Analysing adtech series part 1
In the words of Simon McDougall, Executive Director for Technology Policy and Innovation at the Information Commissioner's Office (ICO), "advertising is as old as commerce itself". But, just as technology has revolutionised so many other areas of our lives, advertising has been transformed by the digital revolution. The vast amount of data that businesses now hold about us makes it easier than ever to personalise and target ads to generate maximum engagement, leading to an explosion of the advertising technology, or "adtech", industry.
But the use of that data has been high on regulators' and courts' radars over the last year. The first fine under the General Data Protection Regulation 2016 (GDPR), to the tune of €50 million, related to Google's digital advertising practices. The ICO is in the midst of an investigation into data protection practices in adtech and released a damning interim report in July 2019 indicating severe compliance issues in practices around real time bidding. Cookies, on which adtech relies heavily, are also under scrutiny, with the recent Planet 49 case in the Court of Justice of the European Union (CJEU) confirming that relying on implied consent makes cookies compliance crumble.
All of these developments highlight significant challenges for data protection compliance in the adtech space.
Adtech involves a complex web of different stakeholders, from advertisers and publishers, to ad exchanges, to demand- and supply-side platforms. It can often be difficult to work out which entities are acting as data controllers and data processors and therefore what contractual frameworks and obligations should be in place. Several different stakeholders may also be "joint controllers", even if some of those stakeholders have no access to personal data. The 2018 Wirtschaftsakademie case in the CJEU held that an organisation running a Facebook fan page was a joint controller with Facebook in respect of personal data used by Facebook to collate visitor statistics which were then sent to the organisation in an anonymised format. This was on the basis that the organisation set the demographic parameters on which it wished to receive statistics (for example, occupation, age, interests etc.). Joint controller relationships give rise to joint and several liability and an obligation to set out in writing which controller is responsible for which elements of compliance (e.g. who provides the privacy notice).
The ICO's real time bidding report identified the lack of transparency in real time bidding (as well as adtech more widely) as a major issue. In such a complex ecosystem, it is difficult a) to provide information about personal data processing in a format and language that users will understand; and b) to identify, on a practical level, where and how such information will be provided. Particularly in an online context, where content can be accessed by numerous different demographics, privacy notices provided will need to be intelligible to audiences of all ages and abilities. The language of such privacy notices, as well as the point in the user journey at which they are provided to individuals, will be crucial in demonstrating best practice in transparency compliance.
When personal data is processed in an adtech context, organisations must identify the appropriate "lawful basis" for the processing of that data. Often, this may be consent; the Privacy and Electronic Communications Regulations 2003 (PEC Regs) impose a separate requirement to obtain consent if personal data is collected by cookies or if the advertising in question constitutes "electronic direct marketing". Where this is the case, the ICO's view is that consent is also the most appropriate GDPR lawful basis (indeed, the real time bidding report stresses that current practices that attempt to rely on "legitimate interests" for the collection of data by advertising cookies are unlawful). Organisations will need to consider the practicalities of obtaining consent, including who is responsible for managing consent and how opt-out requests are flowed through the supply chain. If consent is not required under the PEC Regs, it may be possible to rely on "legitimate interests", but this will always require a balancing test to be carried out between the organisation's interests and users' rights.
The ICO's investigation into adtech and data protection is continuing and further reports and guidance may be issued in the coming months. There may also be further court cases and fines that will affect how organisations navigate the adtech ecosystem. In the meantime, organisations looking to process personal data in the adtech space should consider taking the following steps:
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2019. Specific advice should be sought for specific cases.