
Update report into adtech and real time bidding

By the UK's ICO, 20-June-2019

         

iamlost

11:18 pm on Jul 2, 2019 (gmt 0)


The UK's ICO (Information Commissioner's Office) released Update report into adtech and real time bidding [ico.org.uk] (PDF, 404KB, 25 pages) on 20-June-2019.


Commissioner’s foreword

Our work began by examining how people’s personal data was used and shared. More specifically, we wanted to see if that process complied with the law – both General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
...
To help answer our questions, we spoke to the different parts of the industry, from publishers to advertisers, from civil society to start ups, from adtech firms to legal counsel. We brought together more than a hundred people for a full day fact-finding event in London. We considered concerns we’d received from consumers about how their data was being handled.

What we found was an industry that understood it needed to make improvements to comply with the law. Our report today sets out where we expect to see change, and sets out the timescales in which we expect to see action.
...
Our report will be passed to the adtech sector for their response. We are clear about the areas where we have initial concerns, and we expect to see change. But we understand this is an extremely complex market involving many organisations and many technologies. We want to take a measured and iterative approach, before undertaking a further industry review in six months’ time.


Summary and conclusions

Overall, in the ICO’s view the adtech industry appears immature in its understanding of data protection requirements. Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB:

1. Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires).

2. Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals.

3. Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.

4. There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and specifically as regards the ICO’s Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.

5. Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.

6. The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge.

7. Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.

8. There are similar inconsistencies about the application of data minimisation and retention controls.

9. Individuals have no guarantees about the security of their personal data within the ecosystem.