On June 20, 2019, the UK's Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation's (GDPR's) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space.

Background

When the GDPR became effective on May 25, 2018, it imposed new and strict obligations on companies processing personal data. In the UK, the Privacy and Electronic Communications Regulations (PECR), which implements the EU e-Privacy Directive and will soon be replaced by the e-Privacy Regulation, complements the GDPR requirements. Both the GDPR and PECR govern how data is collected and further processed in the online advertising industry, including requiring notice and a legal basis for processing. The PECR specifically applies to the use of cookies and similar technologies and sets out the rules for consent to use these technologies.

Real-time bidding (RTB) is currently the cornerstone of programmatic advertising, both on publisher websites and apps, enabling the buying and selling of advertising inventory in real time, generally through a public auction. The ICO previously highlighted the privacy risks involved in web and cross-device tracking in its Technology Strategy for 2018 - 2021, and has now provided a report on RTB. The adtech sector will be asked to respond to the report, and make changes where required while the ICO continues to map out the adtech landscape and issues. The ICO stresses that it will take a measured and iterative approach before undertaking a further industry review in six months' time, but it already concludes that there is a lack of maturity of the sector when it comes to GDPR compliance.

Key Issues

The ICO report addresses three key interlocking issues in its findings, which are outlined below:

1. There is a misunderstanding in the industry about the appropriate legal basis for processing. Under the PECR, consent is required for the dropping or reading of cookies. According to the ICO, this rules out any other legal basis for processing, but many industry players are continuing to rely on legitimate interests for this purpose. The ICO notes that current consent frameworks that are available to publishers are not fully compliant. 
   
   The report clarifies that although it is theoretically possible for online behavioral advertising companies to rely on the legitimate interests legal ground, they should not do so in practice because:
   • when sensitive data is processed, explicit consent is required;
   • prior consent is required under the PECR for dropping or reading cookies for advertising. Consequently, the ICO states that it is unnecessary, confusing, and potentially unfair to rely on the legitimate interests of a party involved as an additional legal ground for processing when advertising is concerned; and
   • the ICO is of the view that, given the nature of RTB, legitimate interests does not provide a valid legal ground for processing. According to the ICO, the use of personal data is not proportionate and overly intrusive.
2. There is an inherent lack of transparency in the adtech space. According to the report, the RTB ecosystem is complex and opaque with individuals' profiles being enriched and shared many times, arguably beyond the understanding of the publisher or even the first layer of adtech players who participate. Given this, the ICO finds it difficult to believe that data subjects are provided with the information necessary to allow them to make an informed decision or to give valid consent.
3. The data supply chain introduces security and data sharing concerns. The report states that thousands of organisations process billions of bid requests in the UK alone each week. Many of these bodies are not part of an industry protocol, and data will be further processed outside of the EU, meaning that there is no guarantee that the data will be transferred or processed in accordance with the GDPR. The industry has tried to tackle this by means of contractual controls, but these are not bolstered by the requisite monitoring and security measures and, according to the ICO, do not provide a sufficient level of guarantees for processing personal data in compliance with the GDPR.

The ICO caveats this report, stating that it does not represent the full nature of the ICO's concerns with either RTB or the adtech space. The ICO further acknowledges that there are a number of existing frameworks in the marketplace and it is working with the relevant organisations to revise these and ensure compliance.

Conclusion

In the ICO's view, the adtech industry does not appropriately address the issues above, with many players failing to conduct data protection impact assessments (DPIAs). Given the technologies used, the scale of the processing, the involvement of vulnerable individuals, and the use of profiling, the ICO takes the position that DPIAs are required. The industry has made progress towards reconciliation of its activities with the GDPR and PECR through a number of protocols but, according to the ICO, these efforts fall far short of the legal standard.

This report is a call to arms for the industry. Given the complexity of the space, and RTB in particular, the ICO is asking for the sector to fully engage and put forward a solution for compliance. Whilst the ICO is clear that adtech remains a key focus and is firmly on its radar, its next steps lean towards further industry engagement, rather than immediate or decisive enforcement.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will monitor closely developments related to adtech in Europe. For more information, please contact Cédric Burton, Jan Dhont, Lore Leitner, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.

Josephine Jay contributed to the preparation of this WSGR alert.