In recent months, the Office of the Information Commissioner of the UK (“ICO”) has been looking into how personal data is used in real time bidding (“RTB”) in programmatic advertising, involving key stakeholders, including in a fact-finding forum on March 6 to understand the marketplace and the application of the GDPR to it.

On June 20, the ICO published its Update report into adtech and real time bidding, which summarizes its findings so far.

Key takeaways:

Processing of non-special category data probably requires consent.

Organizations relying on legitimate interests as a lawful basis for non-special category data processing must “take on extra responsibility for ensuring that the interests, rights and freedoms of individuals are fully considered and protected.” They must “identify a legitimate interest,” “show that the processing is necessary to achieve it,” and “balance it against the individual’s interests, rights and freedoms.”

However, the ICO believes that “the nature of the processing within RTB makes it impossible to meet” the requirements for relying on legitimate interests as a lawful basis and that therefore “legitimate interests cannot be used for the main bid request processing.” In the ICO’s view, “the only lawful basis for ‘business as usual’ RTB processing of personal data is consent” (emphasis added). According to the report, this is especially true for any RTB organizations using cookies to process non-special category data, in which case “consent (to the GDPR standard) is still required … at the initial point of processing.” Under the GDPR, consent requires a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Processing of special category data requires explicit consent.

The ICO’s report identifies a variety of fields relating to “politics, religion, ethnic groups, mental health and physical health” in the schemas for bid requests. These fields are considered “special category data” under the GDPR. For special category data, “legitimate interests,” the report notes, do not constitute a lawful basis for processing; instead, explicit consent is also required under Article 9. Notably, the report expresses skepticism of industry approaches to date, such as the Interactive Advertising Bureau’s Transparency and Consent Framework. The ICO interprets explicit consent as requiring “a very clear and specific statement of consent” which “must be expressly confirmed in words, rather than by any other positive action.”

RTB organizations must improve the transparency of their data processing operations as well as their compliance mechanisms.

The ICO report highlights the “complexity and opacity of the RTB ecosystem” and claims that the industry might not be compliant with the information requirements in GDPR Articles 13 and 14. The accountability principle of the GDPR requires that organizations “understand, document, and be able to demonstrate: how their processing operations work; what they do; who they share any data with; and how they can enable individuals to exercise their rights.”

RTB organizations must perform data protection impact assessments (“DPIAs”).

Under GDPR Article 35(4), the ICO has previously published a list of high-risk processing operations for which DPIAs are mandatory. RTB involves several of the activities on that list, such as using new technologies, profiling individuals on a large scale, “invisible processing,” tracking individual geolocation or behavior, and using the personal data of children or other vulnerable individuals for marketing purposes, profiling, or automated decision making. The ICO accordingly believes that RTB organizations are legally required to perform DPIAs.

Industry Sweep Threatened

The ICO’s report also threatens an “industry sweep” in six months’ time, with the scope and nature of this exercise to be determined. Historically, these industry sweeps begin with gathering information from organizations via polls, written responses to questions, and interviews, and are often followed by enforcement actions and fines. The ICO expects adtech companies to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem.”

Conclusion

Based on the tone of the report, RTB companies operating in the UK should review their GDPR compliance approaches and make sure that they comprehensively understand and document their data processing operations. The report highlights two prioritized areas of concern for further analysis and exploration: (1) “the processing of special category data without explicit consent” and (2) “the complexity of the data supply chain.” In July 2019, the ICO will commence “targeted information-gathering activities related to the data supply chain and profiling aspects, the controls in place, and the DPIAs undertaken.” The ICO plans to continue dialogue with key stakeholders in adtech, including IAB Europe.

The WilmerHale Cybersecurity and Privacy Group will continue to monitor developments and can assist companies in preparing for potential regulatory inquiries and enforcement.