On June 20, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) released a report that has severe implications for the ad-tech world when it comes to the real-time bidding (RTB) process. In a nutshell, the ICO announced that the ad-tech industry has been relying on the wrong regulation when it comes to processing data retrieved from cookies and used in the RTB process. How the ICO handles this situation is of broader concern for the ad-tech world because it has everything to do with consent and third-party transfers, just like the California Consumer Privacy Act (CCPA), and California regulators will likely use the EU approach when developing their regulatory spin of the ad-tech industry.

Activities At Issue

The ICO report lists transparency, improper grounds for processing data, and third-party transfer during the RTB process as the reasons for prioritizing ad-tech regulation. Specifically, the ICO opinion touched on the following issues:

- Misplaced reliance on legitimate interest as a lawful basis for processing data.
- Lack of transparency when informing data subjects how their data is shared.
- Data leakage, where data is shared in unintended ways.

A Basis by Any Other Name is Not Always Compliant

The ICO report starts by pointing out that RTB participants erroneously rely on the General Data Protection Regulation (GDPR) legitimate interest basis instead of consent when processing and transferring cookie data. The ICO points to the Privacy and Electronic Communications Regulations (PECR) as the controlling regulation when it comes to setting and collecting cookie data. The reason for this distinction, according to the report, is that cookies store information that is later accessed from the end user’s computer as defined under PECR Regulation 6. Unfortunately, this causes PECR to take precedence over GDPR when it comes to cookie-sourced data. And that means the entire ad-tech industry has been using the wrong regulation to operate.

In fact, according to the ICO, RTB participants are unable to rely on legitimate interest as a basis for processing personal data altogether. To use legitimate interest as an exception to GDPR, the controller must first show an underlying reason for processing personal data that passes the purpose, necessity and balancing tests. Since PECR Regulation 6 takes precedence because this data is cookie-generated, the GDPR legitimate interest exception never even comes into play for RTB participants.

Even if RTB participants could get past the PECR requirements and make it to the GDPR exceptions, consent is still required when viewed in light of the EDPB Opinion 05/2019 and WP 29 06/2014. EDPB Opinion 05/2019 evaluates the different scenarios where GDPR or ePrivacy take controlling precedence. The WP 29 06/2014 opinion states, “. . . this does not mean they could rely on legitimate interests ‘to unduly monitor the on-line or off-line activities of their customers, combine vast amounts of data about them from different sources that were initially collected in other contexts and for different purposes and create – and for example, with the intermediary of data brokers, also trade in – complex profiles of the customers' personalities and preferences without their knowledge, a workable mechanism to object, let alone informed consent.’” That is a pretty wordy description of the way data is used by RTB participants.

Who gets this bidding data?

That is a great question, and unfortunately, neither Supply Side Platforms (SSPs) nor Demand Side Platforms (DSPs) have an answer for that. The ICO found that many SSP and DSP organizations do not have information about third-party recipients participating in the bidding process. For instance, the IAB Europe Transparency and Consent Framework (TCF) lists over 450 organizations using the service; however, this list is incomplete because some TCF service providers use additional third parties to process data. When this happens, there can be no valid consent because a data subject lacks the information necessary to make valid decisions under either PECR or GDPR. Again, both regulations require full disclosure of all third parties receiving personal data to meet informed consent requirements.

Compounding the issue is that RTB participants rely on contractual agreements to comply with their third-party transfer obligations under the TCF; this mechanism was set up to account for consent being collected and retained by website publishers. The RTB participants then rely on contractual obligations with website publishers as assurance that valid consent was acquired before any personal data transfer. Unfortunately, as was articulated in CNIL’s Vectaury decision, a controller is obligated to have on hand the data subject’s actual expression of consent and may not rely on a contractual agreement as a replacement.

And that leads to the third point in this ICO report: because SSPs and DSPs operate like an auction, there are no guarantees or technical controls around data use. The SSPs and DSPs take cookie data and broadcast that data to a group of bidders looking to place an advertisement. Transmitting personal data to start the bidding process is where the ICO takes exception with the process mechanics because once it starts, data recipients are not bound by any retention, permitted use, or adequate protection requirements; and there may be thousands of bidders gaining access to this personal data per millisecond! Again, this is how Vectaury was found to have violated GDPR provisions.

What is the Outcome?

Well, the ICO has placed RTB participants on notice that they are expected to re-evaluate their approach to privacy notices, use of personal data, and the reliance on legitimate interest as a lawful basis for processing personal data. The good news is that the ICO is still in research mode for the time being. That means the ad-tech industry has time to adjust operating processes and, more importantly, raise comments to the ICO before definitive rulings are handed down. In the meantime, SSP and DSP network participants have little time to do the one thing they dread most: document their processes!