The update report clarifies the views of the ICO on adtech, in particular on the use of personal data in RTB (Real Time Bidding), as well as the planned next steps.
The ICO’s investigations have raised a number of concerns about data protection practices within the RTB. The following areas have been prioritised in the report:
- Transparency and Consent: The protocols used in RTB include data fields representing data of a specific category, which requires the explicit consent of the data subject. In addition, current practices for processing personal data generally remain problematic, even if the data of the special category have been removed. For example:
- the identification of a legitimate basis for the processing of personal data in the RTB remains a challenge, as the scenarios in which legitimate interests could apply are limited and the procedures for obtaining consent are often insufficient with regard to data protection requirements;
- the privacy notices for individuals are unclear and do not give them a complete overview of what happens to their data;
- the extent to which the creation and disclosure of profiles of personal data in RTB appears disproportionate, intrusive and unfair, in particular where data subjects are in many cases unaware that such processing is taking place; and
- It is unclear whether RTB participants have fully defined what data must be processed in order to achieve the desired result of targeted advertising to individuals. The complexity of the ecosystem means that participants will deal with it without fully understanding the privacy and ethical issues involved.
- Data supply chain: In many cases, contractual agreements are used to protect how data from bid requests is shared, secured, and deleted. This does not seem appropriate given the nature of the transfer of personal data and the number of intermediaries involved.
The prioritization of both the RTB and the above issues in the update report does not indicate that ICO believes that other areas of adtech and online advertising are “problem-free” in terms of data protection.
ICO has highlighted the lack of maturity of some market participants and the continuing economic incentives to associate personal data with alerts. Moreover, ICO does not believe that these problems can be solved without intervention. The ICO follows the following measured and iterative approach because:
- This is an extremely complex market, involving several technologies and players – and one will learn more about it in the future;
- there are a number of industry initiatives to address these challenges which can be further stimulated and accepted after initial action;
- there are additional considerations, in particular the economic vulnerability of many smaller publishers, which recommend that the ICO exercise caution and monitor the consequences of its actions; and
- adtech continues to grow and evolve rapidly, extending beyond the online environment – ensuring appropriate and responsible privacy practices is critical.
As part of this approach, the ICO wants to allow market participants a reasonable period of time to adapt their practices. At the end of this period, the UK data protection authority expects controllers and market participants to have taken their concerns into account.
In the short term, the ICO intends to do the following:
- to obtain further detailed comments from a selected data controllers on their management of bid request data in order to further improve their understanding of industry practices;
- further consult with IAB Europe and Google on the detailed scheme they use in their respective frameworks to determine whether certain data fields are excessive and intrusive and to agree (or mandate) possible revised schemes; and
- continue to exchange information with other data protection authorities in Europe and, where appropriate, identify opportunities for cooperation.