The 7-Step Ad Tech Guide – New guidance issued by industry bodies on programmatic advertising

The Data & Marketing Association and the Incorporated Society of British Advertisers have published a “Seven-Step Ad Tech Guide” (the Guide) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising.

RTB is an automated auction process that allows advertising space to be bought and sold on a per-impression basis. When a user visits a publisher’s property (usually a website or app), this triggers a bid request that usually contains personal data (such as the user’s demographic information, browsing history, location and the page being loaded). The bid request goes from the publisher’s property to an ad exchange. It is then submitted to multiple advertisers who can automatically submit bids to place their adverts on the publisher’s property so that it can be viewed by the user in real time, and the ad impression goes to the highest bidder.

As the provision of targeted, personalised advertising through RTB relies on the use of personal data (particularly as more detailed bid requests are deemed to be more attractive to advertisers), various data protection issues and challenges arise in relation to RTB, which have concerned the UK’s Information Commissioner’s Office (ICO).

The Guide was produced in consultation with the ICO and seeks to address concerns that the ICO identified in its investigation into RTB and the ad-tech industry.
The ICO announced in early May that this investigation is currently on hold during the COVID-19 pandemic, but it plans to restart work in the coming months as its concerns about ad-tech remain.

The Guide sets out seven steps that businesses engaged in the programmatic delivery of digital advertising should take to ensure that they adhere to legal requirements and demonstrate their understanding of the ICO’s concerns:

Step 1 – Education and understanding

This section of the Guide provides a description of the complex ad-tech ecosystem (including a detailed glossary) and the different types of suppliers that operate within it (such as sell side platforms, demand side platforms, data management platforms and consent management platforms).

It also provides a comprehensive introduction to cookies, explains when consent is required, sets out what should be provided in a cookie notice and discusses cookie governance (for example, cookie scans, audits, and cookie management platforms).

It makes it clear that in order to comply with the “accountability” principle under the General Data Protection Regulation (GDPR), in the context of ad-tech, organisations should be implementing “data protection by design and default,” putting contracts in place with data processors, maintaining records of processing, implementing appropriate security measures, carrying out Data Protection Impact Assessments (DPIAs) and adhering to relevant codes of conduct and signing up to certification schemes where possible.

Step 2 – How to use special category data

The ICO raised concerns that special category data is widely used in the RTB context for the targeting of adverts to individuals.
Special category data under the GDPR is personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data where used for identification purposes; health; sex life and sexual orientation.

The Guide states that explicit consent is needed to process this type of data. Organisations need to show how they have captured this higher standard of consent (over and above the usual consent required for non-essential cookies), and the explicit consent must cover all data processing involved – from data capture through to profiling in order to create customer segments. Organisations should carefully consider whether special category data is genuinely needed for RTB, and, if so, a DPIA must be carried out to assess and mitigate the risks.

Step 3 – Understanding the data journey

This section explains how organisations in this space should create a Record of Processing Activity (required under the GDPR) that documents their data processing activities. It also explains the difference between first-party data (information collected directly from an audience or customers) and third-party data (information collected by a third-party organisation that does not have a direct relationship with the individual).
Third-party data is typically processed through data management platforms or other data aggregators that can use the data sets to create audience profiles, which can then be categorised into audience segments for targeting purposes.

It also provides details on the IAB’s Transparency and Consent Framework, which aims to help organisations in the ad-tech industry ensure that they comply with the GDPR and ePrivacy Directive when processing personal data and using cookies or similar technologies.

Step 4 – Conduct a DPIA

The ICO considers that the processing activities involved in RTB are likely to result in a high risk to individuals’ rights and freedoms, and therefore DPIAs should be undertaken before any processing of personal data occurs. It is concerned that many organisations within the RTB ecosystem have not undertaken DPIAs in practice to date.

The Guide states that “it is hard to imagine any marketing activity in the ad-tech space that does not reach the threshold for completion of a Data Protection Impact Assessment” and provides guidance on how to complete DPIAs.

Step 5 – Audit the supply chain

The ICO has stated that there is too much reliance on contractual arrangements in the data supply chain to protect how bid request data is shared, secured and deleted, and considers that this does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.
Further, it is concerned that much of the personal data used within RTB is not audited or investigated in any meaningful manner.

This section of the Guide provides audit checklists and sets out questions that should be asked when negotiating contracts with and when auditing ad-tech suppliers.

It advises that, in the absence of an approved certification scheme from the ICO, alignment with the ISO 27701 (the privacy extension of the ISO 27001) represents good practice for those operating in the ad-tech space.

Step 6 – Assess advertising effectiveness

The ICO has queried whether the large scale data processing activities involved in RTB are necessary to achieve the advertising outcome. This section of the Guide discusses the variety of tools available to help measure advertising/marketing effectiveness, which can in turn help organisations determine how much personal data is required in practice to buy, sell and target advertising effectively.

Step 7 – Alternatives to behavioural advertising

This section provides some suggestions on alternative methods of targeting. In particular, it discusses contextual targeting (whereby adverts on a website are targeted to be relevant to the page’s content), which avoids the use of personal data when creating targeting segments. It also discusses some individual industry initiatives (such as from IAB and Google) that are exploring different ways of targeting in a less intrusive manner.

You can read the Guide here.