The good news for those engaging in online behavioural advertising is that the report acknowledges that “the automated delivery of ad impressions is here to stay”.
The not-so-good news is that the ICO is unimpressed with the adtech industry’s level of maturity in understanding and meeting data protection requirements. As such, the ICO envisages regulatory intervention in this area to be inevitable. Whilst the report does not purport to address all privacy challenges arising in from use of adtech, key points to note include:
- Data protection impact assessments (DPIAs) are mandatory for processing of personal data in the context of real time bidding (RTB). Despite the propensity of RTB activities to satisfy the triggers for a DPIA under Article 35 of the GDPR, the ICO’s impression is that many organisations within the RTB ecosystem have not undertaken any such DPIAs.
- Consent is always the most appropriate lawful basis for RTB processing activities. The ICO’s view is that the nature of processing within RTB makes it impossible to satisfy the criteria for reliance on legitimate interests as a lawful basis for processing. The ICO considers consent to be the only lawful basis for processing relating to the placing and reading of the cookie and the onward transfer of the bid request. Even if an argument could be made for reliance on legitimate interests, the ICO has said that participants within the ecosystem are unable to show that they have properly carried out the legitimate interests tests and implemented appropriate safeguards. Where bid requests involve the processing of sensitive data (aka “special categories of personal data”), the ICO concludes that the current requests for consent under both the IAB Europe’s Transparency and Consent Framework (TCF) and Google’s Authorised Buyers’ framework (AB Framework) are non-compliant. Adtech participants should therefore either modify their existing consent mechanisms to obtain explicit consent, or not process sensitive data at all.
- Industry initiatives must try harder to satisfy GDPR transparency requirements. Whilst providing fair processing information in an online environment can be challenging, the information provided in RTB lacks clarity and is overly complex. Industry initiatives such as the TCF and AB Framework are trying to address this problem, but the ICO’s view is that these are insufficient to ensure transparency and fair processing of personal data, and therefore also insufficient for obtaining freely-given and informed consent.
- Data processing in the RTB context is excessive to the purpose of delivering targeted ads. The ICO deems the creation, sharing and enrichment of detailed user profiles in the RTB context to be disproportionate, intrusive and unfair. This conclusion will be particularly difficult for data management platforms and data brokers operating in this space.
- Organisations need to do more to stop data leakage. Relying on contractual provisions alone is insufficient to ensure data protection-compliant processing through the data supply chain. Organisations must also undertake appropriate monitoring and ensure that contractual terms are supported by appropriate technical and organisational measures.
From July 2019, the ICO will undertake targeted information gathering to further explore the data protection implications of RTB, including in relation to the data supply chain and profiling. It intends to engage further with IAB Europe, Google, and other key stakeholders, and will be collaborating with data protection authorities in other European countries who are also considering complaints in this area.
It is clear is that the clock has started ticking on the need for those involved in online behavioural advertising to act. The ICO may undertake a further industry review in six months’ time; in the interim, it expects controllers to evaluate their use of personal data, approach to privacy notices and the lawful basis invoked in the context of RTB. Whilst an official regulatory view provides a helpful litmus test in enabling participants to assess their level of compliance, it is now down to adtech players to figure out how to reconcile their existing practices with the views expressed in the report.