ICO Report Highlights Concerns With Adtech Industry Real Time Bidding Practices
The recent ICO report highlights adtech bidding and EU data protection regulations.
Ashlea Cartee · July 24, 2019
It’s been over a year since GDPR came into force in the EU. In this period, regulatory bodies have been cautious about enforcing the rules. However, there are signs that this could be set to change.
On June 20, the U.K.’s Information Commissioner’s Office (ICO) released its findings on whether the companies involved in the buying and selling of advertising space using real time bidding (RTB) techniques are doing enough to stay compliant with EU data privacy regulations.
The ICO said there are areas in which adtech will need to improve in order to stay compliant. However, it also said the investigation found “an industry that understood it needed to make improvements to comply with the law.”
What Are the ICO’s Main Concerns About RTB?
The main areas where the ICO found adtech can improve relate to how data is collected, used, and shared by companies involved in RTB. It mentioned nine specific concerns, which we have summarised below.
- The processing of non-special category data is taking place unlawfully. Those who want to drop or read from cookies must gain consent from the end user before doing so. Adtech cannot rely on legitimate interest to justify placing and reading cookies.
- The processing of special category data is taking place unlawfully, which is problematic due to the sensitive nature of this data. The collection of this type of data—which includes information about a user’s political beliefs, religion, ethnicity, and health—is prohibited unless the user gives explicit consent.
- As mentioned in point one, participants within the adtech ecosystem rely on legitimate interest to justify their data collection practices. However, the ICO says that even if this argument was just, those involved haven’t put in place the safeguards required to use it.
- The ICO says there appears to be a lack of understanding of the Data Protection Impact Assessment (DPIA) requirements of data protection law. It isn’t confident the risks of RTB have been assessed and mitigated by those involved.
- Companies that collect data need to do more to let users know what happens to it. Organisations must document and share with users how their processing operations work, what they do, and who they share data with. They must also have a way to allow individuals to exercise their rights with regard to their personal data.
- The profiles created by data are highly detailed and shared among hundreds of organisations without the knowledge of users.
- The ICO says thousands of companies are processing bid requests every week. However, the steps taken to secure this data are inadequate. Companies also need to consider data protection laws about the international transfer of personal data.
- Under data privacy regulations, companies are required to collect minimal data and limit how long they keep it. The ICO says compliance with these rules is inconsistent.
- There are no guarantees about the security of personal data.
The findings of the report affect everyone involved in RTB. This includes advertisers, publishers, advertising exchanges, data management platforms, demand side platforms, supply side platforms, and consent management platforms.
The ICO said it wants to see change but that it will take a “measured and iterative approach” due to the complexity of the market. Those in the industry should begin to take steps to ensure their business is compliant with the privacy regulations.
How CookiePro Helps Websites Stay Compliant
According to EU privacy regulations, websites must gain explicit consent from the user before dropping cookies. This includes all cookies the website uses other than those deemed strictly necessary to the operation of the website.
The report says that often this doesn’t happen and, when there is an attempt to gain permission, it is done in a way that is insufficient. While many websites do gain consent using cookie banners, these often lack clear information about how the cookies use and share the collected data.
CookiePro is a cookie management platform that helps with the above issues. It offers users access to several tools they can use to stay compliant with both GDPR and IAB regulations.
- CookiePro provides websites with a cookie banner that asks the user to consent to cookies before dropping them, a key requirement of regulations. The banner will load on every web page until the user either accepts or rejects cookies.
- The banner provides links to the website’s cookie notice and customisation settings, which allow users to gain access to the information required to make an informed decision about accepting cookies.
- The cookie notice is automatically updated by CookiePro based on the cookies in use on the site. It provides information about what each cookie is for and who it shares data with.
- CookiePro provides a way for users to easily update their cookie preferences at any time.
If you think your company may be affected by the findings of the report, take our free privacy risk assessment scan to find out if your website is compliant with the new EU cookie laws.