The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has published a report highlighting how thousands of companies share personal data about hundreds of millions of people every day without a lawful basis. The report also finds that much of today’s online advertising is unlawful at a ‘general, systemic’ level. It was produced in response to a series of complaints made in the UK about the security and legality of the adtech ecosystem. The complaints were made by Michael Veale, an academic, and Jim Killock, executive director of the Open Rights Group, as well as by the campaign group Privacy International.
Real-time bidding (RTB) uses adtech to buy and sell advertising inventory in real time on an impression-by-impression basis, typically through an auction. It is the type of online advertising most commonly used at present for selling visual inventory online, either on a publisher’s website or in a publisher’s app.
RTB relies on the potential advertiser seeing information about you before it bids. That information can be as basic as the device you are using to view the web page, or where in the country you are. But it can be a far more detailed picture, including the websites you have visited, what your perceived interests are, and even the health condition you have been searching for information about. Because every bid request is broadcast to many bidders, the complexity of this type of advertising poses a number of risks to data protection compliance. The ICO has therefore investigated the issue and summarized how the adtech sector should comply with the GDPR.
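To make concrete what a single bid request can reveal, here is an added example (not code from the ICO report or from any adtech vendor) that audits one constructed bid request for personal data and for GDPR Article 9 special-category signals, and flags the combination the report describes: special-category data sent under the GDPR with no consent signal attached. The object layout is loosely modelled on the OpenRTB 2.x bid request (site, device, user, regs); the sample values, the category prefix table, the keyword list and the simplified consent check are all assumptions made for illustration.

```python
"""Audit a constructed RTB bid request for personal and special-category data.

Added example; not code from the ICO report. The field layout loosely follows
the OpenRTB 2.x bid request (site/device/user/regs objects). The sample
values, the category table and the keyword list are constructed for
illustration and are not a complete or authoritative mapping.
"""
import json

# Assumption: a constructed subset of IAB content-taxonomy prefixes that map
# onto GDPR Article 9 special categories when attached to the page a user reads.
SPECIAL_CATEGORY_PREFIXES = {
    "IAB7": "health",
    "IAB11": "political opinions",
    "IAB23": "religion",
}

# Assumption: a constructed keyword list for audience-segment names and URLs.
SPECIAL_KEYWORDS = {
    "diabetes": "health", "cancer": "health", "hiv": "health",
    "religion": "religion", "muslim": "religion", "catholic": "religion",
    "lgbt": "sexual orientation",
    "ethnic": "racial or ethnic origin",
}

# Constructed sample: one bid request as a supply-side platform might emit it.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "req-0001",
    "site": {"page": "https://example.test/conditions/diabetes",
             "cat": ["IAB7-20"]},
    "device": {"ua": "Mozilla/5.0 (Linux; Android 10)",
               "ip": "203.0.113.42",
               "geo": {"lat": 51.5, "lon": -0.12, "country": "GBR"}},
    "user": {"id": "u-7d2a41",
             "data": [{"name": "dmp-a", "segment": [
                 {"name": "interest:religion:catholic"},
                 {"name": "interest:travel"}]}],
             "ext": {"consent": ""}},          # GDPR applies, no consent string
    "regs": {"ext": {"gdpr": 1}},
})


def personal_data_fields(req):
    """Return dotted paths of fields that identify or locate the user."""
    found = []
    dev = req.get("device", {})
    if dev.get("ip"):
        found.append("device.ip")
    if dev.get("ua"):
        found.append("device.ua")
    if dev.get("geo", {}).get("lat") is not None:
        found.append("device.geo")
    if req.get("user", {}).get("id"):
        found.append("user.id")
    return found


def special_category_data(req):
    """Return a sorted, de-duplicated list of (source, category) pairs."""
    hits = set()
    site = req.get("site", {})
    for cat in site.get("cat", []):
        prefix = cat.split("-")[0]
        if prefix in SPECIAL_CATEGORY_PREFIXES:
            hits.add(("site.cat:" + cat, SPECIAL_CATEGORY_PREFIXES[prefix]))
    page = site.get("page", "").lower()
    for kw, category in SPECIAL_KEYWORDS.items():
        if kw in page:
            hits.add(("site.page", category))
    for provider in req.get("user", {}).get("data", []):
        for seg in provider.get("segment", []):
            name = seg.get("name", "").lower()
            for kw, category in SPECIAL_KEYWORDS.items():
                if kw in name:
                    hits.add(("user.data:" + name, category))
    return sorted(hits)


def gdpr_applies(req):
    return req.get("regs", {}).get("ext", {}).get("gdpr") == 1


def has_consent_signal(req):
    """Simplified check: any non-empty consent string counts as a signal.
    Assumption: a real audit would decode the string and verify the purposes."""
    return bool(req.get("user", {}).get("ext", {}).get("consent"))


def audit_dict(req):
    """Audit an already-parsed bid request and return the findings."""
    special = special_category_data(req)
    return {
        "personal_data": personal_data_fields(req),
        "special_category": special,
        "gdpr_applies": gdpr_applies(req),
        "consent_signal": has_consent_signal(req),
        # Article 9 processing needs explicit consent: flag special-category
        # data sent under the GDPR with no consent signal attached.
        "special_category_without_consent": (
            bool(special) and gdpr_applies(req) and not has_consent_signal(req)),
    }


def audit(req_json):
    """Audit a bid request given as a JSON string."""
    return audit_dict(json.loads(req_json))


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BID_REQUEST), indent=2))
```

Run stand-alone, the script prints the findings for the sample request: IP address, user agent, geolocation and a user ID are all present, the page category and URL reveal a health condition, a data-provider segment reveals a religion, and no consent string accompanies them even though the request is marked as subject to the GDPR. In a real deployment every bidder that receives the request sees all of this, which is the fan-out the report is concerned with.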
In this report, the ICO has prioritized two areas: the processing of special category data, and the problems caused by relying solely on contracts to govern data sharing across the supply chain.
The report highlights “Under data protection law, using people’s sensitive personal data to serve adverts requires their explicit consent, which is not happening right now. Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises questions around the security and retention of this data.”
Key findings from ICO’s report
Adtech is disregarding Special and Non-special category data
Non-special category data is being processed unlawfully at the point of collection. Online advertisers believe that legitimate interests can be relied on for placing and/or reading a cookie or other technology, rather than obtaining the consent that PECR (the Privacy and Electronic Communications Regulations) requires. Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests test and implemented appropriate safeguards.
Special category data, meaning especially sensitive data such as ethnic origin, health, religion, political opinions and sexual orientation, is also being processed unlawfully, because the explicit consent that the GDPR requires for it is not being collected. Data protection impact assessments (DPIAs) are tools that organizations can use to identify and minimize the data protection risks of any processing operation, and Article 35 of the GDPR specifies several circumstances in which a DPIA is mandatory, including large-scale processing of special category data.
The ICO states that there appears to be a lack of understanding of, and potentially of compliance with, the DPIA requirements of data protection law. As a result the risks associated with RTB are probably not being fully assessed and mitigated.
Individuals have no control over their privacy
The ICO finds that the privacy information provided to individuals lacks clarity because it is overly complex. Individuals have no guarantees about the security of their personal data within the ecosystem.
Moreover, individual profiles are extremely detailed and are shared repeatedly among organizations for any one bid request, all without the individuals’ knowledge.
These organizations are also processing bid requests with inadequate technical and organizational measures to secure the data in transit and at rest, and there is little or no consideration of the requirements of data protection law on international transfers of personal data.
The ICO says organizations must understand, document and be able to demonstrate:
- how their processing operations work;
- what they do;
- who they share any data with; and
- how they can enable individuals to exercise their rights.
Contract-only approach for data protection legislation should stop
The adtech industry currently uses contractual controls to provide a level of assurance about data protection-compliant processing of personal data. However, this contract-only approach does not satisfy the requirements of data protection legislation. Organizations cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring that technical and organizational controls back up those terms. The ICO says that controllers must:
- assess that the processor is competent to process personal data in line with the GDPR;
- put in place a contract or other legal act meeting the requirements in Article 28(3); and
- ensure a processor’s compliance on an ongoing basis, in order for the controller to comply with the accountability principle and demonstrate due diligence (such as audits and inspections).
What’s next for the ICO
The ICO states that its report requires further analysis and exploration.
- It will undertake targeted information-gathering activities related to the data supply chain and profiling aspects, the controls in place, and the DPIAs that have been undertaken, starting in July 2019.
- It will also continue targeted engagement with key stakeholders, including bilateral engagement with IAB Europe and Google.
- It may undertake a further industry review in six months’ time. The scope and nature of such an exercise will depend on its findings over the coming months.
Reaction online to the report was largely positive.
The UK ICO reports that the way big tech sells ads may be illegal. They have the power to stop it. Big deal. https://t.co/oi0LJwrgZn
— mark_barratt (@mark_barratt) June 20, 2019
Also imagining Google, IAB and adtech lobby’s heads exploding reading this solid piece of journalism explaining facts that they’ve been working incredibly hard to avoid. Lessons here for CCPA roll-out.
— Jason Kint (@jason_kint) June 21, 2019
The UK’s @ICOnews with another brilliant report on Real Time Bidding and its privacy challenges. Advice: install an adblocker like AdblockPlus, AdblockFast, Ghostery and Ublock to avoid the invasive tracking https://t.co/7VaOs0N7gR
— DataEthics (@DataEthicsEU) June 21, 2019
Others objected that it is only a guidance report, not enforcement action.
I’ve flicked through the ICO’s report on #adtech, and I’m torn:
1) it’s great to see the regulator tackling one of the most pervasive, opaque surveillance mechanisms being operated today. But…
2) it’s a timid, tentative move, not a robust strike. https://t.co/PDPmev0Dsi
— Neil Brown (@neil_neilzone) June 20, 2019
The next-steps section drew particular criticism.
If the way how data-driven online marketing currently works is illegal at scale, then it needs to be stopped from happening. Now. Each day EU data protection authorities let it continue to happen this:
– further violates people's rights and freedoms
– totally undermines the GDPR
— Wolfie Christl (@WolfieChristl) June 20, 2019
However, we need action. The next steps in this report need to be much more firm. AdTech is illegal in its current form: letting it continue undermines the GDPR in all sectors. pic.twitter.com/Ns9AQCB7bo
— Michael Veale (@mikarv) June 20, 2019
Another point raised was that, whatever its problems, the adtech industry also generates a large share of the revenue that funds publishers.
Carol, While there are issues with the adtech industry, (see the ICO report released y’day) it’s also responsible for generating a large % of the revenues that enable the Guardian to exist. Yes, Cannes is a ridiculous event but adtech is crucial to a free press
— Jon Mundy (@jonmundy) June 21, 2019
The ICO’s report anticipates this objection: “RTB is an innovative means of ad delivery, but one that lacks data protection maturity in its current implementation. Whilst it is more the practices than the underlying technology that concerns us, it’s also the case that, if an online service is looking to generate revenue from digital advertising, there are a number of different ways available to do this. RTB is just one of these. Whatever form organizations choose, if it involves either accessing or storing information on user devices, and/or the processing of personal data, there are laws that they have to comply with.”
Read the full report here.