Data protection impact assessments are mandatory for RTB
The ICO’s report states that many adtech organisations have yet to carry out any data protection impact assessments (DPIAs) in respect of the personal data they control. The EU General Data Protection Regulation (GDPR), which came into force last year, requires DPIAs to be undertaken where new technologies are used to process personal data and the processing is likely to pose a high risk to the rights and freedoms of the individuals concerned.
By their very nature, RTB activities trigger the requirement. If your organisation operates within the digital advertising ecosystem, it should (if it hasn’t already done so) carry out a DPIA as soon as possible. This can then be used to consider how best to minimise any disproportionate or intrusive data sharing.
Individuals’ consent is required to process their personal data in RTB
RTB involves processing user data falling within the scope of the GDPR’s definition of ‘personal data’. This definition includes ‘online identifiers’ and therefore covers website users who could potentially be identified from the bid-request information sent by a webpage to its advertising suppliers.
The GDPR only permits processing personal data on the basis of certain lawful grounds. Many website publishers that use RTB have been relying on the ‘legitimate interests’ ground, but the ICO’s adtech report states that the nature of RTB processing makes the criteria for relying on this ground impossible to satisfy. Instead, the ICO considers obtaining users’ consent to be the only appropriate lawful basis in this context. The GDPR standard for consent, however, is high: it must be a ‘freely given, specific, informed and unambiguous indication’ communicated ‘by a clear affirmative action’. This standard also now applies to the consent required under the Privacy and Electronic Communications Regulations (PECR) to place the non-essential cookies on users’ devices that are needed for RTB advertising.
Website publishers will therefore need to ensure that they obtain GDPR-standard consent via express opt-ins from users; otherwise, there will be no lawful basis on which to remit the relevant data to adtech suppliers. The ICO’s report particularly emphasises the importance of obtaining explicit consent from users where their ‘special category’ (sensitive) personal data is processed – for example, in relation to their health or political views. Adtech participants will need to modify their existing consent mechanisms to obtain explicit consent in respect of this data or refrain altogether from processing such ‘special category’ data.
Obtaining explicit consent in adtech is, however, no easy task. The ICO is clear that using a ‘cookie wall’, where users are required to agree to the processing of their personal data as a condition of accessing a website, is no solution. It is therefore difficult to see how website publishers that use RTB-based programmatic advertising can meet the GDPR standard of consent without having to present users with detailed consent wordings and multiple opt-in tickboxes.
This could risk ‘consent fatigue’ among individuals who visit several websites each day and don’t have the time to read multiple lengthy privacy and cookie notices. Further industry engagement is needed to determine how to prevent data protection compliance from becoming counterproductive to the goal of providing transparency to users on how their data is used.
What should adtech participants do now?
While the ICO did not mince its words in its report into RTB, calling the adtech industry ‘immature in its understanding of data protection’, it is seeking to engage with industry rather than simply to penalise it. The regulator is all too aware that simply hamstringing adtech would inevitably diminish advertising’s funding of free online services when there is still little increase in demand for paid-for, ad-free content.
An update report from the ICO is expected next year, following a further industry review. In the meantime, the ICO expects all data controllers in the adtech industry to re-evaluate their approach to using personal data. Given the potential fines for non-compliance with the GDPR (up to €20 million or 4% of worldwide turnover, whichever is greater), industry participants should use this grace period as an opportunity not only to revisit their existing privacy and cookie notices and to re-evaluate the way in which they obtain user consent to data processing, but also to focus on data quality. After all, it makes little commercial sense to process large volumes of personal data without fully understanding whether this brings any meaningful return on investment.