09 December 2019 - Post by:Karishma Brahmbhatt
On 19 November 2019 the UK ICO held a follow-up to its Adtech Fact Finding Forum (held in March 2019). With several key adtech players having aired their concerns, challenges and frustrations back at the March forum, the mood at this latest event was markedly different. There was an air of acceptance that the status quo is no longer an option, and that approaches must change to comply with European privacy laws. The question now is, how?
One of (several) challenges that adtech players are facing is that currently we all only have an idea of what ‘bad’ adtech practice looks like; for example, accumulating rather than minimising data, opacity or incomprehensibility of information (such as overloading individuals with long lists of adtech vendors and jargon) and processing on the basis of invalid consent. It is generally understood what ‘good’ personal data processing theoretically entails, but this does not fit neatly (or, some would argue, at all) into the adtech machine.
The ICO’s November event engaged a similar cross-section of adtech stakeholders as those in its March forum – ranging from publishers, advertisers and adtech companies to lawyers, privacy campaigners and supervisory authorities. The agenda for the event was to take stock of movement in the adtech industry, and the ICO’s thinking, since the ICO issued its Update report into adtech and real time bidding (the “Report”) earlier this year, and to figure out what ‘good’ adtech practice looks like in the context of European privacy laws.
In its Report the ICO gave adtech players six months to evaluate their approach to privacy notices, use of personal data, and lawful basis applied to their real time bidding activities. That six month period expires on 20 December 2019. With that in mind, here’s a countdown of the top take-aways from the event:
8. The findings in the Report remain valid. The ICO’s extensive industry engagement since 20 June this year has only confirmed its view of the adtech landscape, and its prioritisation of the privacy issues identified in the Report.
7. ‘Good’ legitimate interests assessments in the adtech context seem to be elusive. The ICO considers that it is not for supervisory authorities to specify which legal basis can be relied upon for specific processing activities. That being said, the ICO has been unimpressed with the adtech-related legitimate interests assessments (“LIAs”) it has seen to date. What a ‘good’ adtech LIA looks like has not been articulated. The ICO is therefore asking adtech players to submit adtech LIAs for its consideration broadly on the basis that, on this occasion, it will not penalise companies that submit adtech LIAs falling short of the mark.
6. There is an over-reliance on contracts. Contractual measures only protect rights and freedoms of individuals to a limited extent. Adtech players need to supplement contractual protections with, for example, third party due diligence and audit. However, this is no mean feat given that a company’s ability to implement non-contractual measures depends on a variety of factors, such as resourcing and financial constraints, and company size and bargaining power.
Interestingly, a major adtech facilitator has already substantially invested in evaluating counterparty compliance with data protection laws and its policies. From Q1 2020 it will start periodically auditing counterparty compliance with its policies. These audits will take place via questionnaires and on-premises site visits with dedicated audit teams carrying out virtual and physical audits
5. The ICO is still one of several EU supervisory authorities focussing on adtech. Consistent with the ICO’s statement in the Report that it would continue to liaise and share information with its European colleagues, it re-iterated that it has regular discussions with other European supervisory authorities about adtech. Indeed, at least four supervisory authorities were present at the event.
4. There was much discussion on three data protection issues in particular: the role of various adtech participants as controller/processor, the minimum volume and nature of data required in bid requests, and security. The privacy challenges and commercial tensions on each of these have been outlined in our previous adtech blogs, but these have not subsided over the last nine months.
3. Two key adtech players have been discussing with the ICO the detailed schema they are using in their respective frameworks. Both have been working on measures to align their frameworks with GDPR and ePrivacy requirements, and have started to publicise some of these measures.
2. The issue of privacy in adtech is not going away… The ICO emphasised that it is “really engaged in this area now” and will continue working on privacy in adtech until its concerns have been addressed. It has no intention of de-prioritising this, or re-allocating resources.
1. …but the ICO will not be calling off Christmas! The ICO is aiming to release its next adtech blog and a summary of the November event in mid-December, but does not expect to be bringing any enforcement action before the end of 2019.
Achieving privacy compliance in the adtech ecosystem is a complex problem of a global nature. Despite enhanced regulatory scrutiny in this area, it is universally accepted that there is no silver bullet that can fix the problem. The ICO’s events have helped to open the channels of communication between adtech participants, and pave the path for more honest and practical dialogue in bilateral arrangements. But as the clock ticks down to 20 December, the need for adtech players to figure out how to operate within the GDPR framework remains as pressing as ever.