Adtech sector comes under increasing ICO pressure

In 2018 the French Data Protection Authority (CNIL) reported that 21% of GDPR-related complaints concerned marketing activities in the broad sense. Specifically this has renewed focus on use of cookies and the requirement for “clear, affirmed, informed, specific, freely given and unambiguous” consent. 

The CNIL plans to issue new guidelines in July 2019. Implied consent for use of cookies will no longer be considered as valid consent, although adtech companies will be granted a 12 month grace period to amend practices, during which implied consent will continue to be valid. 

With a focus on the adtech sector active on this side of the Channel, the UK Information Commissioner’s Office recently published an updated report on adtech. This follows industry consultation and focuses on the realities of organisations within the adtech sector complying with GDPR and the UK’s implementation of the e-Privacy Directive (PECR).

Much of the report looks at the real-time bidding component of digital advertising. The ICO considers that this raises several issues under data protection law, relating to transparency, the processing of special category data, establishing an appropriate legal basis, and conducting data protection impact assessments.

In particular the ICO raised concerns over the lack of clarity regarding what will happen to the data subject’s information in the digital advertising context. 

The ICO also raised concerns over the use of special categories of personal data (race, ethnicity, sexual orientation, health information etc) for segmentation. 

The ICO supported the plans issued by CNIL and clarified that consent must meet the GDPR’s standards (it must be freely given, specific, informed and unambiguous). To back this up, the ICO has even updated its own cookie policy wording. Importantly, under the PECR, consent is required prior to dropping of cookies and this poses considerable challenges for the adtech sector, which usually uses banners and cookies to collect the data.

The ICO noted that real-time bidding might trigger the need to conduct a DPIA and that, to date, organisations involved in this activity are not carrying them out. Reasons for a DPIA might include the use of new technologies, profiling individuals on a large scale, invisible processing, tracking of behaviour and geolocation data, as well as the use of personal data of children or other vulnerable individuals for marketing purposes, profiling or automated decision making as a relevant trigger. 

The ICO appears keen to engage with the adtech sector, inviting responses and emphasizing that it aims to take a “measured and iterative approach”. The ICO also acknowledged the importance of digital advertising to the availability of content online and consumer decision-making/engagement. The ICO has encouraged those in the adtech industry to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the real-time bidding ecosystem.”