On 20 June the ICO issued its interim report into its review of the adtech industry and real time bidding process (“RTB”) that forms an integral part of the online advertising ecosystem. The ICO has identified adtech as a priority area for review, noting the pervasive growth of an industry which is reliant on making billions of decisions online about users on a daily basis, but where the privacy related requirements are often misunderstood and often poorly applied, exposing users to potential risk. The report is one of a number of similar initiatives that the ICO and other European supervisory authorities are working on; in particular, the ICO has published its guidance today on cookies (on which we will publish a further blog post).

The adtech report is the first formal feedback from the ICO into its wider review of the industry, presenting a picture that shows an ecosystem suffering extensive compliance shortcomings – in particular around transparency, consent and the data supply chain. At this stage, the ICO’s intention is clearly to shine a spotlight on the shortfalls that need addressing (which are clearly presented as systemic) and encourage industry to engage closely in coming months to develop some more mature thinking on the operating model and adopt appropriate reforms to support better compliance. Whilst critics may say this is a missed opportunity to provide a simple set of steps which need to be done, it is clear that the “complexity and opacity of the RTB ecosystem” makes this sort of approach unrealistic – a “measured and iterative approach” is sensible to allow the market to gradually mend its ways, with the threat of enforcement hanging over those who ultimately fail to get on board.

RTB – what is it?

RTB is the process which culminates in targeted adverts displayed to website and app users (“users”). The key actors in the RTB process are the publishers – i.e. the website owners/online services providers – who sell advertising space to advertisers through ad exchanges. Advertisers bid in real time to place adverts to users through a bid request process where advertisers can find a suitable user audience. To facilitate this, publishers typically share with ad exchanges data such as user IP addresses, location data and device types, and this can also include special category data of website users. The ICO highlights that the ‘man in the street’ won’t appreciate the complex network that sits behind the way online ads are served, and that for every advert there is an open auction process involving multiple organisations, all of which could be processing personal data of users (whether or not a particular organisation “wins” the bid), and volumes of personal data collected from a multitude of data sources. And this all happens in milliseconds.

Also key to the process are cookies: user information which sits within the auction process (and ultimate display of targeted ads) is typically gathered through cookies and other similar technologies. Given the intricacies of cookies and a prevalent misunderstanding (both from organisations and consumers) of how they are deployed, it is no surprise that material failings have been detected by the ICO in this report. As mentioned above, this review also forms part of a wider theme that the ICO is currently addressing regarding cookies.

There are three key themes to the ICO’s findings in the report:

(1) Consent

The report highlights that there is a fundamental misunderstanding in adtech between the rules which govern lawful collection and use of personal data under the GDPR and the requirements for consent collection under the ePrivacy regulations which apply to data collected through cookies. The ICO notes that market participants typically rely on ‘legitimate interests’ as the basis for collecting and processing user data for RTB without regard to the separate rules which govern cookie ‘consent’ under the ePrivacy regime. As most RTB relies on cookies to originate the data which supports the RTB process, the ePrivacy regime must be respected and consent should by default be secured from each user to support the downstream RTB process. This consent must be secured to a GDPR standard – which means the form of acceptance provided at the outset by the user to place a cookie must be explicit, fully informed as to the consequent use, and freely given. The ICO believes that many current cookie collection models do not currently meet this standard (including, ironically, the ICO’s own website until changed earlier this month). The ICO goes on to restate its view that if ‘consent’ is required to collect cookie data, the appropriate lawful basis for processing data under the GDPR (as part of the downstream RTB process) should also be consent – a principle that many in the adtech ecosystem simply don’t understand or properly apply (many publishers routinely relying on ‘legitimate interests’ for all types of RTB activity). This should be rectified. The report separately notes that in many cases bid requests may involve processing ‘special category data’ (eg data related to a user’s state of health or political or religious views) and that, irrespective of whether the cookie rules mandate consent for the use of this data, the GDPR will require explicit consent to be obtained before processing this data for RTB. Again this is not well understood and participants should look with care at how and when they may be sharing data which could constitute special category data.

(2) Transparency

The report also identifies problems with the way RTB meets the GDPR transparency requirements. The ICO notes that organisations fail to meet the full requirements of GDPR Articles 13 and 14 by not giving a full and accurate picture to users about what happens to their data within the adtech ecosystem. There is a real need to change the tone and substance of notices to give much more clarity to users about who will receive their data – organisations cannot meet the requirement to specify the “recipients or categories of recipients” of data (as required by Article 13(1)(e)) by simply giving a vague reference to the class of potential recipients within the ad exchange community, which can often involve over 450 organisations in the various data flows. More specific information about actual recipients should be given. The ICO recognises of course that this will be a real challenge for the current operating model and so a solution here will take time to work through.

In relation to the way profiles are created about users in ad exchanges and other intermediary facilities, almost always without the user’s awareness, the ICO’s view is clear – this is “disproportionate, intrusive and unfair in the context of processing personal data for the purposes of delivering targeted advertising” and so reform must be made. Again no immediate answers are provided, but the expectation is clearly set that current models must change, with an immediate focus on further industry consultation, including specific engagement with the main ecosystem operators (IAB Europe and Google) and other regulators.

(3) Data supply chain

The third theme of the report is the risk of “data leakage” in the supply chain. The risk here is that there are numerous parties exchanging volumes of personal data at speed, and once the data is out of the hands of one party there is no robust way to guarantee further protection and controls from other parties in the chain. The net of recipients is widely cast, as user information will go to a multitude of organisations, even if they don’t win the auction. There seem to be no hardy assurances regarding data minimisation, retention or security. Even where contracts may be put in place, the ICO reminds readers that that is not enough: in keeping with the accountability principle, organisations should be undertaking appropriate monitoring to assess the level of controls in place.

So what next? The main message of the report is that the ICO is taking a serious look at the industry and expects change to happen. Enforcement will undoubtedly come (the report for example references an impending industry ‘sweep’ which could certainly lead to action), but for now their focus is on further market engagement and an expectation that working practices must start to change.

Immediate areas of focus for those involved in the ecosystem will be to: (1) check valid cookie consents are in place at the point of data collection (many legacy cookie pop ups are unlikely to be fit for purpose for valid adtech data collection); (2) check the lawful basis for processing RTB data aligns to cookie consent wherever appropriate; (3) understand where processing of special category data is taking place and either restrict the collection of that data, or ensure it only applies with explicit user consent; (4) understand (as far as possible) where you sit in the RTB data supply chain and whether you can improve the transparency of messages you give to users about what you and others you work with in the supply chain do; and (5) consider (or reconsider) whether appropriate data protection impact assessments (DPIAs) have been undertaken to minimise the data protection risks of the processing operations involved in the adtech world.

These are just immediate issues to consider – more importantly, stay close to the evolving regulatory review process and the inevitable changes that will start to flow down the supply chain as clearer guidance emerges from the ICO, other data protection authorities and key industry bodies and market operators (eg IAB Europe, Google).