ICO: online ad industry ‘leaving millions at risk of harm’

The online ad industry’s “immature” understanding of data protection is triggering the mass unlawful use of consumer data for real-time bidding systems, leaving millions of users at risk of potential harm.
That is the damning conclusion of a new report by the UK Information Commissioner’s Office into the adtech and real-time bidding industry, which sets out nine “systemic concerns” the regulator has with the level of compliance of RTB, programmatic and behavioural advertising systems.
The report follows confirmation from the Irish Data Protection Commission that it is launching a statutory inquiry into whether Google Ad Exchange is in breach of GDPR.
Official complaints – on behalf of tech start-up Brave, the Open Rights Group and University College London – were lodged in September last year with the aim of triggering an EU-wide investigation. Since then, the trio have presented further evidence to support their case.
Among the issues the ICO has highlighted in its report – published today – is the fact that “the processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires)”.
The ICO also points out that this “processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals”.
It goes on: “If an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards”.
Other concerns include:
– There appears to be a lack of understanding of, and potentially compliance with, the data protection impact assessment requirements of data protection law more broadly (and specifically as regards the ICO’s Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.
– Privacy information provided to individuals lacks clarity whilst also being overly complex. The Transparency & Consent and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.
– The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge.
– Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
– There are similar inconsistencies about the application of data minimisation and retention controls.
– Individuals have no guarantees about the security of their personal data within the ecosystem.
In the report, the ICO says it has two prioritised areas of concern – the processing of special category data without explicit consent and the complexity of the data supply chain – which require further analysis and exploration.
The regulator has vowed to undertake targeted information-gathering activities related to the data supply chain and profiling aspects, the controls in place, and the data protection impact assessments undertaken. This will start next month.
The ICO will also continue targeted engagement with key stakeholders. This autumn, it plans to hold an event, similar to its “Fact-Finding Forum”, to continue dialogue and update stakeholders on developments. It will also continue bilateral engagement with IAB Europe and Google.
In addition, the regulator has said it may undertake a further industry review in six months’ time, although the scope and nature of the exercise will depend on its findings over the forthcoming months.
It concludes: “In the meantime, we expect data controllers in the adtech industry to reevaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem. Following these initial activities, we will continue to focus on both RTB and adtech in general, and may issue a further update report in 2020.”
