ICO seeks changes to online advertising data practices

Out-Law News | 25 Jun 2019 | 11:29 am | 2 min. read

Businesses in the online advertising industry must change the way they process data to meet the requirements of UK law, the Information Commissioner's Office (ICO) has said.

In a new updating report, the watchdog said that businesses must obtain data subjects' consent to process their data for real time bidding (RTB) in online advertising to comply with the Privacy and Electronic Communications Regulations (PECR) and the General Data Protection Regulation (GDPR).

The ICO is in the process of reviewing how personal data is used in RTB in programmatic advertising. It published an update on its review earlier this month.

RTB is where businesses participate in open auctions to fill advertising space on publishers' platforms. The companies that bid rely on the collection of internet users' personal data to understand what type of adverts to display. The whole process takes place in milliseconds in response to user interactions.

According to the ICO, some businesses currently rely on the 'legitimate interest' condition that is provided for under the GDPR for processing personal data in the context of RTB in online advertising.

Businesses are permitted to process personal data without having to obtain the data subjects' consent in certain circumstances under the GDPR. This includes if they are pursuing a 'legitimate interest' and their interests in processing the data do not unduly prejudice the rights and freedoms of individuals.

The ICO said, though, that it believes it is "impossible" for businesses to rely on the legitimate interest condition for data processing in the content of RTB in online advertising and meet their legal obligations under PECR and the GDPR.

It also said that, if the personal data being processed is of a sensitive nature and qualifies as 'special category' data under the GDPR, such as where the information concerns an individual's health, ethnicity or religious beliefs, businesses require data subjects' explicit consent to process that data. Businesses involved in RTB in online advertising "must therefore modify existing consent mechanisms to collect explicit consent, or they should not process this data at all," the ICO said.

In its report, the ICO also flagged the need for internet users to be provided with clear and comprehensive information about what happens to their data when it is used in the context of RTB, including in relation to whom that data is subsequently shared. The watchdog said it has examined the contractual framework within which bid request data is shared, secured and deleted and found that the "contract-only approach does not satisfy the requirements of data protection legislation".

The ICO raised further concerns about "the scale of the creation and sharing of personal data profiles" in the market, and said that some businesses in the sector are not carrying out data protection impact assessments when they should be.

Businesses in the market will be given "an appropriate period of time to adjust their practices", the ICO said.

"We have focused on RTB due to its complexity, the risks it poses and the low level of data protection maturity we’ve found through some of our initial engagement," said Simon McDougall, the ICO's executive director for technology and innovation. "Whilst we accept that RTB is an innovative means of advertisement delivery, our view is that, in its current form, it presents a number of challenges to good data protection practices."