On 20th June 2019 the Information Commissioner’s Office (ICO) published its “Update report into adtech and real time bidding” setting out the ICO’s findings and views on data protection practices in the adtech industry. This follows a review by the ICO of the adtech industry, including engagement with industry stakeholders. The review focused specifically on real time bidding (RTB) as, according to the ICO, this type of online behavioural advertising appears particularly challenging from a privacy perspective due to its complexity. The report should serve as a warning to anyone operating in the adtech space: the ICO makes it clear that it will expect change, and the industry is also under scrutiny for its data handling in other parts of the world.
In this report, the ICO regards the level of compliance with data protection laws (notably the GDPR / Data Protection Act 2018 and the e-Privacy directive / Privacy and Electronic Communications Regulations) as insufficiently mature. The ICO invites the organisations acting in the RTB ecosystem to adjust their data protection practices and, in particular, “to re-evaluate their approach to privacy notices, use of personal data and the lawful bases they apply”.
The two priority concerns identified by the ICO in the adtech context are:
Sensitive data (i.e. special categories of data): this is often processed without the necessary explicit consent or other specific justification for processing.
The data supply chain: companies tend to rely solely on contracts to ensure compliance with data protection law but this does not appear sufficient or appropriate in light of the complexity of this ecosystem (multiple actors, chains of data transfers and repeated sharing among chains of businesses of a vast amount of data).
Other key concerns identified by the ICO are:
Legal bases for processing: many companies providing adtech or engaging with adtech providers rely on legitimate interest as a justification for processing when in fact consent may be required for the placing of cookies or other tracking technologies. The ICO also takes the view that consent is the most suitable basis for data processing subsequent to the placing of cookies, as the intrusiveness of RTB processing can hardly be justified by the legitimate interest of the controller.
Transparency: privacy notices to data subjects are not sufficiently clear and do not give individuals an appropriate picture of what happens to their data. The ICO notes the complexity and opacity of the RTB system and the fact that even the participants often do not know with whom data is shared or how their processing operations work.
The ICO also found that compliance is insufficient with respect to data protection impact assessments (DPIAs) and information security measures. Finally, the ICO found inconsistencies in relation to the implementation of data minimization and retention measures.
The report is not guidance, nor is it legally binding on organisations. However, the report could result in future guidance and, in any case, it is useful for organisations to understand the ICO’s priorities and views regarding the current state of compliance in relation to adtech. Ignoring the ICO’s recommendations may increase organizations’ risk of ICO action against them, and of fines and regulatory actions more generally, in the future.
The ICO will continue engaging with the adtech industry and exploring data protection implications in this sector (in particular by means of targeted information-gathering activities related to the data supply chain, profiling, controls, and DPIAs). The ICO may undertake a further industry review in six months’ time and may issue a further update report in 2020. The ICO has stated it intends to provide organizations with an appropriate period of time to adjust their practices, but it is clear the ICO expects current practices to change to address its concerns.