Last week, the ICO released a report on the compliance state of the adtech market, a bit over a year after the onset of GDPR in Europe. The implications of the report are important for all of digital media, as adtech is the commercial backbone of just about everything that you consume online. The report makes it clear that the ICO (the UK data protection regulator) is not comfortable with the compliance posture of the market, including positions that many companies operating in good faith have assumed. The market is effectively on notice that certain practices will need to change. We can expect a regulatory ‘sweep’ in the near future and a further review of the industry’s progress in six months.
The ICO seems committed to an ongoing dialogue and acknowledges the importance of economic and competitive concerns, but the bottom line is that the ICO, one of the most prominent and generally sympathetic European DPAs, is signaling an intent to act in market impacting ways. If you are operating in the adtech market, think of the current moment as a last chance to alter your course if you are heading towards any of the ICO’s areas of concern.
‘What we found was an industry that understood it needed to make improvements to comply with the law.’ … ‘We are clear about the areas where we have initial concerns, and we expect to see change.’
Concerns raised in the ICO adtech report:
- Profiling: ‘the creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening.’ This is not a statement that profiling in adtech cannot be compliant, but it makes clear that the ICO feels that adtech scale inferences about device IDs is a substantial data protection issue and will be scrutinized as such.
- A very broad view of special category data: contextual inferences, receipt of IAB publisher category data, use of such data for targeting or negative selection. ‘We have heard assertions that, in some cases, such fields are not used for profiling individuals, but instead for alerting advertisers to the nature of the website being visited by the user, thereby enabling advertisers to prevent their adverts being placed on unsuitable websites. However, for both protocols, some of the published documentation states that these fields are used for both targeting and exclusion. Also, regardless of how the advertisers intend to use this data, their collection alongside the identifiers and other personal data in a bid request indicates the processing of special categories of data either directly or by inference.’ This has broad implications for companies, and suggests that a review of data in custody for inferred or received special categories used for any purpose is in order. The industry has no effective compliance strategy for special category data, so unless you have a robust and dedicated strategy, special category data should be eliminated. This ties back to the ICO’s broader concerns about the overuse of personal data within the adtech ecosystem in general.
- Transparency: Concern about the sufficiency of notice systems as currently deployed (it is unclear how directly this addresses emerging practices from Google, the IAB EU TCF, etc.).
- Pushback on industry initiatives: ‘Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.’ On the surface, this sounds damning to those efforts, but elsewhere in the report the ICO makes clear that they intend to dialogue with industry and provide direction on iterations. These efforts are works in progress, and the ICO has not lost faith that they could play a critical constructive role. But definitely do not look to these industry efforts as a ‘set it and leave it’ compliance strategy. Your mileage varies in accordance with your range of compliance obligations, which are specific to each company, and the frameworks will need to continue their evolution and overall adoption trajectories.
- Data supply chain: The ICO issues a clear warning to any company relying on contractual assurances alone for the compliance of its supply chain. This is in clear reference to the letter of the GDPR and earlier guidance by the ICO and the former Article 29 Working Party: diligence and verification will be expected. You will be pressed on this if the UK regulator (or a European counterpart it is partnering with) ever comes calling.
- Given the array of concerns that the ICO believes are raised by the scale and nature of adtech data processing — in RTB particularly and in the targeted ad marketplace generally — DPIAs are required. ‘Many of the above factors constitute criteria that make data protection impact assessments (DPIAs) mandatory.’
- Door closed on ‘legitimate interest’ for adtech? Yes. Unless your processing is substantively dissimilar to most profiling use cases. The ICO is as clear as can be on this point and on the fact that PECR (the UK’s implementation of the e-Privacy Directive) is paramount. The next step will be clarifying their intent to enforce based on this interpretation on the heads of a few select holdouts. ‘Our guidance also states that if organisations are required to obtain consent for marketing in accordance with PECR, then in practice consent is the appropriate lawful basis under the GDPR. Furthermore, trying to apply legitimate interests when an organisation has GDPR-compliant consent would be an entirely unnecessary exercise and would cause confusion for individuals.’ … ‘We believe that the nature of the processing within RTB makes it impossible to meet the legitimate interests lawful basis requirements. This means that legitimate interests cannot be used for the main bid request processing.’
- Data leakage and proper transparency in a market where data sharing is not pre-determined. This is a systemic issue that the industry has, frankly, not adequately addressed. As adoption of industry frameworks increases, these frameworks might find themselves in a position to provide more holistic control and protection. Unfortunately, this will take time… and joint effort. ‘As bid requests are often not sent to single entities or defined groups of entities, the potential is for these requests to be processed by any organisation using the available protocols, whether or not they are on any vendor list and whether or not they are processing personal data in accordance with the requirements of data protection law.’ … ‘The nature of the processing is what leads to the risk of ‘data leakage’, which is where data is either unintentionally shared or used in unintended ways. Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by other parties, eg. retention, security etc. In essence, once data is out of the hands of one party, essentially that party has no way to guarantee that the data will remain subject to appropriate protection and controls.’ … ‘Individuals have no guarantees about the security of their personal data within the ecosystem.’
Other critical bits from the report:
‘Our work has highlighted the lack of maturity of some market participants, and the ongoing commercial incentives to associate personal data with bid requests. We do not think these issues will be addressed without intervention.’
‘As part of this approach, we intend to provide market participants with an appropriate period of time to adjust their practices. After this period, we expect data controllers and market participants to have addressed our concerns.’
A practical note on legal basis:
The ICO has put companies in a real bind, at least for the moment. By pulling away legitimate interest as a valid basis for most market participants and simultaneously expressing skepticism about current consent methods, companies are left without a comfortable landing spot. As a practical matter, it would appear that legitimate interest has been considered and broadly dismissed, while consent is … a work in progress. Companies looking to build to future requirements should be moving in this direction. But it’s hard to blame companies with significant infrastructure in place around a legitimate interest posture for taking their time with a transition. They will naturally want to see the ICO (and other DPAs) confirm that they have a safe landing spot in the consent world and that their peers are with them. Will they get this clarity before the enforcement waters encircle legitimate interest? Unclear.
On balance, the ICO adtech report is a serious challenge to the industry. But if the industry takes the report as constructive feedback, there is also the opportunity to close off activity the ICO views as high risk and maintain a constructive, iterative dialogue with the regulator.
The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at email@example.com or visit us on the web or Twitter.