March 02, 2020

UK ICO to begin formal enforcement action against the adtech industry


In June 2019, the UK Information Commissioner's Office ("ICO") produced a report on the advertising industry's use of adtech and real time bidding ("RTB") and whether UK data protection and e-marketing legislation was being complied with. The report criticised parts of the sector for not doing enough to safeguard personal data, but stated that the ICO would give organisations a six-month grace period prior to taking regulatory action, during which time they would work with stakeholders in the industry to ensure that steps were being taken towards compliance.

On 17 January 2020, in a blog by their Executive Director of Technology and Innovation, Simon McDougall1, the ICO stated that, whilst some stakeholders had engaged positively with them following the publication of June's report, overall the ICO were not satisfied that enough was being done by the industry and that, as a result, they would begin taking formal regulatory action. In this article, we explore the concepts of adtech and RTB, before taking a closer look at some of the potential issues that the ICO have identified surrounding their use, and the possible next steps that the ICO could take.

What is adtech, and what is it used for?
The ICO defines adtech as 'tools that analyse and manage information for online advertising campaigns and automate the processing of advertising transactions'.2 Adtech is frequently used in conjunction with RTB – a live process that facilitates the auction of online advert impressions in the milliseconds that it takes for a webpage to load and display to users. The use of RTB is somewhat controversial, with the information that advertisers are provided with to facilitate the auction process often falling under the definition of personal data under the European General Data Protection Regulation ("GDPR"). The ICO is concerned that some within the adtech industry are not always using the appropriate lawful basis to obtain that data and, when they are obtaining personal data, are not doing enough to safeguard it.

What exactly have the ICO said?
In their June report, the ICO identified a number of concerns that they have with the adtech industry and the use of RTB.

Lawful Basis
The ICO have commented on there being a 'lack of clarity' from many RTB participants regarding the appropriate lawful basis that should be relied upon for processing under Article 6 of the GDPR, with many participants relying on 'legitimate interests' for both the processing of personal data and for the setting of cookies to obtain that data. However, the ICO have been keen to highlight that using legitimate interests as the legal basis for processing risks falling short of compliance with the Privacy and Electronic Communications Regulation ("PECR"). PECR, together with the ICO's own latest guidance on the use of cookies (published by the ICO in July 2019), makes it very difficult for organisations to rely on legitimate interests for the use of cookies, rather than consent obtained in accordance with the GDPR standard (which must be fully informed, unbundled, affirmatively given and capable of being withdrawn).

The Use of Special Category Data
One of the major concerns that the ICO have expressed surrounds the use of special category data in adtech and RTB. The ICO has claimed that 'a proportion of bid requests involve the processing of special category data', before going on to note that processing special category data is forbidden, unless one of the conditions within Article 9 of the GDPR applies.3 The only Article 9 condition that is likely to apply to RTB is Article 9 (2) (a) – explicit consent – with the ICO making it very clear that, in their view, adtech and RTB participants cannot rely on any other conditions for the processing of special category data. The ICO have noted that participants should either modify their existing consent mechanisms in order to actively obtain specific consent for the processing of special category data, or cease to process this kind of data.4

The Lack of Transparency
Another concern relates to the lack of transparency in the adtech sector. This includes both a general lack of transparency - typified by the fact that many internet users are often unaware that their data is being used in this way - and the failure of participants in the industry to provide users with sufficient information to comply with the information and transparency requirements set out in Articles 13 and 14 of the GDPR. For example, Article 14 (1) (d) states that individuals must be informed of the 'recipients or categories of recipients of (their) personal data'. However, as the ICO notes, with RTB this is usually simply not possible. The ultimate recipients of the personal data do not typically have the means to contact the relevant individuals, as the first parties that receive the data from the individuals in the form of cookies often have no idea, at the point of obtaining the data, which advertisers they will be selling it to. As such, it is typically impossible for the first party to provide the user with the required information about the advertisers, or to gain the user's consent for those advertisers to receive their information.

Data Supply Chains
The sheer complexity and volume of participants involved in adtech and RTB means that the data supply chains can often be very lengthy. In fact, according to the ICO, 'a single RTB request can result in personal data being processed by hundreds of organisations', as both the successful and unsuccessful bidders are receiving a user's information during the RTB process. With a data supply chain this large, the risk of data leakage and/or data misuse significantly increases. The ICO have said that they intend to closely monitor data supply chains within RTB, and have warned that organisations will need to be able to demonstrate that their activities are compliant with the GDPR.5

Data Protection Impact Assessments ("DPIAs")
DPIAs are a way of mapping, measuring and assessing the level of risk associated with particular data processing activities. High-risk activities are usually deemed to be those that (amongst other things): involve new technologies (e.g. facial recognition software); involve large scale processing of personal data; or use personal data to make automated decisions about a data subject. In the opinion of the ICO, RTB satisfies all of these requirements, and the ICO has expressed concern that the vast majority of participants in the adtech and RTB sector are not currently meeting their obligations to complete DPIAs in relation to the use of this technology.6

The threat of regulatory action
On the other end of the spectrum, the ICO have reported that many organisations still 'have their heads firmly in the sand', and that they are now confident that engagement alone will not solve the problems that they have with the industry. The ICO reports that many of the concerns that the ICO shared in their June report still persist, with the organisation describing some of the DPIAs that they have received as 'immature', and with concerns remaining around the justification that some adtech companies are giving for gaining and processing the personal data. The basic level of data protection controls over security, data retention and data sharing also remain areas of concern. The ICO signs off its latest blog with a warning to adtech companies that remain non-compliant with data protection laws, stating that: 'those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers'.


2 201906.pdf
