- A recent report issued by the United Kingdom’s (UK) data protection authority raises several concerns about whether the use of real-time bidding complies with European Union (EU) data protection laws.
- In addition to providing a framework for compliance with EU laws, the UK report can assist U.S. organizations in addressing other domestic and foreign data privacy obligations and industry standards.
Organizations may rely upon real-time bidding (RTB) for several reasons: to advertise their goods and services to new audiences at a lower cost than traditional advertising campaigns, to more precisely target potential customers who are most relevant to their area of business, or to more adequately measure the success of their products and sales techniques. In fact, according to some estimates, U.S. organizations spent almost $24 billion on advertisements using RTB in 2018, which is more than three times the amount spent just four years earlier.
However, the use of RTB raises data privacy and security concerns, and its practice has been the subject of formal complaints lodged with and ongoing investigations by several EU data protection authorities. The UK’s Information Commissioner’s Office (ICO) recently stated that current RTB practices are “disproportionate, intrusive, and unfair.” The statement was made in a recent report the ICO issued regarding RTB’s impact in terms of compliance with the EU General Data Protection Regulation (GDPR).
However, the ICO’s findings have broader applicability to U.S. organizations seeking to comply with a range of foreign and domestic data protection laws, including the California Consumer Privacy Act (CCPA). Most importantly, the ICO’s findings address consent and lawful data processing, transparency and data privacy notices, and vendor management and third-party contracting.
What Is Real-Time Bidding?
According to the ICO, most bid requests include (but are not limited to) the following types of data:
- A unique identifier for the bid request
- The user’s Internet Protocol (IP) address and cookie and user identification
- The user’s location, time zone, language preference and device type
The ICO noted that some bid requests contain information on the user’s website history, use of the current website or application, search queries, session time and demographic data. It also found that the underlying RTB protocols relate to categories of data that are deemed “special” under the GDPR because of their sensitivity (e.g., mental and sexual health, politics, ethnicity). Generally, an advertiser will pay a publisher more for a bid request with greater specificity and detail because it will enable the advertiser to more accurately target an advertisement, especially if it supplements such a bid request with information from other sources.
Data Protection Compliance
A cornerstone of the GDPR is that organizations are required to identify a lawful basis for their data processing activities, and it sets forth six such bases for processing personal data. When processing “special categories” of personal data, organizations have to account for additional requirements set forth under the law. The ICO reported a “lack of clarity” regarding the appropriate lawful basis an organization should rely on to undertake its data processing when it pertains to RTB. In short, the ICO concluded that in order to account for both (i) the processing of general and special categories of personal data under the GDPR, and (ii) cookie and similar data under the PECR, the “only lawful basis for ‘business as usual’ RTB processing of personal data is consent.” This conclusion is significant because it rebuts the argument that organizations can rely on the GDPR’s “legitimate interest” legal basis for data processing, which arguably has a lower threshold than obtaining an individual’s consent.
In addition to its impact on organizations under the GDPR, the ICO report highlights the importance that consent may have on organizations’ compliance with other data protection laws. For instance, in the United States, the Children’s Online Privacy Protection Act (COPPA) requires organizations to obtain parental consent before collecting some types of information from children under the age of 13, and the CCPA (as currently written) requires covered businesses to obtain similar consent prior to selling children’s personal information and prohibits such businesses from entering “consumers” into their financial incentive programs unless the “consumer gives the business prior opt-in consent … which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.” The Illinois Biometric Information Privacy Act (BIPA) requires organizations to obtain consent when collecting or disclosing individuals’ biometric information. In addition, the Federal Trade Commission has issued recommendations that organizations provide consumers with notice and obtain their affirmative consent before using data in a way that is materially different than claimed when collected.
Transparency and Data Privacy Notices
The ICO report raises concerns about how the principle of transparency is addressed in the RTB context. The GDPR mandates organizations to process personal data in a “transparent manner,” which, accordingly, requires organizations to provide individuals with notice of their data processing activities. More specifically, Article 13 of the GDPR requires that at the time personal data is obtained, an organization must provide the individual whose personal data is being disclosed with a broad range of information, such as:
- The organization’s contact details
- The purpose of and legal basis for the data processing
- The recipients (or categories of recipients) of the personal data
- Whether the organization will transfer personal data outside the EU
- Data retention periods and criteria
- The individual’s rights under the GDPR
Article 14 of the GDPR sets forth similar requirements in the context of when an organization collects personal data from a third party (and not the individuals themselves). Recital 39 of the GDPR explains that “[t]he principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used” and individuals “should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data.” The ICO report is critical of the manner in which organizations address these transparency-related issues in the RTB process. In particular, the ICO report raises concerns that publishers cannot always identify the third parties with whom they share personal data and the nature in which personal data is consistently augmented, both within and outside of the RTB process.
The ICO report notes that a single RTB request can result in an individual’s personal data being processed by hundreds of organizations that have no direct relationship with that individual. The nature of the processing in the RTB ecosystem leads to the risk of “data leakage,” which the ICO defines as the circumstances “where data is either unintentionally shared or used in unintended ways.” The ICO report also raises concerns that under such circumstances, there usually are no robust guarantees or technical controls between all the parties to mitigate the risk of a data leakage. Although contractual terms are an important part of data processing between parties, the ICO emphasizes that organizations “cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring technical and organizational controls back up those terms.”
The ICO raises three important points that all organizations should consider incorporating into their own vendor management process that involves the exchange or processing of personal data, confidential information or other sensitive business data. First, assess whether vendors have the competency to process this information in accordance with the law and industry standards. Second, prior to any exchange of data, a written contract should be executed that memorializes the vendor’s security standards; data assistance, confidentiality and breach notification requirements; and liability and remedies. Third, depending on the nature of the processing, the organization should provide meaningful oversight of the vendor to ensure its ongoing compliance with the contract. Given the degree to which organizations routinely disclose personal data, confidential information and other sensitive data with external entities, a vendor management contracting process has become a standard business practice.
The ICO report raises several data privacy issues in the RTB context that transcend the GDPR and provide insights into complying with multiple data protection laws. For example, it is important for an organization to fully understand the type, nature and scope of data it collects as part of its routine business practices – from cookie data on its website users to general personal information on its rewards program members – to truly recognize its legal obligations related to such data processing, which may include requesting and obtaining an individual’s consent.
An organization should also be cognizant of its third-party and vendor management contracting to mitigate the risk of data leakage by ensuring proper technical controls are in place amongst the parties. Not only does third-party contracting protect personal data rights, it protects a business’s interests and can mitigate legal liability.