The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).
Much of the focus of the report was on the real-time bidding component of digital advertising, which is a process that allows for nearly instantaneous automated bidding for, and purchasing of, digital advertising space. In the ICO’s view, real-time bidding raises several issues under data protection law, including with respect to transparency, the processing of special category data, establishing an appropriate legal basis, and conducting data protection impact assessments (“DPIAs”). We have summarized a number of the ICO’s concerns about these issues below.
- Transparency: The ICO found that many controllers’ privacy notices lack sufficient clarity regarding what will happen to the data subject’s information in the digital advertising context. Providing genuine transparency is challenging on account of the complexity and sheer number of organizations involved in the adtech ecosystem.
- Special Categories of Personal Data: The ICO found that special categories of personal data, such as race, ethnicity, sexual orientation and health information, are actively used in the industry for segmentation purposes. Where special category information is involved, the GDPR requires explicit consent in support of the processing. Accordingly, the ICO stated that adtech businesses processing this type of data should modify their approach to obtaining consent or stop processing this type of data altogether.
- Legal Basis: The ICO has clarified that consent is likely the only available legal basis to rely on under the GDPR for the purposes of real-time bidding. Under the PECR, consent is required prior to the dropping of cookies. Following the implementation of the GDPR, this consent must now meet the GDPR’s consent standard (i.e., it must be freely given, specific, informed and unambiguous). The functioning of the adtech industry in the web context relies on dropping cookies. Generally, site publishers use cookie banners to collect the consent that is required under the PECR.
Because cookies operate by collecting and communicating personal data under the GDPR (particularly data that identifies the device and data that relates to the behavior or preferences of the individual operating that device), there is a separate requirement under the GDPR to establish a legal basis for the processing that real-time bidding entails. In its report, the ICO states that the scenarios where legitimate interests could be relied upon as a legal basis under the GDPR for real-time bidding are limited and, as such, it is likely that consent will be the only available legal basis for those in the ecosystem conducting “business as usual” real-time bidding. A number of third-party consent management platforms have been created to help adtech players verify that the appropriate information has been provided to the data subject, and consent collected where required, before they use the personal data for advertising purposes. These platforms generally function by presenting website or application visitors with a pop-up that allows them to opt in to the sharing of their personal data with third parties that conduct advertising. This pop-up gives publishers and advertisers the opportunity to provide required disclosures to data subjects and to collect consent where required. Where consent is obtained, this signal is transmitted through the adtech ecosystem so that each party using the data can be made aware of what the data subject has or has not consented to. In its report, the ICO generally deemed these consent mechanisms to be insufficient from a data protection law perspective and questioned their practical utility given the number of participants in the adtech ecosystem.
- Data Protection Impact Assessments: The GDPR requires organizations to conduct data protection impact assessments (“DPIAs”) regarding personal data processing activities when certain criteria are met. The ICO noted that a number of its previously published criteria that may trigger the need to conduct a DPIA are in play in the context of real-time bidding. These include the use of new technologies, profiling individuals on a large scale, invisible processing, and tracking of behavior and geolocation data. The ICO also highlighted the use of personal data of children or other vulnerable individuals for marketing purposes, profiling or automated decision making as a relevant trigger. The ICO commented that even though organizations are legally required to perform DPIAs, it has found that DPIA requirements have not been fully recognized by those engaged in real-time bidding, and DPIAs frequently have not been carried out.
The ICO has invited responses to the report from the adtech sector, emphasizing that its aim is to take a “measured and iterative approach” to the issues. The ICO also has recognized that adtech goes hand-in-hand with products and services desired by consumers, and acknowledged the importance of digital advertising to the availability of content online. In the short term, the ICO expects controllers in the adtech industry to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the real-time bidding ecosystem.”