European Union: Update Report Into Adtech And Real Time Bidding

1. Executive summary

Real-Time Bidding (RTB) is a set of technologies and practices used in programmatic advertising. It has evolved and grown rapidly in recent years and is underpinned by advertising technology (adtech), allowing advertisers to compete for available digital advertising space in milliseconds, placing billions of online adverts on webpages and apps in the UK every day by automated means.

Whilst RTB is only part of the online advertising ecosystem, we decided we needed to investigate further due to its complexity and scale, the risks posed to the rights and freedoms of individuals and the concerns we've received.

This update report therefore clarifies the ICO's views on adtech, specifically the use of personal data in RTB, and our intended next steps. The findings have come from our:

• research undertaken as part of our Technology Strategy¹ ;
• stakeholder engagement with industry;
• consideration of concerns we have received² ; and
• recent Fact Finding Forum (where participants from across the adtech industry met to discuss lawful basis, transparency and security challenges) ³ .

While many RTB market participants place some controls on their processing and sharing of personal data, it's become apparent during our work that there are substantially different levels of engagement and understanding of how data protection law applies, and the issues that arise.

Our initial investigations raised a number of concerns with the data protection practices within RTB. For the purposes of this report we have prioritised the following areas:

• Transparency and consent: The protocols used in RTB include data fields that constitute special category data, which requires the explicit consent of the data subject. Furthermore, current practices remain problematic for the processing of personal data in general, even if the special category data were removed. For example:
• • identifying a lawful basis for the processing of personal data in RTB remains challenging, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient in respect of data protection law requirements;
  • the privacy notices provided to individuals lack clarity and do not give them full visibility of what happens to their data;
  • the scale of the creation and sharing of personal data profiles in RTB appears disproportionate, intrusive and unfair, particularly when in many cases data subjects are unaware that this processing is taking place; and
  • it is unclear whether RTB participants have fully established what data needs to be processed in order to achieve the intended outcome of targeted advertising to individuals. The complex nature of the ecosystem means that in our view participants are engaging with it without fully understanding the privacy and ethical issues involved.
• Data supply chain: In many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.

Our prioritisation of both RTB and the above issues in this report is not an indication that we think other areas in adtech and online advertising are 'issue-free' in terms of data protection. Additionally, we are aware of the wide range of non-data protection issues that are also associated with RTB and adtech more generally, including fraud (eg from the use of 'bots'), the market dominance of so-called 'big tech' firms, and the financial vulnerability of some publishers; these are also beyond the scope of this report. This report is issued as part of our role as the data protection regulator; however, these other issues, to the extent they impact on data protection,, have been considered as factors in determining our next steps.

Our work has highlighted the lack of maturity of some market participants, and the ongoing commercial incentives to associate personal data with bid requests. We do not think these issues will be addressed without intervention. We are therefore planning a measured and iterative approach, so that we act decisively and transparently, but also in ways in which we can observe the market's reaction and adapt our approach accordingly. This is because:

• this is an extremely complex market involving multiple technologies and actors – and we will doubtless learn more going forward;
• there are some industry initiatives to address these challenges that may gain further impetus and adoption following our initial interventions;
• there are additional considerations, in particular the economic vulnerability of many smaller UK publishers, which make it advisable for us to move carefully and observe the consequences of our actions; and
• adtech continues to grow and develop rapidly, and is spreading beyond the online environment – ensuring appropriate and responsible data protection practices is crucial.

As part of this approach, we intend to provide market participants with an appropriate period of time to adjust their practices. After this period, we expect data controllers and market participants to have addressed our concerns.

In the short term, we will:

• obtain further detailed submissions from a sample of data controllers on their management of bid request data, to enhance further our understanding of industry practices;
• further consult with IAB Europe and Google about the detailed schema they are utilising in their respective frameworks to identify whether specific data fields are excessive and intrusive, and possibly agree (or mandate) revised schema; and
• continue to share information with other data protection authorities across Europe and identify opportunities to work together where appropriate.

Footnote

1 https://ico.org.uk/media/about-the-ico/documents/2258299/ico-technology-strategy-2018-2021.pdf

2 Specifically, the concerns raised by Michael Veale, Jim Killock and Dr Johnny Ryan made in September 2018 (https://brave.com/adtech-data-breach-complaint) and by Privacy International in November 2018 (https://privacyinternational.org/advocacy/2434/why-weve-filed-complaints-against-companies-most-peoplehave-never-heard-and-what).

3 See https://ico.org.uk/about-the-ico/research-and-reports/adtech-fact-finding-forum/ and https://ico.org.uk/about-the-ico/news-and-events/blog-adtech-fact-finding-forum-shows-consensus-on-needfor-change/

To read the full article click here

Originally published by ico.org

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.