← Return to Blog

How the industry has to change for adtech and real-time-bidding to comply with GDPR and PECR

On the 20th June, the Information Commissioner’s Office (ICO) published their report on adtech and real-time bidding.

The ICO went into detail about the way real-time bidding (RTB) and adtech works together and then went on to summarise their opinions on what changes need to happen in the market and the industry to ensure not only compliance with GDPR, but also with Privacy and Electronic Communications Regulations (PECR).

In short, the whole report can be summarised by two key bullet points:

  • Any organisation that identifies as a data controller and is trying to use ‘legitimate interest’ in the collection of any cookies is acting unlawfully. All collection of cookies is governed by Regulation 6 of PECR and therefore, requires consent. This covers any type of cookie usage.
  • RTB is incredibly complex and difficult to understand/follow the trail of information sharing. Therefore, all organisations that process special category data and/or use RTB must carry out a Data Protection Impact Assessment (DPIA) and the ICO has requested more transparency from the IAB and Google.

However, when going into more detail, nine central themes were detailed;

  1. The ICO decided to undertake this exercise because they appreciated the confusion around RTB and adtech.
  2. They noted that many organisations are relying on legitimate interest both for processing of personal data and the use of cookies. Regulation 6 of PECR takes precedence over GDPR in respect to cookies and so requires clear and comprehensive information about the use of cookies or “similar technologies” (defined here). Therefore, any use of cookie data must have explicit consent.
  3. The ICO report also notes the use of cookie data for exclusion purposes and has decided that any use of cookie data to profile or exclude falls into the same bucket.
  4. They also found that explicit consent wasn’t being collected properly for “special category data” – defined here.
  5. Even if there is an argument for legitimate interest, the ICO found that the test to ensure enough safeguards were in place were not happening.
  6. The RTB space is incredibly confusing and very technical. The IAB Europe’s Transparency and Consent Framework (TCF), that the ICO focuses on as the industry’s framework of how RTB works, lists over 450 vendors, each with their own privacy policy. The ICO accepts that this is a) too technical and complicated for a user to understand, and b) does not include all the potential vendors an organisation could be working with. They cite that the TCF and Google’s Authorized Buyers Framework (formerly DoubleClick Ad Exchange) as lacking clarity and both need to be revisited to provide more transparency.
  7. Contractual agreements between parties are not enough to ensure that GDPR and PECR is being upheld.
  8. As a result, the ICO recommends organisations action a Data Protection Impact Assessment (DPIA). They set the guidelines of how to measure if you need to do the assessment if you do any of the following:
    1. Use new technology
    2. Any profiling of individuals on a large scale
    3. Collect personal data that has not been obtained from the individuals directly
    4. Track an individual’s geolocation or behaviour
    5. Use personal data of children or other vulnerable individuals
  9. What the ICO is doing next:
    1. More information gathering as they appreciate how complicated this is
    2. Work with the IAB and Google to develop more transparency
    3. Work with European counterparts to keep everything aligned
    4. They will be reviewing the issue in six months following actioning the above

All Response Media viewpoint

It was inevitable that the ICO was going to issue a report on this sector as it has been the one with the least clarity since GDPR came into effect last year. The report does provide a lot of clarity in terms of the landscape but stops short of actioning any change. Although some direction has been given around consent when adtech and RTB are involved, the actual legality, clarity and transparency of working with RTB still needs a lot of work. As a result, ARM will closely monitor the developments and keep an eye on any new information that the ICO may share.


For more information on the digital services, we offer click here.