Introduction

The nearly unlimited possibilities of present-day technologies grouped under the umbrella of adtech, including online behavioural advertising, pose legal compliance challenges for businesses looking to take advantage of the latest advertising trends.

Adtech is defined by the UK Information Commissioner’s Office as, “Tools that analyse and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions. [Adtech covers] the end-to-end lifecycle of the advertising delivery process, which often involves engaging third parties for one or more aspects of these services, although some advertising is still placed directly between advertisers and publishers.”[1]

These Guidelines are intended to provide actors in the adtech space with an understanding of the primary solutions to common problems related to Programmatic Advertising and Real Time Bidding (RTB) and do not constitute legal advice.

PROBLEM

Lawfulness: Absence of a valid legal basis to collect personal data through cookies and tracking technologies.

ICTLC’s PROPOSED SOLUTION

  • Rely on consent. Consent is the only appropriate legal basis for using profiling cookies and tracking technologies, because Article 5(3) of the ePrivacy Directive requires it for any storage of, or access to, information on the user's device that is not strictly necessary for a service the user has requested.
  • Remember that consent must always be freely given, specific, informed and unambiguous, and provided by a clear affirmative action on the part of the user!
  • Freely given: Don't create undue pressure for users to consent, or detriment to users if they refuse or withdraw consent (cookie walls, which deny access unless the user consents, are the typical example);
  • Specific: Make sure you identify the purpose for which you are seeking consent as specifically as possible in the wording of your consent request.
  • Informed: The minimum information you should give for consent to be valid, and which should be provided directly to users when asking for consent, includes (i) your identity as a controller, (ii) the specific purpose you identify for the consent request, (iii) the type of data you want to use, (iv) the right to withdraw consent, and how it can be exercised, (v) meaningful information about the adtech process, namely where personal data may be used to make automated decisions affecting the user (such as the logic involved, the possible consequences for the user, and how the user can react), and (vi) whether any risks arise for users due to transfer of data outside of the EU (in the absence of a relevant adequacy decision or appropriate safeguards in place, such as standard contractual clauses). You still need to include the rest of the Art. 13/14 GDPR information somewhere, such as in your Privacy Policy.
  • Unambiguous / clear affirmative action: Consent should be given by a positive action, not implied from inaction (pre-ticked boxes should not be used). Avoid actions which, albeit positive, create doubt as to whether the user actually wants to consent (typical examples are continuing to browse the website or scrolling down the page).
  • Consent needs to be collected before the processing starts. If a cookie requires consent, it should not be set until consent is obtained!
  • Don't assume that consent collected by a third party is valid, even if you have a contract with that third party requiring them to collect consent correctly. Carry out regular checks, or even audits, of how that third party actually collects consent.
  • Make use of Consent Management Platforms to ensure that consent is properly collected and can be evidenced; make sure that any such platform is configured in line with GDPR consent requirements (no pre-ticked purposes, no cookies set before the user acts, withdrawal as easy as giving consent).

PROBLEM

Fairness: Lack of safeguards, user understanding, lack of user control, creation of very detailed profiles shared on a large scale.

ICTLC’s PROPOSED SOLUTION

  • Consider the proportionality of the data you use. Do you actually need to collect as much user data as you do for your adtech purposes? Could you achieve the same or substantially similar results with less information?
  • Increase user control. Help users to understand how RTB works, provide them with regular reminders that you are monitoring them, and offer easy means for them to stop the monitoring.
  • Ensure the ease and simplicity of consent withdrawal and cookie management.

PROBLEM

Transparency: Information provided to users is either lacking or overly complex.

ICTLC’s PROPOSED SOLUTION

  • Effectively communicate essential information to users.
  • Consider layered Privacy Policies, push and pull notices, hover-over pop-ups, and other more interactive means.
  • Determine how much information on recipients is enough and don't provide more than what is necessary. Remember that overloading users with information can leave them as uninformed as providing no information at all. Follow the guidance of your supervisory authority on this, if any.
  • See also the “Informed” section above under the “Lawfulness: Absence of a valid legal basis to collect personal data through cookies and tracking technologies” Problem.

PROBLEM

Purpose Limitation: Managing the Publisher/Advertiser relationship.

ICTLC’s PROPOSED SOLUTION

  • Engage in Joint Controllership Agreements and Data Management Agreements to limit the ways in which received user data can be further used, to impose specific security measures, to establish safeguards for users, etc.
  • Controller-to-controller agreements can impose specific consent-collection requirements upon Publishers and allocate responsibility for data protection compliance among the different stakeholders.

PROBLEM

Data Minimisation: Building very detailed user profiles, leading to an excessive collection of user data that may include special categories of personal data.

ICTLC’s PROPOSED SOLUTION

  • Ensure that only the minimum user data needed to provide an effective profile is transmitted.
  • Balance user rights against your interest in obtaining detailed user profiles.
  • Remember that in the long run, more information means more risk to the rights of users.
  • Don't disclose special categories of personal data (sensitive data), unless you are sure that you have a legal basis AND an applicable exception under Art. 9(2) GDPR to the prohibition on processing such data. Moreover, on this point, don't forget to check applicable EU Member State legislation, which may impose additional restrictions.

PROBLEM

Storage Limitation: User profiles generated through RTB are stored for an indefinite period of time.

ICTLC’s PROPOSED SOLUTION

  • Set appropriate, explicit expiration dates for cookies and tracking technologies rather than leaving them open-ended. Cookie data should be deleted once profiles have been successfully created.
  • Base any retention periods on necessity (how long do I need to keep the data to meet my purpose?), legal obligation (how long does the law require me to keep the data?) and/or the need for precautionary legal measures (how long do I need to keep the data as evidence to address potential legal claims?).
  • If personal data is no longer strictly necessary for its original purpose, delete it! (Unless you are legally required to keep it for longer, or you need it to protect your legitimate interests).

PROBLEM

Security: Disclosing data to an indeterminate number of recipients.

ICTLC’s PROPOSED SOLUTION

  • Apply appropriate technical and organisational security measures (Art. 32 GDPR) within your own systems before worrying about everyone else's.
  • Engage in Joint Controllership Agreements and Data Management Agreements that require a minimum baseline for security, imposing obligations on any other entities that are to come into contact with the data you collect and share.

PROBLEM

Accountability: High-risk processing activities, including: evaluation or scoring (profiling) of users; systematic monitoring of users (via cookies and tracking technologies); sensitive data (depending on the data collected and its source); large-scale processing (a multitude of user profiles, each with many data points, may be handled); matching or combining datasets (profile enrichment); and use of novel technologies (new types of cookies and tracking tech, Ad Exchanges, etc.).

ICTLC’s PROPOSED SOLUTION

  • Perform a thorough Data Protection Impact Assessment of the impact on the rights, freedoms and legitimate interests of users resulting from the use of their personal data.
  • Identify and document the relevant risks, and the measures taken to comply with the data protection principles and to address those risks.
  • Document all compliance actions so that they can potentially be shown as evidence to competent Supervisory Authorities or to the Judiciary.