Whilst AdTech is only part of the online advertising ecosystem, the UK Information Commissioner's Office (ICO) has been vocal about its intention to investigate it due to the risks it poses to the rights and freedoms of individuals under the General Data Protection Regulation (GDPR).[1] The French DPA (CNIL) has also issued a statement on its plans to draw up an action plan to outline the applicable rules and to help stakeholders in their compliance process.[2]
In this article we will examine the data protection challenges for AdTech and real-time bidding (RTB) companies, as well as some ways to ensure ongoing compliance, including the Internet Advertising Bureau (IAB) Europe's transparency and consent framework (TCF).
AdTech is a term used to describe tools which analyse and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions.[3] It covers the end-to-end lifecycle of the advertising delivery process, which often involves engaging third parties for one or more aspects of these services, although some advertising is still placed directly between advertisers and publishers.
RTB uses AdTech to enable the buying and selling of advertising inventory in real time – i.e. in the time it takes a webpage to load in a user's browser – on an impression by impression basis, typically involving an auction pricing mechanism. It is a type of online advertising – specifically, a subtype of programmatic advertising that is most commonly used for selling visual inventory online, either on the website of a publisher or via a publisher's app. RTB is differentiated from static auctions by the per-impression bidding mechanism, whereas static auctions can entail thousands of impressions bought together as a package deal.
RTB poses a number of risks to data protection, including the following:
Linking each processing operation to a single purpose: Website visitors must be provided with information about the above lawful basis (and provide consent where relevant) prior to the processing operation in order to comply with the principle of transparency.
Obtaining consent: Consent is the lawful basis on which to rely when processing personal data for interest-based advertising purposes, i.e. to target viewers on the basis of their browsing history and the webpage currently being loaded. Consent is also relevant as it is needed under the ePrivacy Directive in order to place cookies (except where these are strictly necessary to provide a service which the data subject has requested) and will likely be necessary under the new ePrivacy Regulation expected to come into force in 2020 and take effect by 2023. In addition, explicit consent is the only valid lawful basis for processing of special categories of data such as health data. Consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes. This has a number of implications for consent in the AdTech industry:
Actively given: Pre-ticked consent boxes are not permitted because they do not demonstrate an unambiguous indication of the data subject's wishes.
Informed: A reasonable amount of information (including third parties which may receive personal data) must be presented to the individual before consent is obtained.
Specific: Consent cannot be bundled but must be obtained for each processing operation.
Freely given: Website visitors must be given a genuine choice. If, for example, a visitor cannot access a website without giving consent to tracking cookies which are not an essential part of supplying the website, the consent is unlikely to be freely given.
Revocable: Ad viewers must have an option to revoke their consent that is at least as prominent, user-friendly and effective as the method used to collect their consent.
AdTech is a complex industry with multiple stakeholders and technical parameters that pose specific risks to the rights and freedoms of individuals. Adopting industry solutions such as the IAB transparency and consent framework will enable AdTech companies to continue their business under the GDPR. The key steps are: identifying and relying on an appropriate legal basis for processing, especially consent for internet-advertising purposes, linking each processing operation to a single purpose for processing, and ensuring that the consent obtained fulfils the GDPR's requirements.
[1] UK ICO, Update Report into AdTech and Real Time Bidding, 20 June 2019, ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf; McDougall S, AdTech – The Reform of Real Time Bidding Has Started and Will Continue, 17 January 2020, ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/blog-adtech-the-reform-of-real-time-bidding-has-started/.
[2] CNIL, Online Targeted Advertisement: What Action Plan for the CNIL? 28 June 2019, https://www.cnil.fr/en/online-targeted-advertisement-what-action-plan-cnil.
[3] UK ICO, Update Report into AdTech and Real Time Bidding, 20 June 2019, https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf.
[4] McDougall S, AdTech – The Reform of Real Time Bidding Has Started and Will Continue, 17 January 2020, ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/blog-adtech-the-reform-of-real-time-bidding-has-started/.