Key Notes:

  • A recent report issued by the United Kingdom’s (UK) data protection authority raises several concerns about whether the use of real-time bidding complies with European Union (EU) data protection laws.
  • In addition to providing a framework for compliance with EU laws, the UK report can assist U.S. organizations in addressing other domestic and foreign data privacy obligations and industry standards.

Organizations may rely upon real-time bidding (RTB) for several reasons: to advertise their goods and services to new audiences at a lower cost than traditional advertising campaigns, to more precisely target potential customers who are most relevant to their area of business, or to more adequately measure the success of their products and sales techniques. In fact, according to some estimates, U.S. organizations spent almost $24 billion on advertisements using RTB in 2018, which is more than three times the amount spent just four years earlier.

However, the use of RTB raises data privacy and security concerns, and its practice has been the subject of formal complaints lodged with and ongoing investigations by several EU data protection authorities. The UK’s Information Commissioner’s Office (ICO) recently stated that current RTB practices are “disproportionate, intrusive, and unfair.” The statement was made in a recent report the ICO issued regarding RTB’s impact in terms of compliance with the EU General Data Protection Regulation (GDPR).

However, the ICO’s findings have broader applicability to U.S. organizations seeking to comply with a range of foreign and domestic data protection laws, including the California Consumer Privacy Act (CCPA). Most importantly, the ICO’s findings address consent and lawful data processing, transparency and data privacy notices, and vendor management and third-party contracting.

What Is Real-Time Bidding?

RTB often refers to the automated process triggered when an individual accesses a website or an online application and a range of user data, including personally identifying information, is broadcasted to (possibly) thousands of organizations as part of an auction process. More specifically, an organization operating a website or an online application (i.e., the “publisher”) can use cookies and similar technologies to collect information about a user accessing its website/platform and consolidate this data into a “bid request” that is transmitted into the RTB ecosystem. Once in the RTB ecosystem, advertisers can engage in a real-time auction enabling the auction winner to insert an ad on the publisher’s website or online application. This entire process takes place in just milliseconds, usually within the time it takes a website page to load for the user.

According to the ICO, most bid requests include (but are not limited to) the following types of data:

  • A unique identifier for the bid request
  • The user’s Internet Protocol (IP) address and cookie and user identification
  • The user’s location, time zone, language preference and device type

The ICO noted that some bid requests contain information on the user’s website history, use of the current website or application, search queries, session time and demographic data. It also found that the underlying RTB protocols relate to categories of data that are deemed “special” under the GDPR because of their sensitivity (e.g., mental and sexual health, politics, ethnicity). Generally, an advertiser will pay a publisher more for a bid request with greater specificity and detail because it will enable the advertiser to more accurately target an advertisement, especially if it supplements such a bid request with information from other sources.

Data Protection Compliance

According to the ICO, some of the information collected and disclosed as part of the RTB process may constitute “personal data,” as defined by the GDPR, and the use of cookies and similar technology is regulated by the UK’s Privacy and Electronic Communications Regulations (PECR) 2003, which implements European Directive 2002/58/EC (also known as the “e-privacy Directive”). As noted above, there are three aspects of the ICO’s report that are relevant to any organization seeking to comply with data protection laws and industry standards: consent and lawful data processing, transparency and data privacy notices, and vendor management and third-party contracting.

A cornerstone of the GDPR is that organizations are required to identify a lawful basis for their data processing activities, and it sets forth six such bases for processing personal data. When processing “special categories” of personal data, organizations have to account for additional requirements set forth under the law. The ICO reported a “lack of clarity” regarding the appropriate lawful basis an organization should rely on to undertake its data processing when it pertains to RTB. In short, the ICO concluded that in order to account for both (i) the processing of general and special categories of personal data under the GDPR, and (ii) cookie and similar data under the PECR, the “only lawful basis for ‘business as usual’ RTB processing of personal data is consent.” This conclusion is significant because it rebuts the argument that organizations can rely on the GDPR’s “legitimate interest” legal basis for data processing, which arguably has a lower threshold than obtaining an individual’s consent.

In addition to its impact on organizations under the GDPR, the ICO report highlights the importance that consent may have on organizations’ compliance with other data protection laws. For instance, in the United States, the Children’s Online Privacy Protection Act (COPPA) requires organizations to obtain parental consent before collecting some types of information from children under the age of 13, and the CCPA (as currently written) requires covered businesses to obtain similar consent prior to selling children’s personal information and prohibits such businesses from entering “consumers” into their financial incentive programs unless the “consumer gives the business prior opt-in consent … which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.” The Illinois Biometric Information Privacy Act (BIPA) requires organizations to obtain consent when collecting or disclosing individuals’ biometric information. In addition, the Federal Trade Commission has issued recommendations that organizations provide consumers with notice and obtain their affirmative consent before using data in a way that is materially different than claimed when collected.

Transparency and Data Privacy Notices

The ICO report raises concerns about how the principle of transparency is addressed in the RTB context. The GDPR mandates organizations to process personal data in a “transparent manner,” which, accordingly, requires organizations to provide individuals with notice of their data processing activities. More specifically, Article 13 of the GDPR requires that at the time personal data is obtained, an organization must provide the individual whose personal data is being disclosed with a broad range of information, such as:

  • The organization’s contact details
  • The purpose of and legal basis for the data processing
  • The recipients (or categories of recipients) of the personal data
  • Whether the organization will transfer personal data outside the EU
  • Data retention periods and criteria
  • The individual’s rights under the GDPR

Article 14 of the GDPR sets forth similar requirements in the context of when an organization collects personal data from a third party (and not the individuals themselves). Recital 39 of the GDPR explains that “[t]he principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used” and individuals “should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data.” The ICO report is critical of the manner in which organizations address these transparency-related issues in the RTB process. In particular, the ICO report raises concerns that publishers cannot always identify the third parties with whom they share personal data and the nature in which personal data is consistently augmented, both within and outside of the RTB process.

The issue of transparency is a hallmark of many data protection laws, including those in the United States. For example, in addition to COPPA, there are federal laws governing the healthcare sector and financial institutions that mandate the issuance of data privacy notices and statements akin to Articles 13 and 14 of the GDPR. Several U.S. state laws have notice or similar policy requirements related to the collection and use of Social Security numbers, as does BIPA in the context of collecting and using biometric data. Under current California law, certain websites or online service providers that collect personally identifiable information on California residents who access their site or online services must “conspicuously post” a privacy policy containing certain background information on the organizations’ data practices, and the CCPA, which will go into effect in early 2020, will expand this privacy notice requirement in a manner that is even more analogous to the GDPR.

The ICO report notes that a single RTB request can result in an individual’s personal data being processed by hundreds of organizations that have no direct relationship with that individual. The nature of the processing in the RTB ecosystem leads to the risk of “data leakage,” which the ICO defines as the circumstances “where data is either unintentionally shared or used in unintended ways.” The ICO report also raises concerns that under such circumstances, there usually are no robust guarantees or technical controls between all the parties to mitigate the risk of a data leakage. Although contractual terms are an important part of data processing between parties, the ICO emphasizes that organizations “cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring technical and organizational controls back up those terms.”

The ICO raises three important points that all organizations should consider incorporating into their own vendor management process that involves the exchange or processing of personal data, confidential information or other sensitive business data. First, assess whether vendors have the competency to process this information in accordance with the law and industry standards. Second, prior to any exchange of data, a written contract should be executed that memorializes the vendor’s security standards; data assistance, confidentiality and breach notification requirements; and liability and remedies. Third, depending on the nature of the processing, the organization should provide meaningful oversight of the vendor to ensure its ongoing compliance with the contract. Given the degree to which organizations routinely disclose personal data, confidential information and other sensitive data with external entities, a vendor management contracting process has become a standard business practice.

The ICO report raises several data privacy issues in the RTB context that transcend the GDPR and provide insights into complying with multiple data protection laws. For example, it is important for an organization to fully understand the type, nature and scope of data it collects as part of its routine business practices – from cookie data on its website users to general personal information on its rewards program members – to truly recognize its legal obligations related to such data processing, which may include requesting and obtaining an individual’s consent.

Moreover, an organization should assess whether its data privacy policies and notices accurately reflect its current practices and legal obligations. Of particular importance, a data privacy policy should address how data practices operate, provide individuals with notice of their data processing choices and options, disclose to whom personal data is disclosed, and identify the sources from which such data is obtained, especially if the source is not the individual whose personal data is being processed.

An organization should also be cognizant of its third-party and vendor management contracting to mitigate the risk of data leakage by ensuring proper technical controls are in place amongst the parties. Not only does third-party contracting protect personal data rights, it protects a business’s interests and can mitigate legal liability.