The ICO has been investigating the adtech and real time bidding (RTB) industry over the past year. This is a huge industry and, from a compliance viewpoint, it is particularly complex due to the challenges of providing meaningful information and obtaining valid consent from users.
The ICO is concerned that the creation and sharing of personal data profiles about people, on such a large scale, is disproportionate, intrusive and unfair, particularly when people are often unaware it is happening. The key issues are:
- identifying a lawful basis for the processing of personal data in RTB, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient;
- the privacy notices provided to individuals lack clarity and do not give them full visibility of what happens to their data;
- in many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.
Industry bodies such as the IAB have been engaged with these issues for some time, looking for practicable solutions. As a sign of how seriously this is being taken in some quarters, Google recently proposed changes to its Chrome browser, including phasing out support for third party cookies within the next two years.
However, in a recent blog, the ICO has expressed frustration that many organisations involved in RTB appear to have their heads firmly in the sand.
The ICO has made it clear that those in the adtech chain cannot rely on “legitimate interests” as the lawful basis for the processing of personal data in RTB. Furthermore, they have said that the Data Protection Impact Assessments they have seen have been “generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual”. The ICO has indicated that they anticipate it may be necessary to take formal regulatory action in such cases. We could, therefore, see such actions in 2020.
The most effective way for organisations to avoid the need for regulatory action is to engage with the process for industry reform, and to encourage their supply chain to do the same. The ICO warns that those who have ignored the window of opportunity to engage and transform must prepare for the ICO to utilise its wider powers.