ICO update on Adtech Real Time Bidding Report

What can businesses do to minimise the regulatory risks of processing of personal data in relation to real time bidding (RTB)?

The key takeaway

The ICO’s main concerns are based around the data supply chain and the lack of clarity and transparency granted to individuals. Market participants now have six months to review their practices and implement the changes recommended by the ICO. 

The background

The ICO set out to investigate the risks posed by RTB in relation to data protection due to RTB’s complexity and scale. 

After analysing the position, the ICO decided that the issues which were highlighted would not be addressed without its intervention. However, the ICO has stated that it intends to allow businesses a period of approximately six months to adjust their practices. 

There are two themes which can summarise many of the ICO’s observations and concerns, namely (i) matters relating to the data supply chain and (ii) transparency and clarity.

The guidance 

In particular, the ICO highlighted the following seven practices, which are often overlooked by businesses in the RTB market:

• do not share individuals’ special category data unless you have their explicit consent. Explicit consent should be sought whether the information is processed directly or by inference. Special category data is information relating to health, religion, political views, sex life, race and ethnicity
• consider whether your lawful basis for processing holds out. The scenarios when businesses can rely on the “legitimate interests” basis are limited. This basis can only be used where there is a minimal privacy impact, the use of personal data is proportionate and individuals would not be surprised by the processing or likely to object. It is unlikely that these conditions will be satisfied in the case of RTB
• make sure your privacy notices are transparent and clear (ie ensure to give individuals sufficient information relating to the processing of their data). This is difficult for businesses engaging in RTB because of the complexity of their data supply chains, meaning that it is difficult for them to explain how their processing operations work and who the businesses share individuals’ data with, among other things
• do not create or share individuals’ profiles in a way which is “disproportionate, intrusive and unfair”. Such profiles are repeatedly shared without the concerned individual’s knowledge
• make sure to use the correct legal basis for the placing of cookies/other tracking technologies. The ICO states that businesses are often unclear about the rules governing the placing of cookies, including the requirement that individuals must give prior consent for their use
• comply with the key data protection principles, especially relating to international transfers of data, data minimisation, data retention and technical and organisational measures. RTB contains a risk of “data leakage” and as such, businesses should pay particular attention to the GDPR’s accountability principles, which require processes and policies to be put in place
• complete a Data Protection Impact Assessment (DPIA).

Why is this important?

Data processing relating to RTB is one of the ICO’s regulatory priorities. To avoid any potential future adverse findings by the ICO, businesses should take heed of the ICO’s recommendations. 

Any practical tips?

It goes without saying that you should aim to bring your business in-line with the ICO’s recommendation by December 2019, if possible. However, you may also consider engaging with the ICO to “have your say” while it is in the process of deciding its future approach to RTB. Finally, check out IAB Europe's “Transparency and Consent Framework (TCF) 2.0”. This is the most comprehensive effort yet in finding solutions for the adtech industry. See here.