On June 20, 2019, the UK's Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation's (GDPR's) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space.
Real-time bidding (RTB) is currently the cornerstone of programmatic advertising, both on publisher websites and apps, enabling the buying and selling of advertising inventory in real time, generally through a public auction. The ICO previously highlighted the privacy risks involved in web and cross-device tracking in its Technology Strategy for 2018 - 2021, and has now provided a report on RTB. The adtech sector will be asked to respond to the report, and make changes where required while the ICO continues to map out the adtech landscape and issues. The ICO stresses that it will take a measured and iterative approach before undertaking a further industry review in six months' time, but it already concludes that there is a lack of maturity of the sector when it comes to GDPR compliance.
The ICO report addresses three key interlocking issues in its findings, which are outlined below:
The report clarifies that although it is theoretically possible for online behavioral advertising companies to rely on the legitimate interests legal ground, they should not do so in practice because:
The ICO caveats this report, stating that it does not represent the full nature of the ICO's concerns with either RTB or the adtech space. The ICO further acknowledges that there are a number of existing frameworks in the marketplace and it is working with the relevant organisations to revise these and ensure compliance.
In the ICO's view, the adtech industry does not appropriately address the issues above, with many players failing to conduct data protection impact assessments (DPIAs). Given the technologies used, the scale of the processing, the involvement of vulnerable individuals, and the use of profiling, the ICO takes the position that DPIAs are required. The industry has made progress towards reconciliation of its activities with the GDPR and PECR through a number of protocols but, according to the ICO, these efforts fall far short of the legal standard.
This report is a call to arms for the industry. Given the complexity of the space, and RTB in particular, the ICO is asking for the sector to fully engage and put forward a solution for compliance. Whilst the ICO is clear that adtech remains a key focus and is firmly on its radar, its next steps lean towards further industry engagement, rather than immediate or decisive enforcement.
Josephine Jay contributed to the preparation of this WSGR alert.