Should organisations rely on legitimate interests or consent? A DPIA will consider all relevant factors in determining the correct basis
Ask any privacy professional to name current buzzwords in the data protection world and you can be sure that “adtech” will be high on the list. It is a key area of focus for the Information Commissioner’s Office (ICO), with online tracking identified as a priority area in its 2018-2021 technology strategy.
The ICO also commenced an investigation into adtech and real-time bidding (RTB) in February 2019. The regulator identified several key areas of interest in the investigation, one of which was the lawful basis for processing personal data in adtech. Identifying the lawful basis for processing is a vital part of demonstrating compliance with the General Data Protection Regulation (GDPR). It is not always a straightforward task and is further complicated in the adtech context by the interplay between the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
In this article, we look at the key considerations for adtech businesses, and brands looking to take advantage of the capabilities of adtech, in determining the lawful basis for processing.
It is helpful, as a starting point, to take a step back and consider what we mean when talking about “adtech”. The term is one of an ever-growing list of neologisms denoting disruptive technology in a particular industry (joined by the likes of “fintech”, “regtech”, “proptech” and “cleantech”). It stands, of course, for “advertising technology”.
Adtech is a wide term that refers to any software or set of tools used by brands and agencies to target and deliver advertising through digital channels. Some adtech tools work in a relatively simple way; for example, Facebook’s Custom Audiences tool involves sending a list of hashed email addresses to the social media platform, which are then matched with Facebook’s user base to retarget ads to the brand’s existing customers.
Others, like RTB, are far more complex. RTB is a type of “programmatic advertising” (an umbrella term for the automated buying and selling of ads online) that allows agencies to bid on ad space through real-time auctions. Those auctions take place in the time it takes a website to load, with numerous cookies being set and data being transferred to potentially hundreds of bidders in the space of microseconds.
Regardless of their complexity, most adtech tools will be reliant in some way on personal data, which is often collected by cookies and similar technologies.
Even where data may not be clearly linked to a user’s name, email address or other easily identifiable information, data will usually include device identifiers (such as IP addresses) and online user IDs. These will be “online identifiers”, which are explicitly included in the GDPR definition of “personal data”.
These identifiers will generally sit alongside other information about the user, such as their location and inferred interests generated from browsing data. Those inferred interests may constitute special category data, for example if they suggest an interest in health-related topics or certain political parties.
One of the key challenges of data processing in adtech is determining the controller, joint controller and processor relationships at play. This is important for many reasons, but not least because this assessment will dictate which party is responsible for deciding which is the most appropriate lawful basis for processing.
When engaging in any adtech activity, a data protection impact assessment (DPIA) is likely to be essential to help the relevant parties to establish who is the controller, and therefore where the responsibility lies. Joint controllership is not unusual in an adtech context and can arise (for example) where a brand simply sets advertising parameters for an agency or publisher, without the brand accessing the personal data itself. In this instance, the parties need to determine between themselves who should decide on, and record, the lawful basis.
The two lawful bases most likely to be relevant for the processing of personal data in an adtech context are consent and legitimate interests. The DPIA will consider all relevant factors in determining the correct basis; these factors will vary from case to case, but there are some questions which it is helpful to ask as a starting point.
The interplay of the GDPR with the PECR could have a significant impact on the lawful basis assessment. The ICO’s view is that where the PECR require consent to be obtained for certain activities involving the collection and processing of personal data, consent should also serve as the GDPR lawful basis. This is less confusing both for users, who do not have to grapple with understanding the difference between the legislative regimes, and organisations, who do not need to implement different procedures for what is essentially the same processing.
The ICO’s guidance makes clear that PECR consent will be required for storing cookies on an individual’s device, save in very limited circumstances where the cookies are essential to provide an online service at that person’s request. This means that, where adtech processing involves setting cookies (which is extremely common), consent is likely to be the most appropriate lawful basis for the processing of personal data collected by those cookies.
Similarly, if adtech activities involve “direct marketing” that requires PECR consent, legitimate interests as a lawful basis may be difficult to justify. Targeted ads served on web pages have not historically been seen as falling within the definition of “direct marketing”, but the ePrivacy Regulation (ePR), due to replace the PECR once finalised, may widen this definition. Several iterations of the draft ePR have included an amended definition of direct marketing which would capture this type of advertising.
As above, there are scenarios in which the personal data processed for adtech could include special categories of data, such as where a user’s assumed interests can lead to this information being inferred. An additional processing condition will need to be satisfied in order to process this type of data and it is unlikely that any processing condition other than consent will be possible. Unless it is possible to give users granular choice over exactly what data is collected, this means that where special category data is involved, consent will also be the best lawful basis for ordinary data processed as part of the same activity.
Many adtech tools make use of algorithmic decision-making to determine what ad space to buy and which ads to target at which users. The GDPR prohibits wholly automated decisions that have a legal or similarly significant effect on an individual, unless consent is obtained or the decision is necessary for entering into a contract. The majority of the time, these restrictions are unlikely to be engaged in adtech; serving potentially unwanted ads, whilst inconvenient, will not often be seen as a “legal or significant effect”. However, there are plausible scenarios in which the effect on the user could go beyond mere inconvenience or
It is easy to see how, for example, ads for gambling sites targeted at a gambling addict, or for diet plans targeted at a user recovering from an eating disorder, could be seen to have a significant effect on the user. If these decisions do cross the line into a “legal or significant effect”, consent is likely to be the best lawful basis.
Relying on legitimate interests is not as simple as identifying that an activity is in the controller’s, or a third party’s, interests. The processing must be “necessary” for those interests and, crucially, those interests must not be outweighed by users’ rights and freedoms. When considering the viability of legitimate interests as a lawful basis, it is therefore crucial that these factors are assessed, by way of a legitimate interests assessment (LIA).
The impact of the processing on the user will be key in determining whether the balancing test is met, so this will require careful thought. If the processing could cause distress, or even severe annoyance, to users, there is a risk that the balancing test will fall down in favour of the user, thereby precluding legitimate interests as a possible lawful basis. Any benefits to users of adtech processing, such as seeing more relevant content and receiving personalised offers, will also be a relevant factor.
The lawful basis assessment should include consideration of whether the envisaged processing would be within users’ reasonable expectations. This is linked to the GDPR transparency obligations but is important more widely to ensure that processing is “fair”. Even if consumers have been provided with a detailed privacy notice, if adtech processing will be difficult for users to understand and easily digest (or, simply, could lead to advertising that users see as “creepy”), this will be an indicator that the balancing test for legitimate interests is not met.
Deciding on the lawful basis is not the end of the road. Consideration needs to be given to the practical steps that need to be taken to ensure that the relevant lawful basis is sound. If consent is the lawful basis, of course there will need to be consent mechanisms that are built into the user journey. If there is scope to rely on legitimate interests, compliance with the GDPR transparency obligations will be key in demonstrating that the impact on individuals has
Because of the particular complexities of adtech and the immediacy of the processing, it will not always be obvious how information will be provided and consents obtained, or who is responsible for this aspect. Brands are often distanced from the processing itself and reluctant to accept this responsibility, whereas adtech suppliers may see the brand as the ultimately accountable entity. In reality, it will be crucial for all entities involved in adtech processing to work together to ensure that all parties understand how the technology works and how data is processed.
Adtech businesses should develop a thorough understanding of how the GDPR and the PECR affect their offerings and build privacy by design solutions that will give brands reassurance that privacy rights have been considered and pragmatic processes put in place to comply with the legislation. Brands must ensure that they understand how the technology they are proposing to use works and complete thorough DPIAs, with input from their adtech suppliers.
This proactivity and collaborative working between the parties involved is likely to be the best way to establish the easiest means of providing meaningful information to users and, where necessary, obtaining valid consent.
The most appropriate lawful basis will always depend on the facts and the functionalities of the particular adtech tools being used.
Broadly, however, legitimate interests may be an appropriate lawful basis:
Consent is more likely to be appropriate:
This article was first published in the Privacy Laws and Business UK Report, May 2020. For more information, see www.privacylaws.com/reports.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.