Reflection of surrounding buildings on RPC's building.

Adtech and the data protection debate - where next?

Published on 02 June 2020

How has the discussion surrounding the regulation of real-time bidding (RTB) evolved since the publishing of the ICO’s Adtech Update Report last June?

The key takeaway

The ICO considers the lawfulness of the processing of special category data in the industry, the lack of explicit consent for that processing, and the use of contractual clauses to justify compliance with data law as areas of concern in RTB. If industry participants do not engage with reform, the ICO has indicated it may take formal regulatory action. 

The background

The ICO issued its Adtech Update Report on RTB back in June 2019. This concluded that the adtech industry appeared to be immature in its understanding of data protection requirements under GDPR for RTB. As a result, the ICO embarked on a 6-month fact-finding mission to further enhance its understanding of industry practices by consulting with industry participants. Upon the conclusion of this 6-month process, the ICO delivered an update on its findings, noting that the discussion has progressed to recognition that real change is needed.

The guidance

Whilst there are encouraging signs from the industry, some of the activity the ICO observed was considered unlawful, indicating that there is significant work to be done. The ICO considers there are 3 main areas that the industry should address:

  • the lawfulness of processing special category data
  • the lack of explicit consent by users for the processing of their special category data
  • the reliance on contractual clauses to justify onward data sharing to achieve compliance with the law in the absence of supporting case studies.

Why is this important?

The ICO was struck by number of insufficient justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. As Simon McDougall (Executive Director for Technology and Innovation at the ICO) says, some organisations appear to “have their heads firmly in the sand” and the Data Protection Impact Assessments (DPIAs) the ICO has seen “have been generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual”. Basic data protection controls around security, data retention and data sharing are also often seen to be insufficient. As Mr McDougall says, “those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers”.

Any practical tips?

This all points towards a hardening of the ICO’s line, and regulatory action seems increasingly inevitable. If you have not done so already, you should consider:
  • ensuring that senior management understand that industry practices are changing and encouraging them to review their current approach
  • carrying out (deep-reaching) DPIAs of your RTB activities 
  • employing a privacy by design approach to your use of RTB 
  • keeping engaged with your industry trade associations, both to make sure your voice is heard in the ongoing discussions and to track their best practice recommendations, in particular those of the Internet Advertising Bureau.