Six months after its first warning the UK Privacy Regulator (ICO) is making clear that the issues with RTB (real time bidding) online advertising have not gone away, and it is now threatening to punish companies that are misbehaving.
- RTB advertising is under scrutiny in Europe for breach of personal data treatment, ICO is leading the charge
- Changes have been made by Google and IAB UK: structural changes are taking place. But worryingly some players are still unaware or ill-informed on the impact of GDPR on the business. ICO will start fining them.
- MEF members welcome the level playing-field, many have worked in getting their RTB advertising compliant with regulation. However, we should not let the market be fragmented by different national implementations : harmonisation should take place or the economies of scale in Adtech investments might disappear.
ICO is happy with the progress that some have made since July 2019, but remains unsatisfied. ICO had highlighted multiple issues in the way companies exchanged user information to support online ads when landing on a webpage. With RTB the user information is shared with hundreds advertising agencies, so that all can bid in real time (using pre-set maximum values) to win the right to deliver the online advertising to that specific user in milliseconds.
An Adtech marvel that could turn in to a privacy nightmare if not properly managed. When a person visits a site, the web-browser shares information on the person including location, hobbies, preferences, gender and in some mis-guided cases, sensitive information such as political views or medical history.
Good and bad players
MEF reported and discussed with its members the feedback from ICO in July. The debate showed how MEF members were already in line with ICO and the European data regulation GDPR, but there are bad players in the market that have not engaged with the regulations. The industry suffers from weak elements in the chain ruining the market for all. This is in line with comments from Simon McDougall, ICO Executive Director of Technology and Innovation, “We are confident that any organisation that has not properly addressed these issues risks operating in breach of data protection law. […] Many organisations are on board with the changes that need making, some appear to have their heads firmly in the sand.”
The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same.” Simon McDougall, ICO Executive Director of Technology and Innovation
McDougal is now openly threatening companies: “The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same. I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.” It is music to the ears of MEF members that have been active in discussing, planning and educating the market in terms of personal data and advertising. MEF will continue to host debate, share news and guidelines.
The 7 issues found by ICO for RTB
What are the issues that ICO has been complaining about? Here is a short summary:
- Little GDPR knowledge – Many RTB participants define themselves as data controllers without a proper understanding of the legal terminology, or the implications of the role. Little real knowledge of the regulation is a big concern.
- Special category data– Some of the personal data should be treated with additional care: politics, religion, ethnic groups, mental health and physical health information can only be processed with the explicit consent from the users. Unfortunately, this was found to be part of some of the taxonomy of information shared by some RTB exchanges. This data should not be collected by RTB.
- Consent – Even for non-special data, user consent should be obtained by the users according to ICO guidelines.
- Lack of transparency – consent might be given by users but complexity or RTB and the user experience make it unclear to the user to what they are agreeing. Work is needed to establish best practices.
- The Data Supply Chain – there are issues with security and data sharing caused by the large supply chain. Personal data can be shared in exchanges with as many as 450 different RTB recipients in Europe. The potential of data leakage with these numbers is exponentially higher.
- Data protection impact assessments (DPIAs). Impact assessments are required: companies in RTB have to review their risks and remedies; a DPIA is mandatory in the case of RTB according to ICO guidelines. However, few companied had engaged with these.
- Industry initiatives to address issues – there are ongoing initiatives to change the way the RTB ecosystem operates, but these are not fully mature, more work is needed.
The Industry Improvements so far – positive steps
It’s not all bad, McDougal adds that the industry collectively is reforming RTB. Here are some of the actions that are taken in UK:
- The Internet Advertising Bureau (IAB) UK has provided guidance on the principles of actions and it will be developing its own guidance for organisations on security, data minimisation, and data retention, as well as guidance on the content taxonomy specific for the UK market. It will also work on an education program for the industry on special category data and cookie requirements.
- Google, the largest actor in the industry, will remove certain content categories, and improve its process for auditing counterparties. It has also recently proposed changes to the Chrome browser, including phasing out support for third party cookies within the next two years.
MEF to support opening the discussion outside of UK
Some of the issues are not just due to the individual companies but the systemic way that RTB has been built. Here the UK market might make some initial inroads, but RTB is a global market, and it would be good for the industry to stimulate the harmonising of these approaches. A fragmentation of the online advertising market with different sets of regulation will only limit the competition and the technological innovation. However, the industry has to review its models and guarantee a proper treatment to user data – this is a global issue, and global solutions should apply.
RTB is the most common way to buy online advertising – according to eMarketer 90% of the UK online display market uses RTB, worth $ 7.59 billion. RTB is not just under close scrutiny in the UK: the Irish data protection watchdog is also opening an inquiry into Google display advertising practice, and the topic is also under investigation in another 11 other countries including Belgium, Luxembourg, the Netherlands, Poland and Spain. It is good that these actions are running in parallel; RTB platforms are international, so a change to the interpretation of the GDPR into RTB should take an international approach not just a UK one. There is work to be done to align the guidance internationally to guarantee a long term success of RTB, within a new personal data framework guidance.
