The UK’s data protection regulator, the ICO (Information Commissioner’s Office), has published a report highlighting how thousands of companies share the personal data of hundreds of millions of people every day without a legal basis. The report also says that most of today’s online advertising is unlawful at a ‘general, systemic’ level. It was prompted by a series of complaints made in the UK about the security and legality of the adtech ecosystem, filed by Michael Veale, an academic, Jim Killock, executive director of the Open Rights Group, and the campaign group Privacy International.
Adtech is a term used to describe tools that analyze and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions.
RTB (real-time bidding) uses adtech to enable the buying and selling of advertising inventory in real time on an impression-by-impression basis, typically through an auction pricing mechanism. It is the type of online advertising most commonly used at present for selling visual inventory online, either on a publisher’s website or via a publisher’s app.
RTB relies on the potential advertiser seeing information about you. That information can be as basic as the device you are using to view the webpage, or where in the country you are. But it can also build a far more detailed picture, including the websites you have visited, what your perceived interests are, even what health condition you have been searching for information about. The complexity of this type of online advertising raises a number of risks around data protection compliance, which is why the ICO investigated the issue and summarized how the adtech sector should comply with the GDPR.
In this report, the ICO has prioritized two areas: the processing of special category data, and the problems caused by relying solely on contracts to govern data sharing across the supply chain.
The report highlights “Under data protection law, using people’s sensitive personal data to serve adverts requires their explicit consent, which is not happening right now. Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises questions around the security and retention of this data.”
Non-special category data is being processed unlawfully at the point of collection. Online advertisers believe that legitimate interests can be relied on for placing and/or reading a cookie or other technology, rather than obtaining the consent that PECR (the Privacy and Electronic Communications Regulations) requires. Even if an argument could be made for relying on legitimate interests, participants in the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.
Special category data (especially sensitive data such as ethnic origin, health, religion, political opinions and sexual orientation) is also being processed unlawfully, because the explicit consent that the GDPR requires for such processing is not being collected. DPIAs (data protection impact assessments) are tools that organizations can use to identify and minimize the data protection risks of any processing operation, and Article 35 of the GDPR specifies several circumstances that require a DPIA, including large-scale processing of special category data.
The ICO states that there appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law. This increases the risks associated with RTB, which are probably not being fully assessed and mitigated.
The ICO also finds that the privacy information provided to individuals lacks clarity because it is overly complex, and that individuals have no guarantees about the security of their personal data within the ecosystem.
Moreover, individual profiles are extremely detailed and repeatedly shared among organizations for any one bid request, all without the individuals’ knowledge.
Not only that: these organizations process bid requests with inadequate technical and organizational measures to secure the data in transit and at rest, and give little to no consideration to the requirements of data protection law on international transfers of personal data.
The ICO says organizations must understand, document and be able to demonstrate:
The adtech industry currently uses contractual controls to provide a level of assurance that personal data is processed in compliance with data protection law. However, this contract-only approach does not satisfy the requirements of the legislation. Organizations cannot rely on standard terms and conditions by themselves, without appropriate monitoring and without technical and organizational controls that back up those terms. The ICO says that controllers must:
The ICO states that the issues raised in its report require further analysis and exploration.
Predictably, the report was welcomed by many online.
However, some took issue with it being only a guidance report, lacking any real enforcement action.
They also criticized the next steps section.
Others pointed out that, despite its problems, the adtech industry also generates a large share of online revenue.
The ICO responded: “RTB is an innovative means of ad delivery, but one that lacks data protection maturity in its current implementation. Whilst it is more the practices than the underlying technology that concerns us, it’s also the case that, if an online service is looking to generate revenue from digital advertising, there are a number of different ways available to do this. RTB is just one of these. Whatever form organizations choose, if it involves either accessing or storing information on user devices, and/or the processing of personal data, there are laws that they have to comply with.”
Read the full report here.