While governments around the world grapple with the issue of how to regulate content on the internet, the Adtech ecosystem is already subject to a wide regulatory framework. This has intensified with the advent of the GDPR which raises issues around transparency, lawful basis, security and consent, in particular.

It’s not just data protection regulators who are focusing on Adtech though. Competition and consumer regulators have also enforced against some of the tech giants for abuse of a dominant position in online advertising, and aggressive and misleading practices, respectively.

It’s also worth considering that the EC is bringing in GDPR-style fines for breaches of consumer protection law. As recent decisions and actions by regulators have shown, there are substantial risks if you get it wrong, not least, in the most extreme cases, significant fines.

Data protection regulators

EU data protection regulators are looking closely at Adtech, sometimes in response to complaints from privacy campaigners, and sometimes carrying out their own investigations or initiatives.

The major issues creating tension between the GDPR and the Adtech model are:

  • Compliance with the data protection principles in Article 5 – The processing of personal data has to comply with the Article 5 principles. This includes that processing must be transparent, data must be collected for specified and explicit purposes, must be secure, and that processing must be limited to what is necessary in relation to the purposes for which they are processed. These requirements are challenging in terms of Adtech because it is not always straightforward to explain to the individual what is happening to their data in a way which they are likely to understand or engage with, given the complexity of the data journey. Due to the large number of different companies involved in the delivery of an online ad, it is challenging for any of them to exercise any real control over what others ‘in the chain’ do with the data collected.
  • Lawful basis – personal data processing will only be lawful if it is carried out under one of the permitted lawful bases in Article 6 (and Article 9 in cases of sensitive data). When processing personal data for online advertising, the lawful basis is likely to be that the processing is carried out with the consent of the data subject, or that it is in the legitimate interests of the data controller where that is not outweighed by the rights and freedoms of the data subjects.
  • Consent – the consent requirements under the GDPR and the ePrivacy Directive have been enhanced. Consent must now be freely given, specific, informed and an unambiguous indication of the data subject’s wishes. These requirements impact not only how consent is obtained if it is being used as the lawful basis for data processing, but also the use of the types of cookies for which consent is required under the ePrivacy Directive. The granularity of consent required on a strict interpretation of the requirements creates challenges for the clean, uncluttered experience designers and users prefer, especially on smaller mobile screens.

Since the GDPR came in, decisions by some of the EU regulators, as well as guidance they have issued (some of which are detailed below), show these issues coming up repeatedly, although not always with clear resolution for stakeholders.

UK

In February 2019, the UK’s ICO published a blog on Adtech and data protection, announcing a focus on programmatic advertising and real-time bidding. The ICO identified three particular areas of interest:

  • Transparency – how and what people are told about the use of their data.
  • Lawful basis of processing – the ICO seeks to understand why different businesses in the Adtech ecosystem rely on different lawful bases for processing.
  • Security – how can organisations ensure that onward transfers of data which happen very rapidly are secure?

At the ICO’s subsequent fact finding forum on Adtech, the ICO’s office commented on the tension between data protection laws and Adtech and discussed:

  • The amount of personal data required for systems to function effectively.
  • Whether consumers can ever be given enough information to understand what’s happening to their data.
  • Whether there is a lawful basis for processing personal data which could be consistently applied across the whole ecosystem.

As is often the case with the ICO, it is taking a practical approach, recognising the value of Adtech to businesses.

This does not, however, entail any compromise on compliance and the ICO is currently auditing a number of data brokers and Adtech companies including Experian, Equifax and Call Credit, Acxiom Ltd, Data Locator Group Ltd and GB Group PLC with reports on its findings due by the end of this year.

The ICO has also been looking at the use of data analytics for targeted advertising in the context of political campaigns. This led to enforcement action against Facebook and Cambridge Analytica in the latter part of 2018, together with a consultation on a draft Code of Practice on the use of personal information in political campaigns.

France

The CNIL issued Google with a EUR50m fine for breaches of the GDPR in January 2019, responding to complaints made on 25 and 28 May 2018 by privacy campaign groups about the use of targeted advertising in the context of its Android operating system.

On the basis of its inspections, the CNIL concluded that:

  • Google did not comply with the transparency and information requirements of the GDPR in relation to its privacy policy for Android. Information provided was found to be difficult to access, insufficiently transparent and requiring too many steps while not providing coherent or complete information in a single place about geo-tracking and targeted advertising. It was too difficult for users to understand what Google was doing with their data and the purposes of the processing were not described in sufficient and clear detail. Similarly, there was a lack of clarity about the legal bases for processing used to target adverts, and around what constituted Google’s legitimate interests.
  • Google did not obtain valid consent to targeted advertising because individuals were given insufficient information for consent to be informed and consent was insufficiently specific. In addition, general consent was required in order to sign up but the consent to receive targeted ads was not on the main sign-up page, and was pre-ticked. This meant that consent was neither specific (because a general consent was the default type of consent) nor unambiguous (because the fact that the consent to targeted ads was pre-ticked meant that there was no unambiguous consent by clear, affirmative action).

The CNIL took account of the scope of Google’s processing and the reliance of people on its Android operating system to determine the amount of the fine.

Google appears to have been criticised for not making all its privacy information available in one place, but it also seems to have followed the Article 29 Working Party recommendations to use granularity to help individuals through the process of understanding what happens to their personal data.

This confirms the tension between presenting information in a way which ensures the essentials are read up front and making sure that individuals have all the required information (even where it is complex and lengthy), particularly when relying on consent.

Other ‘take homes’ are the point that consent must be by affirmative action – pre-ticked boxes will not be sufficient; the emphasis placed on linking processing operations to specific purposes; and on explaining what is meant by legitimate interests in sufficient detail for the individual to understand.

Google has confirmed that it will be appealing the fine, saying it worked hard to create a GDPR consent process for targeted advertising which is as transparent as possible. It also expressed concerns that the judgment would have a negative impact on publishers, original content creators and tech companies. The appeal will be heard by the Conseil d’État, France’s highest public law court, which may refer questions to the CJEU.

The CNIL has also made a series of decisions involving the issue of consent to geolocalisation data for targeted advertising.

In June 2018, it issued formal notices against marketing platform providers Teemo and Fidzup and, on 9 November, it issued similar notices against Vectuary and Singlespot. The businesses were found to have failed to get valid consent to the processing of geolocation data for profiling and targeted advertising.

The businesses provide location-based marketing solutions using a software development kit (SDK) integrated into publishers’ apps. At the time of the CNIL’s notices, users downloading an app with the SDKs would see a pop-up asking whether users consented to the app collecting their location data.

The pop-ups did not specify that the location data would be used for profiling and advertising, nor that it would be shared with third parties. The CNIL said consent was not valid under the GDPR because it was:

  • Not informed – consent was collected after the app had been downloaded and the collection of location data had already begun.
  • Not freely given – users were not able to download the apps without the SDKs and had no choice but to give consent in order to continue using the apps.
  • Insufficiently specific – the pop-ups did not set out the specific purposes of the processing (profiling and targeted advertising) and did not indicate that the data would be passed to third parties.

The relevant businesses were given three months to bring their practices in line with GDPR requirements. The CNIL said there would be no further action as long as this happened and has since issued some guidance for developers.

Germany

The German data protection supervisory authorities (Datenschutzkonferenz) issued guidelines in April 2019, for providers of telemedia services (which includes website operators) on processing personal data as a result of tracking.

The guidance says that tracking can potentially take place under the GDPR on the lawful basis of consent or because it is in the legitimate interests of the tracker and this is not outweighed by the rights and freedoms of the individuals.

The data controller must carefully select the most appropriate lawful basis which will, in most cases, be consent. Only limited activities, for instance analytics and security (but not Adtech where multiple platforms are involved) are accepted as candidates for legitimate interests. For more on the guidelines, see our article.

Netherlands

The Dutch regulator commented on the use of ‘take it or leave it’ cookie walls which require the user to consent to tracking if they want to access a website.

The regulator said this cannot constitute proper consent under the GDPR and the ePrivacy Regulation as it is not freely given – there is no real choice involved. The Dutch regulator has promised greater scrutiny of these practices. For more on this, see our article.

European Data Protection Board (EDPB)

In April 2019, the EDPB issued draft guidelines for online service providers on the processing of personal data under Article 6(1)(b) GDPR for online services.

Article 6(1)(b) is the lawful basis that the processing is necessary for performance of a contract to which the data subject is party, or to take steps at the data subject’s request prior to entering into the contract. A section of the guidelines looks at reliance on 6(1)(b) as a lawful basis for online behavioural advertising, concluding that it is most unlikely to be suitable.

Essentially, whether or not it is necessary to process the personal data requires an objective assessment of whether there are alternative, less intrusive measures – it is not simply a case of covering it in the contract.

The controller must be able to demonstrate that the main object of the specific contract could not be performed without the processing in question and cannot artificially expand this.

For example, even if cookies are used as part of delivering the services, another lawful basis like consent may be needed for additional purposes like targeted advertising, and in accordance with ePrivacy rules, controllers must obtain data subjects’ prior consent to cookies for behavioural advertising.

Even where online behavioural advertising funds the provision of a service, it is not a necessary element of performing the contract unless it can be argued that the contract had not been performed due to an absence of advertising.

Tracking and profiling of users to identify groups of similar characteristics to enable targeting advertising to similar audiences cannot be carried out on the basis of Article 6(1)(b) as it cannot be said to be objectively necessary for the performance of the contract.

Competition regulators

We are increasingly seeing competition regulators looking into the issue of data dominance and whether data processing activities constitute an abuse of a dominant position. For obvious reasons, this type of regulator scrutiny tends to impact the biggest players but it often relates to their position in the Adtech market.

Germany’s Bundeskartellamt and Facebook

In February 2019, Germany’s competition regulator, the Bundeskartellamt, issued a decision prohibiting Facebook from combining user data from different sources, in particular, from the use of other services owned by Facebook like WhatsApp and Instagram, but also by tracking users’ behaviour on third party websites using APIs.

The Bundeskartellamt said that Facebook used the user profiles it built up to improve its targeted advertising activities.

The Bundeskartellamt suggested that users suffered harm as a result of their lack of control over their data but also that advertising customers and competitors suffered as they were faced with a dominant supplier of advertising space in social networks.

The Bundeskartellamt found that Facebook had no effective justification for collecting data from other company-owned services and Facebook Business Tools, or for assigning the data to Facebook user accounts.

The processing of the data was not to fulfil a contractual obligation, there was no effective consent to the processing of personal data because users had to accept in order to receive the service, and Facebook’s legitimate interests did not outweigh the rights and freedoms of its users.

In a public response to the decision, Facebook said that the Bundeskartellamt:

  • had underestimated the competition it faces in Germany
  • misinterpreted Facebook’s GDPR compliance
  • misapplied German competition law.

Facebook argued that compliance with data protection law was the remit of data protection regulators and that to mix competition law with data protection law undermined the impact of the GDPR. The German Competition Act does, however, cite access to data, especially in the case of online platforms and networks, as a relevant factor which can contribute to market dominance.

It is clear in this case that the German authority believed that Facebook was in breach of the GDPR, which gave it increased access to personal data, giving it an unfair advantage, not least in its ability to sell and deliver targeted advertising. Regulators in Italy and France have reached similar decisions. In August 2019, however, the Higher Regional Court in Düsseldorf granted Facebook’s request to suspend the effect of the Bundeskartellamt’s decision pending an appeal by Facebook to the German Federal Court of Justice. While the Regional Court did not question Facebook’s dominant position in the relevant market, it did not find any basis for abuse of that position because the infringement of data protection law did not have an anti-competitive effect. A causal link between Facebook’s dominant position and abusive practice could only be based on competition law and not data protection law. The FCO is appealing the Regional Court’s decision so we will continue to see developments in this space. See here for more.

EC Google fine

In March 2019, the European Commission fined Google EUR1.49m for abusive practices in online advertising. The Commission found that it was not possible for Google’s competitors in online search advertising to sell advertising space in Google’s own search engine pages between 2006-16.

This meant that third party websites were an important entry point for them into the market. In 2006, however, Google introduced exclusivity clauses into its individually negotiated agreements with publishers. The publishers were prohibited from placing any search adverts from competitors on their search results pages.

From March 2009, Google began replacing the exclusivity clauses with ‘premium placement’ clauses which required publishers to reserve the most profitable space on their search results pages for Google’s adverts and request a minimum number of Google adverts.

This prevented Google’s competitors from placing their search adverts in the most visible and clicked on parts of website search results pages. From March 2009, Google also began including clauses requiring publishers to seek written approval from Google before making changes to the way in which rival adverts were displayed. This gave Google a high degree of control over its competitors’ adverts.

The EC concluded that Google had been dominant in online search advertising intermediation in the EEA since at least 2006, and had abused its market dominance by preventing rivals from competing in the market. This conduct harmed competition and consumers, and stifled innovation. Google changed these behaviours in June 2016 after receiving a Statement of Objections from the EC.

So where does this leave Adtech?

The recent regulator guidance, investigation and enforcement activity, both in competition and data protection, demonstrate the ‘flash points’ for the industry.

Granted, most Adtech companies will not have the market share to come onto the radar of the antitrust authorities, but significant pressure still arises from the privacy spotlight on Adtech, and the varying opinions between the different parts of the ecosystem, arising out of the uncertainty over what the law actually means for the industry.

This causes significant concerns about where the regulatory risk should fall and the extent to which commercial contracts should push that risk onto business partners. Publishers, in particular, worry about accepting responsibility for achieving consent and transparency for a complicated data journey over which they feel they exercise little control.

The situation is all the more complex due to the lack of clarity around the incoming ePrivacy Regulation, both what it will say and when it will apply.

For this reason, the UK’s ICO’s approach of consultation with the industry (without compromise on compliance), is welcome; the best solutions are most likely to come through collaboration between the regulators and the industry.

Meanwhile, commercial wheels need to be kept turning and brands still want to address a growing online audience of engaged consumers. Despite the uncertainties, Adtech businesses continue to grow and acquire European market share, as the regulatory drama unfolds.

For some practical data privacy compliance tips, see our article.