The British data protection watchdog ICO is investigating how personal data is used in digital ads. It does not look good. In an interim report, the ad tech industry is blamed for not protecting our data sufficiently in the real time bidding process (“RTB”). The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge, according to the report.
Sensitive data is being shared and used without people’s consent, according to the British Information Commissioner, ICO, who in late June published their interim report on AdTech and Real Time Bidding. And it is on a scale that feels ‘disproportionate, intrusive and unfair’, particularly when people are often unaware it is happening, it says.
Harsh words for an industry which a growing number of users are trying to evade with adblockers.
RTB enables buying and selling of advertising inventory in real time – that is, in the time it takes a webpage to load in a user’s browser. It is based on an auction pricing mechanism – who pays the highest price fastest. It is a type of online advertising that is most commonly used either on the website of a publisher or via a publisher’s app.
But it is not legal, and the ICO has given the ad tech industry 6 months to comply with the GDPR (General Data Protection Regulation). Or rather, in 6 months’ time the ICO will do another review, and
“In the meantime, we expect data controllers in the adtech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem”, ICO states.
The problems in a nutshell:
- Sharing of sensitive data. According to the report the advertisers share data such as ‘Heart and Cardiovascular Diseases’, ‘Mental Health’, ‘Sexual Health’, ‘Infectious Diseases’, ‘Reproductive Health’, ‘Substance Abuse’, ‘Health Conditions’, ‘Politics’ and ‘Ethnic & Identity Groups’
- Lack of consent and explicit consent. Organisations cannot always provide the information required, particularly as they sometimes do not know with whom the data will be shared. For example, the vendor list that forms part of IAB Europe’s (International Advertising Bureau) TCF has over 450 organisations, each with separate privacy policies to the online service the user is actually visiting.
- Massive profiling. RTB also involves the creation and sharing of user profiles within an ecosystem comprising thousands of organisations. These profiles can also be ‘enriched’ by information gathered by other sources, eg concerning individuals’ use of multiple devices and online services, as well as other ‘data matching’ services. The creation of these very detailed profiles, which are repeatedly augmented with information about actions that individuals take on the web, is disproportionate, intrusive and unfair in the context of the processing of personal data for the purposes of delivering targeted advertising.
According to the report, part of the adtech industry seems to perceive consent as ‘challenging’ and legitimate interests as the ‘easy option’. But the ICO states: “We believe that the nature of the processing within RTB makes it impossible to meet the legitimate interests lawful basis requirements. This means that legitimate interests cannot be used for the main bid request processing.”