It was only a matter of time. U.K. data protection authority the ICO has investigated how the ad tech sector still uses personal data for the purposes of real-time bidding in programmatic advertising. Its verdict: not good enough.

The regulator has given ample time to businesses to show how they have adapted business processes in order to comply properly with the General Data Protection Regulation, introduced last May. But bar a small contingent of publishers and ad tech vendors, many continue to flout the law rather than risk any drop in ad revenues complying more strictly would cause.

On June. 20, the ICO released a report that specifically focuses on how the ad tech sector should comply with GDPR — an area that would be hard for it to ignore given the multiple privacy complaints made against the use of RTB in programmatic advertising by privacy activists.

The report will be circulated to the ad tech sector, and the ICO will check that its stipulations have been followed in six months’ time. It may decide then to write future guidance. The Irish DPA is also investigating many of the same issues raised in the report. Although the ICO hasn’t made any serious threats to businesses that don’t comply, it does intend for this additional clarity on certain areas of GDPR to be adhered to.

“We are clear about the areas where we have initial concerns, and we expect to see change,” wrote Information Commissioner Elizabeth Denham in the report.

Here’s a primer:

Legitimate interest is a goner
There have always been serious question marks over ad tech vendors claiming they have a legitimate interest to process individuals’ personal data for advertising purposes. But that hasn’t been enough of a deterrent it seems. While a lot more businesses have adopted more consent-led strategies after initially adopting legitimate interest strategies at the start, some continue to hide behind it.

The ICO has made it abundantly clear that claiming legitimate interest as a compliance strategy is impossible if a business is using real-time bidding. It cannot be used for bid-request processing, the only option is for businesses to obtain consumer consent.

Ad tech is flouting special-category data rule
GDPR outlines that special-category data — relating to especially sensitive data such as ethnic origin, and health background, to religion, political and sexual orientation — has always been dangerous ground for any ad tech business. Processing this kind of data requires an extra layer of protection as GDPR specifies that it risks harming individuals if misused. The ICO has now stated that any processing of this kind of data is unlawful without explicit consent. But it has also flagged that is has witnessed this GDPR stipulation being flouted by companies which use it within bid requests along with other information like device IDs, cookie IDs and location data.

IAB Europe and Google GDPR framework flaws highlighted
The ICO has examined the attempt at an industry standard around GDPR compliance, led by the Interactive Advertising Bureau Europe, and Google’s own version referred to as its “Authorized Buyers network,” having not yet synced with the IAB version. While the IAB Transparency and Consent Framework is currently undergoing an overhaul, the ICO has made it clear several fundamental areas won’t cut it. The simplest: there are over 450 companies registered with the framework, but a lot more who aren’t and continue to operate with the RTB environment. As such, consumers aren’t likely to understand the extent to which their data is used and by who.  “The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent,” stated the report.

Contractual agreements are worthless
In the digital ad trading ecosystem, any data used to buy ads on the open exchange is vulnerable to leakage. If an agency or a publisher agrees to a contract with a demand-side platform or a supply-side platform, there is no way to ensure that vendor won’t knowingly or unknowingly leak that data to countless other third parties in the process of an ad impression being bought and executed. That’s why a large number of publishers, agencies, advertisers, and vendors have relied on contractual agreements to cover their backs. These contracts declare the onus for any data-privacy breach to fall directly onto the shoulders of the company processing the data on the other’s behalf. However, the ICO has now stated that these kinds of contractual agreements are void. Data controllers must triple check themselves how and where their partners share data.

Life-raft extended to small publishers
The ICO has been careful to show its recognition that despite the non-compliant use of real-time bidding on the open exchange, many smaller publishers are also reliant on this form of advertising for survival. “There are additional considerations, in particular, the economic vulnerability of many smaller UK publishers, which make it advisable for us to move carefully and observe the consequences of our actions,” stated the report.

However, it may be that publishers — particularly the larger ones — aren’t to get off lightly either. The ICO is preparing to issue a similar warning to publishers shortly, on different areas of their GDPR implementation such as consent collection, and give them a certain number of months to comply, according to advertising sources. An ICO spokesperson didn’t confirm this with Digiday but added that next week the regulator will issue detailed guidance on the use of cookies under GDPR.

  • LinkedIn Icon