UK regulator investigates RTB in compliance with GDPR; Google and IAB Europe cooperate

Seven European data protection authorities have received complaints about programmatic advertising and real-time bidding (RTB). The ICO, the UK regulator, was the first to publish a report, last month, opening its investigation into RTB. The ICO is giving the industry six months to respond to the report; after that period, in 2020, it may undertake a further industry review.

The ICO (Information Commissioner’s Office) is a non-departmental public body which reports directly to the UK Parliament. It is the UK national data protection authority responsible for the GDPR and for other national and European data and information laws.

Elizabeth Denham, the Information Commissioner, says that the ICO is treating adtech as a priority because of the complexity and scale of the system. The ICO is examining whether OpenRTB meets the requirements of the GDPR (General Data Protection Regulation) and PECR (Privacy and Electronic Communications Regulations). The Commissioner added that the report sets out the ICO’s initial concerns, and that the ICO expects to see change.

“The rules that protect people’s personal data must be followed. Companies do not need to choose between innovation and privacy.”
Elizabeth Denham, Information Commissioner

The ICO states that it is moving carefully so that it can observe the consequences of its actions. It notes the market dominance of the so-called big tech firms and the vulnerability of small UK publishers.

The Financial Times, however, ran the headline “Adtech industry operating illegally, rules UK regulator”, but the regulator says that, for now, the content of the report is not a formal outcome and does not represent a legally binding decision. The ICO clarifies that the report only contains findings and views that may contribute to future guidance.

Google and IAB Europe are cooperating with the ICO on the industry review. The ICO says it is continuing bilateral engagement with these two entities. IAB is responsible for the OpenRTB protocol, and Google is responsible for its Authorized Buyers Real-Time Bidding protocol.

ICO identified six risk factors in RTB

  • Profiling and automated decision making;
  • Large-scale processing (including of special categories of data);
  • Use of innovative technologies;
  • Combining and matching data from multiple sources;
  • Tracking of geolocation and/or behaviour; and
  • Invisible processing.

New tracking capabilities pose greater risks for individuals

On profiling, the ICO found that the use of cookies has not diminished while new tracking methods are emerging: device fingerprinting, browser fingerprinting and canvas fingerprinting. The ICO says these new “tracking capabilities are becoming more common and pose greater risks in terms of systematic monitoring and tracking of individuals.”

To start with, the UK regulator sets out nine initial concerns about RTB in its Update report into adtech and real time bidding.

ICO’s 9 concerns about RTB

Processing of non-special category data under legitimate interests

“Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires).”

The ICO found that RTB market participants apply different controls to data processing.

Special category data processed without explicit consent

“Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals.”

The ICO found that the IAB content taxonomy and Google’s publisher verticals contain categories relating to health, drugs, politics and identity groups. Although this contextual classification was designed so that advertisers can exclude such content from targeting, it also lets RTB market participants profile the users who visit it.

Legitimate interests without testing and safeguards

“Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.”

DPIA requirements of data protection law

“There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and specifically as regards the ICO’s Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.”

Lack of clarity on the privacy information

“Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.”

Detailed profiling shared among hundreds of organizations

“The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge.”

Special category data is one of the most thoroughly examined concerns in the ICO’s Update report into adtech and real time bidding. The ICO says market participants “must modify existing consent mechanisms to collect explicit consent, or they should not process this data at all.”

Special category data can be found in both OpenRTB and Google Authorized Buyers bid requests. Special category data is information relating to politics, religion, ethnic origin, mental health and physical health. The ICO found that bid requests carry such data alongside other information about the user, including device IDs, cookie IDs and location data.
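To make concrete what “special category data in a bid request” looks like, the following is an added example and not code from the ICO report, the OpenRTB specification or Google. It audits a single OpenRTB 2.x bid request for the identifiers and location data the report mentions and for content categories that map onto special categories. The field paths (user.id, user.buyeruid, device.ifa, device.geo) are OpenRTB 2.x names as recalled by the editor, the tier-1 codes IAB7, IAB11 and IAB23 are from the IAB Content Taxonomy 1.0, and which codes count as “special category” is this script’s own assumption; the sample request is constructed, not captured traffic.

```python
"""Audit an OpenRTB 2.x bid request for the personal and special-category
data described in the ICO report.

Added example: not part of the ICO report, OpenRTB or Google's protocol.
Field paths follow OpenRTB 2.x as the editor recalls them; the mapping of
IAB tier-1 codes onto GDPR special categories is an assumption made here.
"""
import json

# IAB Content Taxonomy 1.0 tier-1 codes treated here as special-category
# signals. Assumption: the choice of codes is this script's, not the ICO's.
SPECIAL_CATEGORY_IAB_CODES = {
    "IAB7": "Health & Fitness",
    "IAB11": "Law, Gov't & Politics",
    "IAB23": "Religion & Spirituality",
}

# Dotted paths into the bid request that carry identifiers or location data
# (the device IDs, cookie IDs and geolocation the report points at).
PERSONAL_DATA_PATHS = {
    "user.id": "exchange-specific user ID",
    "user.buyeruid": "buyer-side (cookie-synced) user ID",
    "device.ifa": "advertising ID of the device",
    "device.ip": "IPv4 address",
    "device.geo.lat": "latitude",
    "device.geo.lon": "longitude",
}


def _lookup(obj, dotted_path):
    """Return the value at a dotted path, or None if any step is missing."""
    for part in dotted_path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _content_categories(req):
    """Collect IAB category codes describing the inventory (site or app)
    from every place OpenRTB allows them, including the content object."""
    codes = []
    for top in ("site", "app"):
        section = req.get(top) or {}
        for key in ("cat", "sectioncat", "pagecat"):
            codes.extend(section.get(key) or [])
        codes.extend((section.get("content") or {}).get("cat") or [])
    return codes


def audit_bid_request(req):
    """Return which personal-data fields are populated and which content
    categories map onto a special category of data."""
    findings = {"personal_data": [], "special_category": []}
    for path, label in PERSONAL_DATA_PATHS.items():
        if _lookup(req, path) is not None:
            findings["personal_data"].append((path, label))
    for code in _content_categories(req):
        tier1 = code.split("-")[0]  # "IAB7-1" -> "IAB7"
        if tier1 in SPECIAL_CATEGORY_IAB_CODES:
            findings["special_category"].append(
                (code, SPECIAL_CATEGORY_IAB_CODES[tier1]))
    return findings


def needs_explicit_consent(req):
    """Heuristic: special-category content plus an identifier that ties it
    to a person means the request profiles that person on special-category
    data, which the report says requires explicit consent."""
    f = audit_bid_request(req)
    return bool(f["special_category"]) and bool(f["personal_data"])


# Constructed sample request (not captured traffic): a health page served
# with a full set of identifiers and a precise location.
SAMPLE_BID_REQUEST = json.loads("""
{
  "id": "example-req-1",
  "site": {
    "page": "https://news.example/health/diabetes",
    "cat": ["IAB7", "IAB1"],
    "content": {"cat": ["IAB23"]}
  },
  "device": {
    "ifa": "11111111-2222-3333-4444-555555555555",
    "ip": "203.0.113.7",
    "geo": {"lat": 51.5074, "lon": -0.1278}
  },
  "user": {"id": "u-example-1", "buyeruid": "b-example-1"}
}
""")

if __name__ == "__main__":
    for kind, items in audit_bid_request(SAMPLE_BID_REQUEST).items():
        print(kind)
        for item in items:
            print("  ", *item)
    print("explicit consent required:", needs_explicit_consent(SAMPLE_BID_REQUEST))
```

Run against the constructed request, the audit flags all six identifier and location fields and the two special-category codes (IAB7 from site.cat and IAB23 from site.content.cat) while ignoring IAB1; a request with only a non-sensitive category and no identifiers produces no findings. The same scan can be run over a log of real bid requests to measure how often an exchange sends health, politics or religion categories together with identifiers, which is the combination the ICO says must not be processed without explicit consent.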

Data not secured in bid requests

“Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.”

Inconsistencies in data minimisation and retention controls

“There are similar inconsistencies about the application of data minimisation and retention controls.”

No guarantees about the security of the data

“Individuals have no guarantees about the security of their personal data within the ecosystem.”
