DMA issues “Seven-Step Ad Tech Guide” in a bid to restore trust in online advertising

What needs to be done by UK businesses actively engaged in the programmatic delivery of digital advertising to ensure they protect the rights of individuals?

The key takeaway
The ICO has highlighted a number of critical issues with real-time bidding (RTB) and this new Guide by the Data & Marketing Association (DMA) seeks to help advertisers comply with their data responsibilities. The key message is that advertisers should work closely with tech firms and their agencies to ensure that their ad tech practices are compliant with the relevant laws, namely the GDPR and the ePrivacy Directive. 

The background
Programmatic advertising is the bringing together of buyers and sellers of digital ad space in an automated process where computers use data to decide which ads to buy and how much to pay for them. RTB is the buying and selling of online ad impressions through real-time auctions that occur in the time it takes a webpage to load. It has introduced an auction pricing mechanism which allows publishers to sell to the highest bidder in a matter of milliseconds and almost 90% of programmatic advertising now relies on RTB. The ICO has expressed data protection concerns about RTB and sought to conduct investigations into issues surrounding consent, transparency and controls in the RTB data supply chain. Although these investigations were paused due to the coronavirus pandemic, the DMA has released a “Seven-Step Ad Tech Guide” for advertisers (the Guide).

The Guide
The Guide pulls together old and new initiatives, highlights areas of risk and recommends best practices in the following seven steps:

1. Education and understanding
Advertisers must understand the ad tech ecosystem and take an active role in implementing organisational and technical measures. Cookie scans and cookie audits are also encouraged to ensure compliance with rules around consent. 
2. Special category data
Programmatic advertising will often process special categories of personal data, which is data that can be inferred from other information (for example it could be inferred that somebody who is interested in baby products has a baby on the way). This data cannot be drawn with the intention to use it in digital advertising within explicit consent. Further, if the processing of this type of data is necessary, it will be mandatory to conduct a data protection impact assessment (DPIA).
3. Understanding the data journey
A record of processing activities (ROPA) must be developed and there are a number of ICO templates that should be used. 
4. Conduct a DPIA
The DMA recommends conducting a DPIA in any situation where ad tech solutions are deployed. In addition, change control procedures implemented by advertisers should include a provision for reviewing DPIAs in case of relevant changes. 
5. Audit the supply chain
Due diligence must be carried out when data sharing or engaging processors and contractual warranties should not be relied upon without keeping sight of actual processing activities. The guidance has useful advice on what the ad tech contract should include and states that audits should be carried out on a periodic basis rotating between suppliers based on a risk assessment.
6. Measure advertising effectiveness
Controllers must not use excessive personal data. The use of personal data should be proportionate to achieving advertising goals. The Guide also recommends a move away from tracking-based modelling to other forms of effectiveness monitoring.
7. Alternatives to third party cookies (behavioural advertising)
This step recommends a shift towards contextual advertising which is considered less intrusive and does not rely on targeting segments.

Why is this important?
The Guide highlights a number of critical issues with RTB and offers useful practical tips for advertisers on how to minimise the risk of breaching GDPR rules. It is a collation of various credible industry initiatives and is approved by the ICO.

Any practical tips?
The Guide highlights the importance of understanding the basics and working closely with agencies and ad tech vendors on compliance matters. Advertisers should carefully review their ad tech practices and processes to ensure that they are GDPR and ePrivacy Directive compliant. In addition, media agencies should familiarise themselves with and prepare ROPAs, as well as conducting comprehensive ad tech vendor due diligence. Data protection training should also be provided to staff where appropriate.

Autumn 2020