UK Privacy Regulator Takes Aim at the AdTech Industry

ICO-UK-logo-300x300The UK Data Protection Authority, the Information Commissioner’s Office (ICO), has published an update report on privacy issues around real-time bidding (RTB) and programmatic advertising. The report is a progress update on the ICO’s investigation into the AdTech industry, which it says is one of its regulatory priorities.

The ICO is concerned that most individuals have a limited understanding of how the AdTech ecosystem processes their personal data. Earlier this year, it commissioned research into online advertising, finding that 63% of the 2,300 participants indicated they found it acceptable that ads funded free content; however, when researchers explained how RTB works, this fell to 36%.

What Is RTB?
RTB refers to the process of buying and selling online ad space through real-time auctions that occur in the time it takes a website to load.

Broadly, when you visit a website (or open an app, use a video-streaming service, walk past a digital billboard using recognition technology, etc.) certain information may be collected by the website, merged with other information about you, and shared, via third-party intermediaries, with advertisers who bid against each other to display their advert to you. This all happens in an instant and relies, in part, on cookies and similar technology.

The information shared may include your IP address (or part of it), cookie IDs, your location, time zone, language settings, device type and other information relating to your search queries, site behavior, demographic information, etc. The ICO takes the view that some of this information constitutes personal data under the GDPR, and could indicate particularly sensitive attributes, such as your health, ethnicity, political leanings, etc.

What are the ICO’s concerns?

The ICO is concerned that:

  • Website publishers do not have a valid legal basis for placing cookies (i.e., valid user consent), or for processing information which could be sensitive, such as health, ethnicity, political leanings, etc. (known as special category data under the GDPR, requiring “explicit” consent).
  • The ICO expressed concern that many in the AdTech industry mistakenly believe that they can rely on legitimate interest as a valid legal basis for the placing and/or reading of cookies—EU law requires consent.
  • There appears to be a lack of understanding of, and potentially compliance with, the Data Protection Impact Assessment (DPIA) requirements in the GDPR. In the ICO’s view, a DPIA is mandatory where personal data is processed for RTB, given the high risk to individuals.
  • The privacy policies and information provided to users cannot ensure transparency and fair processing of data.
  • Industry initiatives such as the IAB Transparency and Consent Framework do not currently address the ICO’s concerns.
  • The ad profiles created about individuals can be detailed and are repeatedly shared among hundreds of organizations for any one bid request, all without the individuals’ knowledge.
  • There is an inconsistent application of measures to secure the data in transit and at rest. Individuals have no guarantees about the security of their personal data within the AdTech ecosystem.
  • There is little or no consideration as to the requirements of data protection law about international transfers of personal data, and similar inconsistencies about applying data minimization and retention controls.

What next?
Going forward, the ICO intends to undertake targeted information-gathering activities, engage with stakeholders and cooperate with other data protection authorities. Following these efforts, it may undertake a further industry review in six months’ time. The scope and nature of such an exercise will depend on the ICO’s findings over the forthcoming months.

The AdTech industry is facing increasing scrutiny by European authorities. Earlier this year, France’s data protection authority fined Alphabet’s Google 50 million euros ($57 million) for breaching European Union online privacy rules. The French regulator said that Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads—these issues were also flagged in the ICO’s report.

On the back of the Google fine and the ICO’s report, organizations involved in the AdTech industry should re-evaluate their approach to privacy notices, their use of personal data, and the lawful bases they rely upon within the RTB ecosystem. The ICO says it will continue to focus on both RTB and AdTech in general and may issue a further update report in 2020.


Like the FTC Before It, the UK’s Competition and Markets Authority Puts Influencers on Alert