Whilst AdTech is only part of the online advertising ecosystem, the UK Information Commissioner’s Office (ICO) has being vocal about its intention to investigate it due to the risks it poses to the rights and freedoms of individuals under the General Data Protection Regulation (GDPR).1 The French DPA (CNIL) has also issued a statement on its plans to elaborate an action plan in order to outline the applicable rules and to help stakeholders in their compliance process.2
In this article we will examine the data protection challenges for AdTech and real-time bidding (RTB) companies, as well as some ways to ensure ongoing compliance, including the Internet Advertising Bureau (IAB) Europe’s transparency and consent framework (TCF).
What is AdTech?
AdTech is a term used to describe tools which analyse and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions.3 It covers the end-to-end lifecycle of the advertising delivery process, which often involves engaging third parties for one or more aspects of these services, although some advertising is still placed directly between advertisers and publishers.
What is real-time bidding (RTB)?
RTB uses AdTech to enable the buying and selling of advertising inventory in real time – i.e. in the time it takes a webpage to load in a user’s browser – on an impression by impression basis, typically involving an auction pricing mechanism. It is a type of online advertising – specifically, a subtype of programmatic advertising that is most commonly used for selling visual inventory online, either on the website of a publisher or via a publisher’s app. RTB is differentiated from static auctions by the per-impression bidding mechanism, whereas static auctions can entail thousands of impressions bought together as a package deal.
Who are the main stakeholders?
- Advertisers: Advertisers are organizations which bid in real time to serve ad impressions to webpage visitors. The highest bidder wins, and their advertisement will be presented to website visitors.
- Publishers: Publishers are websites that sell space (inventory) for online advertisements.
- Advertising exchanges: Exchanges are platforms for comparing the price and quality of impressions. They serve as mediators and connectors for the bidding between advertisers and publishers.
- Supply Side Platforms (SSPs): SSPs help publishers manage and sell their advertising inventories.
- Demand Side Platforms (DSPs): DSPs buy inventory based on behavioural, and often personal data. If the impression matches the advertiser’s target audience, then a bid is placed via the DSP.
What are the specific data protection challenges?
RTB poses a number of risks to data protection, including the following:
- Profiling and automated decision-making. Each impression is profiled and evaluated in milliseconds during the auction process while a webpage loads.
- Large-scale processing (including of special categories of data). The reach of RTB enables advertisers to profile and evaluate impressions across a wide array of sites, making it possible to target audiences at scale.
- Use of innovative technologies for data processing. RTB is based on a complex set of technologies and practices used in programmatic advertising.
- Combining and matching data from multiple sources. The RTB data supply chain entails so-called data matching or enrichment.
- Tracking of geolocation and/or behaviour. Bid requests normally contain demographical data, location information and browser history, such that ad viewers can be targeted at a demographic, psychographic and behavioural level.
- Lack of reliance on a lawful basis, especially valid consent. Ad viewers are often unaware of the process that goes behind an ad impression before clicking on a website, let alone have consented to their data being used for such processing.
What steps can AdTech and RTB companies take to ensure GDPR compliance?
- Adopting industry solutions: The EU AdTech industry body, IAB Europe’s transparency and consent framework , is an attempt to promote GDPR compliance, particularly in relation to capturing consent. It aims to help publishers, advertisers, technology vendors and agencies capture, store and signal global consents obtained by publishers in an industry-standard manner. The system also provides a ‘white list’ of vendors which publishers can use when they collect user consent.4
- Having a lawful basis for processing: A lawful basis is necessary for the processing of personal data under the GDPR. AdTech companies have the additional challenge of multiple purposes being pursued for a single ad impression – interest-based advertising itself, but also analytics, reporting, and anti-fraud. Each of those needs to be assessed in terms of lawful basis. In the context of AdTech, this will most likely be the consent of the data subject, or the legitimate interests of the data controller.
- Linking each processing operation to a single purpose: Website visitors must be produced with information about the above lawful basis (and provide consent where relevant) prior to the processing operation in order to comply with the principle of transparency.
- Obtaining consent: Consent is the lawful basis on which to rely when processing personal data for interest-based advertising purposes, i.e. to target viewers on the basis of their browsing history, and webpage currently being loaded. Consent is also relevant as it is needed under the ePrivacy Directive in order to place cookies (except where these are strictly necessary to provide a service which the data subject has requested) and will likely be necessary under the new ePrivacy Regulation expected to come into force in 2020 and take effect by 2023. In addition, explicit consent is the only valid lawful basis for processing of special categories of data such as health data. Consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes. This has a number of implications for consent in the AdTech industry:
- Actively given: Pre-ticked consent boxes are not permitted because they do not demonstrate an unambiguous indication of the data subject’s wishes.
- Informed: A reasonable amount of information (including third parties which may receive personal data) must be presented to the individual before consent is obtained.
- Specific: Consent cannot be bundled but must be obtained for each processing operation.
- Freely given: Website visitors must be given a genuine choice. If, for example, a visitor cannot access a website without giving consent to tracking cookies which are not an essential part of supplying the website, the consent is unlikely to be freely given.
- Revocable: Ad viewers must have the option to revoke their consent that is at least as prominent, user-friendly and effective as the method used to collect their consent.
AdTech is a complex industry with multiple stakeholders and technical parameters that pose specific risks to the rights and freedoms of individuals. Adopting industry solutions such as the IAB transparency and consent framework will enable AdTech companies to continue their business under the GDPR. The key steps are: identifying and relying on an appropriate legal basis for processing, especially consent for internet-advertising purposes, linking each processing operation to a single purpose for processing, and ensuring that the consent obtained fulfils the GDPR’s requirements.
1UK ICO, Update Report into AdTech and Real Time Bidding, 20 June 2019, ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf; McDougall S, AdTech – The Reform of Real Time Bidding Has Started and Will Continue, 17 January 2020, ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/blog-adtech-the-reform-of-real-time-bidding-has-started/.
2CNIL, Online Targeted Advertisement: What Action Plan for the CNIL? 28 June 2019, https://www.cnil.fr/en/online-targeted-advertisement-what-action-plan-cnil.
3UK ICO, Update Report into AdTech and Real Time Bidding, 20 June 2019, https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
4McDougall S, AdTech – The Reform of Real Time Bidding Has Started and Will Continue, 17 January 2020, ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/blog-adtech-the-reform-of-real-time-bidding-has-started/.