Who: Information Commissioner’s Office (ICO)
Where: United Kingdom
When: 22 January 2021
Law stated as at: 30 March 2021
What happened:
Having paused work in May 2020, earlier this year the ICO resumed their investigation into real-time bidding (RTB) and the adtech industry.
For those unfamiliar with the term, RTB is part of the technology behind those ads which seemingly follow you around the internet. It is underpinned by advertising technology which allows advertisers to compete for digital advertising space, usually in a matter of milliseconds.
When announcing the relaunch of its investigation, the ICO reiterated that its priorities for the review are to enable transparency and protect vulnerable citizens. There is particular concern around the use of sensitive personal data to serve adverts, use which requires explicit consent, consent which the ICO understands is not currently being obtained by many players in the industry.
Concerns around the widespread sharing of personal data were also set out. The ICO raised questions around the security and retention of such data, which it understands is being shared without assessment of potential recipients or of the risks of transfer.
The ICO’s October 2020 data broking investigation into offline direct marketing services will also shape this relaunched investigation, during which the ICO plans to review the role of data brokers in the RTB adtech eco-system.
Next steps for the ICO include a series of audits with a focus on data management platforms, a number of which may already have received assessment notices. The ICO hope that the audits will provide a clearer picture of the state of the industry.
The ICO used the relaunch announcement to remind all organisations operating in the adtech space that they should be assessing how they use personal data as a matter of urgency, particularly as comprehensive guidance in this area already exists.
Organisations were reminded that the ICO’s general guidance on consent, legitimate interests, data protection by design and data protection impact assessments apply to RTB and adtech in the same way it does to other types of processing. Shortly before reopening the investigation, the ICO’s executive director for technology and innovation, Simon McDougall, expressed confidence that any organisation that has not properly addressed the issues which the ICO raised back in June 2019 in its Update report into adtech and real time bidding risks operating in breach of data protection law.
Work continues between the ICO and the CMA on Google’s Privacy Sandbox proposals to phase out support for third-party cookies on Chrome. There is also praise for the Internet Advertising Bureau (IAB), who have taken steps to begin addressing the ICO’s published concerns, including through the development of guidance for organisations on security, data minimisation, and data retention, as well as UK-focused guidance on the content taxonomy and plans to educate the industry.
The ICO will continue to engage with IAB UK to ensure their proposals are executed in a timely manner and will engage with the industry where this will drive the most effective outcome from data subjects. Commitments have also been received from other UK advertising trade bodies to produce guidance for their members.
Why this matters:
RTB has seen rapid growth and development in recent years. Advertisers place billions of online adverts on webpages and apps in the UK every day using the technology.
The relaunch of the investigation comes at a time of a growing awareness in data subjects (many of whom have been living online versions of their lives for the past 12 months) about the use of personal data by the ad industry and the value it has.
The ICO believes data protection compliance issues in RTB and adtech are a systemic problem, one which can only be addressed by the industry itself collectively reforming RTB. This will require organisations to take ownership for their own data processing, to educate themselves of the requirements, and address current compliance gaps using the guidance and resources already available. In the meantime, expect to see more guidance and awareness campaigns from industry bodies (like the IAB’s recently published GDPR guidance on LIAs for digital advertising). For those organisations that are operating RTB and ad tech businesses without addressing issues raised by the ICO to date, we are yet to see how widely the ICO will pursue enforcement.
