• Skip to primary navigation
  • Skip to main content
  • Skip to footer
  • 020 3330 7010
  • marketing@allresponsemedia.com
  • E-mail
  • Facebook
  • Instagram
  • LinkedIn
  • Twitter
  • YouTube
ARM logo

All Response Media

  • Home
  • About ARM
    • About ARM
    • Meet the Team
  • Our Services
    • TV
    • Digital
      • PPC
      • SEO
      • CRO
      • Social Media
      • Programmatic
    • Offline Media
      • TV
      • TV Execution
      • Press
      • Radio
      • Inserts
      • Door to Door
      • Outdoor
      • DRTV
    • Analytics
    • ARMalytics®
  • Success Stories
    • Client Success Stories
    • TV Star Competition UK
    • TV Star Competition NL
    • Our Work With Startups
  • Content Hub
  • Careers
  • Contact Us
You are here: Home / Digital / How the industry has to change for adtech and real-time-bidding to comply with GDPR and PECR

How the industry has to change for adtech and real-time-bidding to comply with GDPR and PECR

8th July 2019 by Maria Yiangou

On the 20th June, the Information Commissioner’s Office (ICO) published their report on adtech and real-time bidding.

The ICO went into detail about the way real-time bidding (RTB) and adtech works together and then went on to summarise their opinions on what changes need to happen in the market and the industry to ensure not only compliance with GDPR, but also with Privacy and Electronic Communications Regulations (PECR).

In short, the whole report can be summarised by two key bullet points:

  • Any organisation that identifies as a data controller and is trying to use ‘legitimate interest’ in the collection of any cookies is acting unlawfully. All collection of cookies is governed by Regulation 6 of PECR and therefore, requires consent. This covers any type of cookie usage.
  • RTB is incredibly complex and difficult to understand/follow the trail of information sharing. Therefore, all organisations that process special category data and/or use RTB must carry out a Data Protection Impact Assessment (DPIA) and the ICO has requested more transparency from the IAB and Google.

However, when going into more detail, nine central themes were detailed;

  1. The ICO decided to undertake this exercise because they appreciated the confusion around RTB and adtech.
  2. They noted that many organisations are relying on legitimate interest both for processing of personal data and the use of cookies. Regulation 6 of PECR takes precedence over GDPR in respect to cookies and so requires clear and comprehensive information about the use of cookies or “similar technologies” (defined here). Therefore, any use of cookie data must have explicit consent.
  3. The ICO report also notes the use of cookie data for exclusion purposes and has decided that any use of cookie data to profile or exclude falls into the same bucket.
  4. They also found that explicit consent wasn’t being collected properly for “special category data” – defined here.
  5. Even if there is an argument for legitimate interest, the ICO found that the test to ensure enough safeguards were in place were not happening.
  6. The RTB space is incredibly confusing and very technical. The IAB Europe’s Transparency and Consent Framework (TCF), that the ICO focuses on as the industry’s framework of how RTB works, lists over 450 vendors, each with their own privacy policy. The ICO accepts that this is a) too technical and complicated for a user to understand, and b) does not include all the potential vendors an organisation could be working with. They cite that the TCF and Google’s Authorized Buyers Framework (formerly DoubleClick Ad Exchange) as lacking clarity and both need to be revisited to provide more transparency.
  7. Contractual agreements between parties are not enough to ensure that GDPR and PECR is being upheld.
  8. As a result, the ICO recommends organisations action a Data Protection Impact Assessment (DPIA). They set the guidelines of how to measure if you need to do the assessment if you do any of the following:
    1. Use new technology
    2. Any profiling of individuals on a large scale
    3. Collect personal data that has not been obtained from the individuals directly
    4. Track an individual’s geolocation or behaviour
    5. Use personal data of children or other vulnerable individuals
  9. What the ICO is doing next:
    1. More information gathering as they appreciate how complicated this is
    2. Work with the IAB and Google to develop more transparency
    3. Work with European counterparts to keep everything aligned
    4. They will be reviewing the issue in six months following actioning the above

All Response Media viewpoint


It was inevitable that the ICO was going to issue a report on this sector as it has been the one with the least clarity since GDPR came into effect last year. The report does provide a lot of clarity in terms of the landscape but stops short of actioning any change. Although some direction has been given around consent when adtech and RTB are involved, the actual legality, clarity and transparency of working with RTB still needs a lot of work. As a result, ARM will closely monitor the developments and keep an eye on any new information that the ICO may share.

Read more information on our digital services.

Subscribe For More

Newsletter Signup

Footer

ARM logo

The Leading Performance Media Agency

Building businesses and brands by providing clients with an Unfair Competitive Advantage.
ARMalytics®

Get In Touch

London: Sutton Yard, 65 Goswell Road, EC1V 7EN
Phone: +44 (0) 20 3330 7000

Leeds: Marshalls Mill, Marshall Street, LS11 9YJ
Phone: +44 (0) 20 3330 8050

Amsterdam: Koivistokade 3, 1013 AC
Phone: +31 6 3761 9020

marketing@allresponsemedia.com

Privacy Policy | Cookie Policy | Modern Slavery Policy

  • E-mail
  • Facebook
  • Instagram
  • LinkedIn
  • Twitter
  • YouTube

Our Newsletter

Subscribe to receive exclusive media insights straight to your inbox. We respect your privacy.

Newsletter Signup

We are using cookies to give you the best experience on our website.

You can find out more about which cookies we are using or switch them off in settings.

ARM logo
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies

These cookies are essential to provide you with services available through our website and to enable you to use certain features of our website.

If you disable this cookie, we cannot provide you certain services on our website and we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.

Analytical and Performance Cookies

These cookies are used to collect information to analyse the traffic to our website and how visitors are using our website.

For example, these cookies may track things such as how long you spend on the website or the pages you visit which helps us to understand how we can improve our website for you.

The information collected through these tracking and performance cookies do not identify any individual visitor.

Please enable Strictly Necessary Cookies first so that we can save your preferences!

Advertising and Targeting Cookies

These cookies are used to show advertising that is likely to be of interest to you based on your browsing habits.

These cookies, as served by our content and/or advertising providers, may combine information they collected from our website with other information they have independently collected relating to your web browser's activities across their network of websites.

If you choose to remove or disable these targeting or advertising cookies, you will still see adverts but they may not be relevant to you.

Please enable Strictly Necessary Cookies first so that we can save your preferences!

Cookie Policy

More information about our Privacy Policy and Cookie Policy