The Information Commissioner’s Office has recently published its report into the data protection practices in the advertising sector, specifically looking at adtech and real-time bidding (RTB), following research and discussions with various industry stakeholders.
As an overall theme, the ICO considers that there is a general lack of maturity in relation to data protection law compliance in some areas of the advertising industry. We discuss some of the ICO’s specific concerns below.
The ICO has identified what it perceives to be a lack of clarity in the industry regarding the appropriate lawful basis for processing, as well as the requirements for each basis (e.g. the requirements for establishing a legitimate interest).
The report highlights the following examples:
- Special category data – some market participants are processing special category personal data without obtaining explicit consent from the data subject (or satisfying another relevant condition).
- Non-special category data – some market participants are seeking to rely on legitimate interests as a basis to process personal data where, instead, consent (under the Privacy and Electronic Communications Regulations) may be required because the same participants are deploying cookies to collect the data.
Lack of transparency
The ICO is concerned that there is a lack of transparency over the use of personal data within the sector, with some data subjects being unaware that processing is taking place because the privacy information provided by market participants is unclear.
Data supply chain
Adtech and RTB systems often involve the transfer of personal data to hundreds of businesses at a time. The ICO found that there is a tendency to over-rely on contractual mechanisms for protection of personal data transferred between businesses, with less emphasis being placed on other relevant measures such as monitoring and ensuring technical and organisational controls are in place.
The report does not impose any legal obligations on businesses operating in the adtech sector. If there is a criticism of the report, it is that any practical suggestions made by the ICO are at a high level and are likely to require systematic change to well-established industry practice. The ICO has indicated that it intends to give market participants an appropriate period of time to resolve concerns, although it has also indicated that it may undertake a further review in six months’ time (following further stakeholder engagement).
Businesses operating in the sector may wish to take the early opportunity to consider their own compliance with data protection laws and make adjustments where necessary. Practical measures could include:
- Ensuring that each relevant lawful basis for processing has been correctly identified and established, including ensuring that consent is obtained for the placement of cookies and explicit consent is obtained for processing of special category personal data.
- Reviewing privacy policies and documentation as well as cookie notifications to ensure that it is clear to data subjects what their personal data is being processed for.
- Undertaking internal reviews of data protection processes and technical and organisational measures to ensure they adequately protect personal data.