In its recent paper, Update report into adtech and real time bidding (20 June 2019), the ICO has set out a biting criticism of how real time bidding (RTB) currently operates in the UK. The phrase disproportionate, intrusive and unfair occurs three times, and intrusive on its own is used an additional three times. The paper is not intended as formal guidance, but it gives a clear sense of direction. The ICO also adds that the issues it raises in this paper are not the only concerns it has with programmatic advertising.
Although the ICO has stated that it will take another six months to investigate further, it is already clear that the ICO will intervene. The ICO’s paper, and its forthcoming intervention, are likely to have a substantial impact in the programmatic industry in the EU and the US. It is no exaggeration to say that the ICO’s intervention is likely to have a bigger impact on this industry than the GDPR. To give some idea of scale: the worldwide spend of on programmatic advertising is expected to reach US$98bn in 2020, representing 68% of total expenditure on digital media advertising. In Europe, the UK is by far the largest market, followed by Germany and then France (approx.. US$15bn, US$8bn, US$4bn, respectively, in 2018).
The ICO’s activity can be traced back to number investigations led by the CNIL in last few years, culminating in Vectaury in October 2018 and the subsequent €50m fine of Google in January 2019. In those cases, the CNIL had exposed how companies improperly obtained personal data and then traded that data amongst each other as part of RTB. The CNIL has been particularly critical of the implementation of consent as a lawful basis (generally improperly carried out), a general laxity around the handling of personal data (Vectaury had been ordered to delete 67million user records collected from RTB), and the use of contractual warranties amongst the companies involved in lieu of consents directly obtained from the data subject.
Against that background, it would have been very difficult for the ICO to ignore the issues raised by RTB. Earlier this year the ICO held a workshop with members of the industry to gather information on how the programmatic advertising worked in practice, and the recent paper one of the results of that workshop.
In its paper, the ICO reached the following conclusions.
- The intrusive nature of RTB meant that, under the GDPR, the only lawful basis available is consent. Elements of the industry had argued that legitimate interest was a viable basis: the ICO strongly disagreed.
- Some of the data being processed was special category data: clearly this required consent.
- Lack of transparency was also a concern. Not only lack of transparency in the usual sense that the purposes for which the data to be used were insufficiently described, but also in the sense that – because the RTB ecosystem involved more than 1000 players which would participate, or not participate, on an ad hoc basis – it was impossible for users to get any real idea of who their data would be shared with.
- The industry was set up so that each player claimed to be a controller: that then imported the accountability principle. The accountability principle required that you were able to demonstrate that you actually had consent: it was enough to show that you were part of a contractual chain of warranties, each referring back to the original company that had collected the consent.
- There was insufficient discipline around the handling of personal data. The nature of RTB was that individuals’ profiles were freely traded amongst participants in the RTB process, with little regard to who received the data, its subsequent deletion, and so on.
- In the ICO’s view, RTB was both large scale and high risk: it therefore met the criteria for mandatory DPIAs. DPIAs were few and far between in the RTB world.
Consent and legitimate interest
Starting with the requirement of consent for marketing and advertising cookies, the ICO went on to conclude that that consent was the only lawful basis for RTB under GDPR. However, this seems like a clear non-sequitur: it is not because you need consent for some uses that you need consent for all uses, and requiring GDPR consent for all data processing that flows from a non-essential cookie, however benign that processing might, is a stretch. In fact, the ICO seemed unusually inconclusive on this point: “whilst associated processing of personal data may be able to rely on an alternative lawful basis, consent is also the most appropriate lawful basis for processing of personal data beyond the setting of cookies.” [emphasis added]. “Most appropriate” does not sound like a legal conclusion about what the GDPR allows or does not allow.
The key problem here is that the E-privacy Directive/PECR and the GDPR simply to do not fit together. To give a simple example, PECR requires that the information given for non-essential cookies be “clear and comprehensive”. However, presumably this is not the GDPR Article 13 standard which uses 533 words to specify its transparency requirement. The GDPR refers to the need to adjust the E-privacy Directive so that it more closely aligns to the GDPR (Recital 173), but this seem unlikely to happen any time soon.
Transparency and accountability
According to the ICO, although the GDPR allows for privacy notices to specify “recipients or categories of recipients”, if the recipient of the data is going to rely on consent as the lawful basis, the identity of the recipients needs to be provided to the individual when his or her data is first collected. Arguably this is a creative reading of the GDPR (consent can be just as freely given, specific, informed and unambiguous in relation to a category, as it can be in relation to an individual) but in practice it is unlikely to make much difference. If participants in RTB are relying on consent, then they must be able to demonstrate that they have consent (Article 7.1). And then, as controllers, they must be able to demonstrate accountability in relation to the data they process: what data they receive, how they hold it, what they do with it, how they protect it. The ICO was far from convinced that most participants in RTB would able to do so.
Special categories of data
RTB uses taxonomies to classify people and websites. Existing classification types include Heart and Cardiovascular Diseases, Mental Health, Sexual Health and Infectious Diseases Reproductive Health, Substance Abuse, Health Conditions, Politics and Ethnic & Identity Groups, all of which, if used in relation to an individual, reveal special categories of data. The ICO’s investigations showed that these taxonomies were used both to determine the advertisements that were served to the consumer and also to determine the advertisements that would appear on a particular website. For example, if the taxonomy showed that a user was a vegetarian, serving him or her with an advertisement for cheap beef would be pointless. Equally, it would not make much sense to serve an advertisement for cheap beef to a vegetarian website. The ICO’s view was that both these uses, when they involved special categories of data, required consent. While the first usage, based on the taxonomy of a particular person, is clearly processing of personal data, it is hard to see how the latter (a rule matching website types to advertisement types) can be, since it the rule exists independently on any particular individual.
However, the ICO’s main point is clear: the way that RTB presently occurs is disproportionate, intrusive and unfair. It expects participants, the industry as a whole, and in particular the owners of two protocols that allow RTB to take place – the IABs OpenRTB and IAB Europe’s Transparency and Consent Framework (TCF); and Googles Authorized Buyers framework – to go back and rethink their whole approach.
A key question though, is why now? Why is the ICO carrying out an in-depth investigation of RTB now when RTB has been around for a number of years? Is it because the previous CNIL investigations had highlighted RTB that the ICO felt emboldened, or was it the arrival of the GDPR which gave it the confidence to take on a whole industry? It is odd to see the ICO so aghast in its report when it must have known that RTB was fairly standard practice. In fact, even in 2011, the ICO guidance on third party advertising stated: “However, using personal data in this way is not intrinsically unfair or intrusive, and the DPA provides various options for processing this information legitimately – i.e. there are alternatives to consent.”
There are probably two main reasons. The first is the imminent arrival of the internet of things which will multiply hugely the amount of data collected about individuals and allow geographical and cross-device tracking with increased facility. No doubt the ICO felt that, with the horse already half out of the stable, it had to act now or the horse would be long gone.
Secondly, the ICO has finally come of age. In the space of a few weeks it has decided to take on an industry, and also announced its intention to fine British Airways £189 million and Marriot Hotels more than £99 million, both fines far in excess of any fine it has previously levied. In the world of data protection, at least in the UK, the centre of gravity has shifted.
The ICO acknowledges that RTB is a complex area. It therefore plans to take a “measured and iterative approach” before undertaking a further review in six months’ time. However, some kind of intervention seems inevitable. In fact, the report says a much “We do not think these issues will be addressed without intervention.” The most likely outcome is that ICO will come back with a stepped timetable by which it expects RTB players to comply more closely with the GDPR. Whether they will able to, and preserve existing revenues, is another matter.
 See here for an account. https://thisisdpo.co.uk/2018/11/27/french-ico-orders-deletion-of-67-million-records/
 See here for an account. https://thisisdpo.co.uk/2019/01/26/cnil-v-google-what-google-got-wrong/