The Fact Finding Forum was designed to help the ICO better understand the key data protection issues around adtech, and in particular around Real Time Bidding (RTB) in programmatic advertising, by listening to stakeholders’ ideas, concerns and challenges.

The day was structured around three discussion themes: transparency, lawful basis and security. Each session began with short presentations by guest speakers holding different viewpoints to facilitate an open discussion from the floor.

A blog by Simon McDougall, ICO Executive Director – Technology Policy and Innovation, was published shortly after the event.

As the workshop was held under the Chatham House Rule, this report of the day does not attribute comments, beyond the ICO introduction.

Transparency

The aim of this session was to discuss three key questions:

  • How can users be fully informed about what personal data is being used and collected, and which organisations have access?
  • How do organisations provide specific information about individuals’ rights?
  • How can the workings of this complex ecosystem be explained in a language that people understand?

Simon McDougall introduced the session by highlighting that RTB is often complex even to those who have technical knowledge. For those without technical knowledge, it is not well understood. For example, the ICO commissioned Harris to undertake research into online advertising. 54 per cent of 2,300 participants indicated they would rather see ads relevant to them and 63 per cent said it was acceptable how adverts fund content. Following a simple explanation of RTB, the participants were asked the same question again, and only 36 per cent agreed that it was okay. This raises questions around transparency, and whether website and app users genuinely understand how their data may be used in RTB.

It was suggested that RTB broadcasts personal data in bid requests over a billion times each day, with a lack of control over where this personal data is shared and a lack of transparency. An approach of removing or truncating some of the information in the bid request was discussed, which it was argued would remove identifying information from the request.

It was discussed that unsuccessful bidders should not retain information, although there is no way of ensuring this at present.

It was suggested that data in RTB is also used for negative targeting to protect the data subject, for instance so that an online advert is not served because of its harmful impact on the data subject. Examples included vulnerable groups such as gamblers and children. However, the challenge that this still involves sensitive data was discussed.

The use of the AdChoices icon, defined as a self-regulatory tool and used by 170 countries, was discussed.

Some publishers felt that, as the first link in the advertising supply chain, they carried a lot of the compliance obligations around transparency and consent, and that it was important to maintain trust with users. Some were concerned with the reputational risk of using RTB and had made an organisational decision to avoid it in some circumstances. However, others felt that participating fully in RTB was the only commercially viable option available to them right now.

Participants noted the tension between reducing privacy risk through reducing the number of third-party actors involved in a publisher’s website, and maximising revenue through creating competition for the publisher’s advertising space.

Concern was expressed by some publishers that more visible consent mechanisms, which provide users with a choice upfront, may encourage more people to click ‘no’. There was concern that bigger industry players who have consent (e.g. through social media platforms) would then “sweep up the revenue”.

Participants (particularly publishers) were concerned that what they saw as the stringent nature of the General Data Protection Regulation (GDPR) was having a negative impact on maintaining a sustainable business in a declining market. Any further increases in the compliance burden would exacerbate this problem. It was stated by some that there was a commercial risk to over-compliance, and there was ‘first mover disadvantage’ for any organisation implementing a more robust compliance approach before their competitors. This prompted a view that less compliant publishers benefited commercially, and in the long run may be more sustainable.

Also discussed:

  • As controllers, when publishers used the IAB Europe Transparency & Consent Framework (TCF), it was not practically possible to validate the operations and processing of all the vendors specified on the list.
  • It was felt that there was an unclear distinction between controllers and processors in the RTB ecosystem.
  • It was noted that RTB conversations involved consequences around collecting data beyond adtech, and that including martech in the conversation shows a broader picture.

Lawful basis

The aim of this session was to discuss the lawful basis, required under GDPR, to process personal data in the RTB process. Consent and legitimate interests are the most common lawful bases used. If processing special category data, a condition from Article 9 of the GDPR is also needed.

The ICO provided a brief overview of the law, covering consent, legitimate interest and the Privacy and Electronic Communications Regulations (PECR).

Participants had conflicting approaches regarding which lawful basis to use.

It was discussed that obtaining consent was not simple. Some participants noted the high threshold for consent made it a difficult lawful basis to rely on for them, although some felt it was sometimes the only viable option. From a publisher perspective, it was noted that there can be a pressure to obtain consent where it is not practically possible, as it is difficult to validate the purposes vendors have specified.

The fact that PECR requires consent for cookies that aren’t classed as strictly necessary was discussed, with some highlighting an approach to deal with the legal requirements of both separately.

It was noted that the majority of users accept the use of cookies, and a very small number then go on to actively manage their settings. Some participants argued that this high level of consent should be treated with caution as not many users understand what they are consenting to.

Security

This session was an opportunity to note the obligations and challenges of maintaining security in adtech, and it covered the likelihood of a data controller needing to undertake a Data Protection Impact Assessment for many instances of RTB.

Earlier points about the opacity and complexity of the RTB ecosystem were restated and explored in the context of maintaining security between the various controllers and processors that may be involved in a bid request.

Participants discussed alternative approaches to adtech, including privacy-preserving advertising structures that undertook the ‘ad exchange’ features of RTB locally on the device. It was argued that this could reduce security and privacy risks, and give greater control to users.

The ICO offered a window for additional written submissions to be provided following the event.