UK Regulator Calls Out Compliance Failures in Targeted Advertising Industry
The UK regulator for data protection and privacy (the Information Commissioner’s Office — ICO) has published a report on its ongoing investigation into the adtech and real-time bidding (RTB) industries. This is a work in progress, but it is clear that the ICO is not confident that the collection of personal data and subsequent processing of that data by RTB conforms with current legislation.
The ICO is undertaking its investigation in relation to the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the Data Protection Act 2018 (the UK implementation of GDPR). Nevertheless, it would be reasonable to expect the findings and recommendations to be broadly similar across all EU nations.
Its latest report (PDF) is not yet formal guidance, nor a formal sanction on any part of the industry. The ICO hopes to work with the industry to find a mutually acceptable solution to its concerns, but it is not at all clear that this will be possible without specific mandates from the regulator.
The RTB industry is that part of the advertising industry that allows advertisers to bid for targeted advertising slots on individual publications. When a user visits a website, RTB combines personal information — possibly from multiple sources, but especially from tracking cookies and other tracking methods — to allow relevant ads to be bought and placed on the visited website. This happens in real-time so that the visitor does not experience a delay in the web page loading; and it happens billions of times every hour around the globe.
The required transparency is a particular concern, and has been empirically found wanting by a separate ICO study. It commissioned Harris Interactive “To understand the public’s awareness and perceptions of how online advertising is served to the public based on their personal data, choices and behaviour.”
The report (PDF), published in March 2019, found that 63% of the 2,300 participants indicated they found it acceptable that ads funded free content. But after an explanation of how RTB actually works, the figure dropped to 36% — providing a clear indication that RTB is not currently operating with sufficient transparency.
It is the size and complexity of the RTB industry that make transparency and consent (not to mention withdrawal of consent) so challenging. “Given the complexity and opacity of the RTB ecosystem, organisations cannot always provide the information required, particularly as they sometimes do not know with whom the data will be shared. For example, the vendor list that forms part of IAB Europe’s TCF has over 450 organisations, each with separate privacy policies to the online service the user is actually visiting.” The ICO wonders about the ‘practical use to individuals’ of such a list.
However, the complexity of the problem and the confusing nature of the requirement are best stated in this comment from the ICO: “in cases where the processing of personal data by third parties is intended to rely on a consent obtained by a first party, those third parties would need to be named as recipients of the data, and the nature of RTB means that the first party has no means of determining which third parties the data will be shared with. This leads to extensive lists of organisations who the data ‘might’ be shared with, depending on the specifics of the auction process.”
The ICO is clearly not happy with the current state of transparency and consent within the RTB industry (there are other issues, such as uncontrolled export of EU data outside of the EU, and a failure to conduct data protection impact assessments). “The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge,” comments the ICO.
Nevertheless, the regulator doesn’t wish to destroy the industry. Despite the current reservations, “the automated delivery of ad impressions is here to stay.” The ICO intends to continue talking to the industry, to other stakeholders and its regulatory colleagues throughout Europe to see if the industry can be brought into compliance without sanctions. That is going to be a hard task.