UK Information Commissioner’s Office Report Increases AdTech’s GDPR Obligations
The UK Information Commissioner’s Office fired a shot across the bow of AdTech companies subject to the GDPR in its June 20, 2019 report on AdTech and Real-Time Bidding (RTB). The industry has thus far tried to stay low-profile while complying with privacy laws, but the ICO’s report makes clear that regulators are looking more closely at the highly-technical space.
What is RTB?
RTB involves the real-time auction of advertising space on a website to multiple advertisers based on what the auction system (including Demand-Side Platforms, Supply-Side Platforms, Data Management Platforms, and others) knows about the user loading that site. These platforms often have access to hundreds of pieces of personal data about the user, such as:
the user's IP address;
cookie IDs;
user IDs;
a user-agent string identifying the user's browser and device type;
the user's location;
the user's time zone;
the detected language of the user's system;
· a user’s race, religion, or other sensitive data.
The GDPR forced many companies selling personal data in RTB out of business, but many companies continued to monetize personal data without consent from the end user, choosing legitimate business interest as the legal basis for their activities under the GDPR.
The ICO’s June 20 report closed that loophole, bluntly stating: “[i]n our view, the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (i.e. processing relating to the placing and reading of the cookie and the onward transfer of the bid request).”
What does the ICO’s Guidance Change?
The primacy of user consent as a legal basis for processing creates a compliance headache for RTB participants because the personal data necessary for an informed auction is often far removed from the original consent of the user. AdTech companies have not universally adopted methods to ensure that each consumer has validly consented to the use of each piece of personal data used to serve an ad, or that withdrawal of user consent will propagate across the auction ecosystem. Without “legitimate business interest” as a fallback to defend against regulatory actions, AdTech companies will have to take extra care that their personal data sources can show valid consent.
Further, many platforms are unclear on what uses of personal data transform them from mere processors into controllers. In other words, if a user validly consents to marketing cookies for, say, a running shoe website, can a Supply-Side Platform legally use that cookie to place an advertisement for medical services? Many platforms currently depend on the answer being ‘yes’, but the ICO’s guidance casts doubt on that fundamental principle. Many players in the RTB ecosystem went away rather than retool their systems to procure consent.
How can AdTech Companies Comply?
In light of the report’s conclusions about consent and processing of sensitive personal data, AdTech companies should take away the following, all of which should be considered before the ICO’s second “industry sweep” in six months:
Consent is king; transparency is queen. If an RTB company does not know where its personal data comes from and cannot verify the original user has consented to the processing, the company takes a huge business risk. The ICO’s guidance affects privacy notices as well; any company selling personal data must revise their privacy notice to include “extensive lists of organisations who the data ‘might’ be shared with, depending on the specifics of the auction process.”
Prepare for regulation. The report stated that contracts between industry participants were inadequate unless they had regulatory blessing: “Organisations cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring technical and organisational controls back up those terms.”
Consider using a consent management platform and performing a data protection impact assessment (DPIA). Consent management platforms help procure and manage user consent for publishers, providing one more layer of protection against a charge of unauthorized processing of personal data. The ICO also repeatedly stressed the importance of conducting a DPIA to buttress a claim of legal processing.
Beware purchasing third-party data. Any purchase of personal data from third parties (so-called “third-party data”) to supplement user profiles should come with a thorough audit of the consent behind that data. Purchasing third-party data also raises the question of how to verify a user has not withdrawn their consent.
Reconsider the retention period for personal data. The longer you retain personal data, the greater the risk that (i) the user withdraws consent (ii) the information becomes stale, and (iii) you suffer a data breach. Buying the same information twice is unattractive for any business, so evaluate the useful life of any personal data your company processes.
Avoid predicting sensitive data. The personal data in RTB may enable you to make predictions about a user’s political affiliation, race, religion, or anything else families argue about over the dinner table. The ICO is clear that processing such information requires explicit consent, which is a higher bar than checking a box.
California Consumer Privacy Act Watchers, Take Note
The CCPA specifically targets AdTech, including explicit language for companies to include a “do not sell my personal information” button on websites. It stands to reason that the CCPA’s drafters would also want to hold RTB companies accountable for unauthorized processing of personal data in the auction ecosystem. With CCPA regulations expected in the next few months, it’s a good bet that California will look to the EU (and the ICO) for guidance on more technical issues.
***
Are you preparing to comply with the GDPR, CCPA, or another privacy law? Contact SK&S privacy attorney Thomas Codevilla at Codevilla@skandslegal.com or 720-608-4799. Thomas has extensive experience in CCPA, GDPR, and COPPA compliance.