Earlier this year, the Information Commissioner’s Office (“ICO”) announced plans to restart its investigation of the AdTech industry, with a particular focus on real-time bidding (“RTB”). The initial investigation started in 2019 but was paused in 2020 due to the impact of the Covid-19 pandemic.
The ICO’s main concerns with the current RTB model centre around how AdTech businesses are using and sharing personal data, and whether these practices are in breach of privacy laws.
What is RTB?
RTB is an online ad auctioning process, where advertisement space on websites is bought and sold almost instantaneously, in the time it takes users to load webpages. During the auction process, consumer data from cookies is often shared with multiple advertisers, helping them to make informed, targeted bids that are more likely to get a return on investment. For end-users, this makes the advertising experience feel more relevant and personalised.
While you might not have heard of RTB, there’s no doubt you will have experienced it. Often when you visit a website, you’ll see advertisements being displayed to you. You may have even felt that these advertisements were eerily accurate or tailored to your search engine history – like you’re being watched. This is the dark side of RTB, and exactly what the ICO is concerned about.
Understanding the issues
In its review of RTB, the ICO raised a number of data privacy issues. Here are the top five:
- Meeting compliance standards: The ICO is concerned that the RTB ecosystem is failing to meet compliance standards for cookies. These are governed by the Privacy and Electronic Communications Regulation (“PECR”). In fact, when it comes to cookies, PECR supersedes the General Data Protection Regulation (“GDPR”). Trouble has arisen because many businesses are unsure about the differences in requirements and what applies to them, creating the potential for privacy violations.
- Opacity: Both the GDPR and PECR clearly establish that organisations need to be transparent. This means they must clearly and concisely explain to users how their personal data will be processed. However, the RTB ecosystem is inherently vast, complex and opaque. As a result, organisations often fail to explain to individuals how their data is being handled, which is a clear data protection breach.
- Special category data: The GDPR defines special category data as sensitive information, including political opinions, ethnicity and religious beliefs. Organisations must gain users’ explicit consent to collect and share this kind of data, or it is deemed illegal. Right now, there are worries that special category data is being shared during RTB auctioning processes, without users knowing or understanding this is the case.
- The data supply chain: A single RTB bid involves user data being shared with hundreds of companies, often across multiple geographies. This raises numerous security concerns. Many businesses are relying on third parties to use the data they share lawfully and appropriately, but there are no guarantees. Plus, because personal data is shared so quickly and widely, it’s near impossible to keep track of how and where it is being used.
In other countries, businesses using RTB have already faced hefty fines from their national data protection bodies. Earlier this year, for example, Norway’s Data Protection Authority, Datatilsynet, fined the dating app Grindr €10 million for what it deemed unlawful use of personal information for RTB.
In the UK, the ICO’s renewed interest in the AdTech space means that fast action is needed. For AdTech players, the pressure is on to urgently review their data protection practices and ensure regulatory compliance. It’s likely that we will see a lot of change in this space in the coming months, as many AdTech companies overhaul their current data protection policies to meet compliance standards.
But it’s not just AdTech players who need to be concerned – it’s the whole ecosystem. From third-party advertisers to the businesses that publish ads on their websites, all those who play a role in RTB bidding are vulnerable to data protection violations.
To avoid a costly fine, proactivity is needed. Organisations need to review their data protection practices thoroughly, with the aim of creating authentic transparency for the end-user and, of course, ensuring they obtain lawful consent.