We reported recently that the Information Commissioner’s Office (ICO) were looking into the adtech sector and concerns around how personal data is being processed as part of the Real Time Bidding technology used to place online adverts on websites. On 20th June, the ICO published an Update Report into Adtech and Real Time Bidding.
The report itself isn’t legally binding, doesn’t form part of any guidance or indicate any form of enforcement action. They don’t say as much, but I’d say it will be difficult if you’re in the adtech sector to ignore the findings, which on the face of it are pretty damning, and expect to continue to get away with unlawful processing. Definitely, watch this space for further information from the ICO and probably expectations on taking things forward towards proper compliance – as the ICO puts it “If you operate in the adtech space, it’s time to look at what you’re doing now, and to assess how you use personal data.”
In the report, the ICO highlights the main concerns with RTB (Real Time Bidding) and acknowledges that whilst the report is primarily about RTB there is still work to do in other areas of adtech. Specifically, the ICO says RTB carries a number of personal data risks including:
- profiling and automated decision making
- large-scale processing including of special category of data (that would normally require explicit consent to process)
- combing and matching data from multiple sources
- tracking of location and behaviours of data subjects
- invisible processing
- lack of transparency to the end user (data subject)
All things that the GDPR and privacy law restrict or control in one way or another.
So, what are the key issues identified in the report?
Generally speaking the key issues are:
- Lack of consideration by some RTB participants on what the lawful basis for processing is, with some using legitimate interest inappropriately
- Consent mechanisms being used are not compliant with the requirements for when special category data is processed (which requires an additional special category condition for processing (Article 9))
- Privacy information (privacy notices) is often inadequate in explaining what happens with user data and lack of transparency around who data is shared with
- Lack of controls around who data is shared with, where in the world they are based (restricted transfers outside the EEA in many cases) and therefore lack of controls around security of the data
- DPIA (data protection impact assessments) are mandatory because of the type of processing taking place, but not many DPIA have been carried out to identify the risks and attempt to mitigate them
The ICO therefore concludes:
- Non-special category data is being processed unlawfully at the point of collection because of the belief that legitimate interests apply for the placing/reading of cookie data, rather than relying on consent as required by PECR
- Special category data is being processed unlawfully because explicit consent is not being collected
- Even if legitimate interests apply in some of the supply chain processing, there is little evidence that legitimate interest assessments have been carried out or that appropriate safeguards are in place
- The risks from RTB are not being fully assessed because DPIA are not being carried out
- There is a lack of transparency in privacy notices about how how the processing works and how and where data is being shared
- Billions of bid requests are processed each week without appropriate organisational or technical measures in place to secure the data
- Appropriate considerations of the requirements for restricted international transfers or data as part of the bidding process have been largely ignored or approaches are inappropriate
- Inconsistencies in the application of data minimisation (limiting what personal data is needed) and data retention controls
What are the next steps?
Going forward the ICO is going to:
- Continue to understand the complexity of the RTB data supply chain for further analysis
- Engage further with stakeholders in the adtech sector
- Engage with other Data Protection Authorities (i.e. the other “ICOs” across the EU)
- Consider further information obtaining exercise (referred to as an “industry sweep”)
The ICO is also expecting data controllers in the adtech sector to review their approaches to privacy notices, use of personal data and the lawful basis for processing data within the RTB ecosystem.