permitted because they do not show an unambiguous indication of the data subject's wishes.
- In order for consent to be informed, a considerable amount of information (not least about third parties which may receive personal data) must be given to the individual before consent is obtained.
- In order for consent to be specific, it cannot be bundled but must be obtained for each relevant processing operation.
- In order to be freely given, the data subject must be given a genuine choice. If, for example, the individual cannot access a website without giving consent to, say, tracking cookies which are not an essential part of supplying the website, the consent is unlikely to be freely given.
Personal data must be processed in a transparent manner. This involves giving individuals a considerable amount of information prior to the processing and is one of the reasons that privacy policies can become extremely involved.
For a complex set of processing operations like those involved in Adtech (profiling, real time bidding, multiple platforms performing different roles in an acronym-rich environment), explaining the data journey to individuals in a clear and digestible way is a challenge.
Google recently found itself on the receiving end of a substantial fine from the CNIL, which criticised (among other things) the fact that Google's explanation of its targeted advertising activities was too difficult for users to understand and required too many steps by the user. This was despite the fact that Google was following regulator guidance by adopting a granular approach.
The ICO's fact finding forum discussed whether consumers can ever be given enough information to understand what is happening to their data. Even if the information is provided, how likely is the consumer to read it, let alone understand it?
The other data protection principles
In addition to the requirements of lawfulness and transparency, a number of the other data protection principles can present challenges to Adtech, including that data must be collected for specified and explicit purposes, that data must be limited to what is necessary in relation to the purposes for which it is processed, that it should not be retained longer than necessary, and that it be kept secure.
The EU Adtech industry body IAB Europe's transparency and consent framework is an attempt to smooth the path of GDPR compliance, particularly in relation to capturing consent. It aims to help publishers, technology vendors, agencies and advertisers capture, store and signal global consents obtained by publishers and other consent management providers in an industry-standard manner.
The system also provides a 'white list' of vendors which publishers can use when they collect user consent.
The IAB framework hasn't seen universal take-up, with Google a notable sceptic. As a result, the IAB has published a revised version of the framework for consultation, to which Google has said it plans to sign up. Privacy campaigners are, however, yet to be convinced that the IAB framework does enough to obtain valid consent or provide transparency, despite the IAB's vigorous defence.
Ongoing complaints by privacy campaigners
There are a number of complaints pending before EU data protection regulators relating to GDPR compliance by data brokers and Adtech companies, some of which also take aim at the IAB framework and have led to full blown investigations.
Unsurprisingly, these focus largely on the selection of the lawful basis for the processing, namely consent and legitimate interests, and on compliance with the data protection principles, particularly transparency, purpose limitation and data retention.
Real Time Bidding Complaints
In September 2018, complaints were filed against Google and other Adtech firms with the ICO and the Irish Data Protection Commission by Dr Johnny Ryan of Brave, Jim Killock of the Open Rights Group and Michael Veale of University College London.
The main thrust of the complaints was the allegation that there "is a systematic data breach at the heart of the behavioural advertising industry". At issue are the 'real time bidding' systems which underpin Adtech.
The complaints allege that these are a mass data broadcast mechanism which gathers more information than is needed for targeting advertising, and that this information is then sent to a wide range of third parties for a range of purposes over which neither the initial advertiser nor the data subjects have any control.
In particular, the data subjects are unable to give informed consent to the process and cannot be given sufficient information to satisfy transparency requirements.
The complaints were also critical of the IAB framework for giving too much discretion to the vendor of the data as to whether or not the recipients have a legal basis for processing the relevant data.
Similar complaints relating to real time bidding systems were subsequently filed in Poland by the Panoptykon Foundation in January 2019, and in May 2019, further complaints were filed by other privacy campaigners in Spain, the Netherlands, Belgium and Luxembourg.
The Irish Data Protection Commissioner (which Google has gone to some effort to designate as its lead regulator for GDPR purposes) has said it will prioritise scrutiny of the Adtech sector following the complaints against Google and others and has launched a full investigation into Google as a result.
Privacy International complaints – November 2018
In November 2018, Privacy International filed complaints against Acxiom, Oracle, Criteo, Quantcast, Tapad, (and credit reference agencies Equifax and Experian), with the ICO, the CNIL and the Irish Data Protection Commission. The complaints focus on the use by these businesses of 'legitimate interests' as the lawful basis for processing personal data, arguing that this breaches the ICO's guidelines.
The complaints also argue that the businesses do not collect valid GDPR consent, do not comply with a number of the data protection principles in Article 5 GDPR (including transparency, purpose limitation, fairness and lawfulness), and do not comply sufficiently with data subject rights and safeguards.
The complaints were, like the Brave complaints, also critical of the IAB's transparency and consent framework and its advocacy of 'global consent' which passes through the supply chain. Like Brave, Privacy International argued that the IAB consent framework fails to meet the enhanced GDPR consent requirement because it does not allow for sufficiently informed consent and results in the individual losing control over their data.
The Irish regulator announced an official investigation into Quantcast's compliance with the GDPR in May 2019.
Brave complaint – April 2019
In April 2019, Brave filed a formal complaint with the Irish Data Protection Commission against IAB Europe.
Dr Ryan argued that the IAB's website has a cookie wall which effectively requires users to consent to tracking cookies from third parties in order to access the website.
The complaint argued that the cookie consent notice does not provide users with adequate information about what is being consented to and does not meet the requirement for GDPR consent. The complaint went on to suggest that the consent notice breaches the GDPR by effectively requiring users to accept third party tracking cookies which are not necessary for the provision of the service requested by them, namely access to the IAB website.
Dr Ryan is challenging the IAB's view, expressed in its framework, that access to content can be made conditional on consent for data processing which is not necessary for the delivery of a requested service.
What's the solution?
The main reason why GDPR compliance is particularly challenging for Adtech is the complexity of the ecosystem: the number of different actors (publishers, vendors, data brokers, advertisers), the real time bidding system, and the data journey involving a large supply chain.
One of the questions the ICO is seeking to answer with the help of stakeholders, is whether there is a 'one size fits all' solution to the tension between the GDPR and Adtech. There have been a number of regulator decisions in this space but these tend to focus on the problems rather than the solutions. Hopefully, the ongoing investigations will result in further guidance and a more clear-cut approach. In the meantime, see our article for practical GDPR compliance tips.