ICO Updates GDPR Report on Real Time Bidding in AdTech Industry

The UK Information Commissioner’s Office (ICO) has updated its report on the use of personal data in real time bidding by the AdTech industry with regard to the EU GDPR. Real-Time Bidding is a set of technologies used in programmatic advertising to allow advertisers to compete for digital advertising space in milliseconds before a web page is loaded.

The ICO focused on this area because of what it saw as “a number of challenges to good data protection practices” as well as a “low level of data protection maturity”. The report suggests that the ICO is planning a measured, decisive response that gives market participants an appropriate period of time to adjust their practices.

As part of its efforts, the ICO intends to gather additional information from data controllers on management of bid request data to understand industry practices, consult with IAB Europe and Google, as well as share information with other data protection authorities across Europe.

In particular, the update indicated there were two areas of priority:

1. A company must be collecting explicit consent to use sensitive personal data to serve advertising, which is often not happening now.

2. Sharing data about people with hundreds of companies without assessing the risk raises questions around security and data retention.

As far as the consent requirement, the ICO report noted that identifying a lawful basis for RTB processing is challenging because the valid legitimate interests are limited. Additionally, there are problems with transparency as privacy notices do not give them full visibility and many data subjects are unaware of the scope of the processing taking place.

Among the risks to the rights of individuals identified within RTB as likely to result in a high risk to the rights and freedoms of individuals were profiling, automated decision-making, use of innovative technologies, combining and matching data from multiple sources, geolocation tracking, and invisible processing. As a result, the ICO said many of these factors constitute criteria that would make a data protection impact assessment (DPIA) mandatory under GDPR Article 35.

The ICO also recognized cross-device tracking as one of its regulatory priorities, which is also involved in RTB and AdTech.

Organizations that are involved in AdTech should carefully review the updated statement around RTB and contact Clarip at 1-888-252-5653 to discuss how our enterprise privacy management software can help with consent management, transparent disclosures, data protection impact assessments and other aspects of GDPR.