UK Regulator Calls Out Compliance Failures in Targeted Advertising Industry

The UK regulator for data protection and privacy (the Information Commissioner's Office -- ICO) has published a report on its ongoing investigation into the adtech and real-time bidding (RTB) industries. This is a work in progress, but it is clear that the ICO is not confident that the collection of personal data and subsequent processing of that data by RTB conforms with current legislation.

The ICO is undertaking its investigation in relation to the UK's Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the Data Protection Act 2018 (the UK implementation of GDPR). Nevertheless, it would be reasonable to expect the findings and recommendations to be broadly similar across all EU nations.

Its latest report (PDF) is not yet formal guidance, nor a formal sanction on any part of the industry. The ICO hopes to work with the industry to find a mutually acceptable solution to its concerns -- but it is not at all clear that this will be possible without specific mandates from the regulator.

The RTB industry is that part of the advertising industry that allows advertisers to bid for targeted advertising slots on individual publications. When a user visits a website, RTB combines personal information -- possibly from multiple sources, but especially from tracking cookies and other tracking methods -- to allow relevant ads to be bought and placed on the visited website. This happens in real time so that the visitor does not experience a delay in the web page loading; and it happens billions of times every hour around the globe.

Cookies used to track users are one of the ICO's major concerns. The use of cookies is not illegal. GDPR merely defines the data collected by cookies as personal data. Because it is personal data, GDPR imposes certain requirements (such as transparency, the need for a lawful basis to process the data, and the requirement to keep it secure -- including the GDPR controls over the export of personal data). PECR provides strict controls over how cookies may be used, such as the requirement for clear and comprehensive information about the purposes of any cookie or similar technology that stores information, and the need to obtain prior user consent before use.

The required transparency is a particular concern, and has been empirically found wanting by a separate ICO study. It commissioned Harris Interactive "To understand the public's awareness and perceptions of how online advertising is served to the public based on their personal data, choices and behaviour."

The report (PDF), published in March 2019, found that 63% of the 2,300 participants indicated they found it acceptable that ads funded free content. But after an explanation of how RTB actually works, the figure dropped to 36% -- providing a clear indication that RTB is not currently operating with sufficient transparency.

The ICO also found that some RTB participants rely on the concept of 'legitimate interest' to justify the use of cookies and processing of personal data; however, legitimate interest does not override the need for clear and comprehensive information, and prior user consent. "The only applicable condition is explicit consent," says the ICO. "No other condition can be relied upon and none of the public interest conditions within the DPA 2018 can apply to RTB specifically or online advertising more generally."

It is the size and complexity of the RTB industry that makes the concepts of transparency and consent (not to mention withdrawal of consent) challenging tasks. "Given the complexity and opacity of the RTB ecosystem, organisations cannot always provide the information required, particularly as they sometimes do not know with whom the data will be shared. For example, the vendor list that forms part of IAB Europe's TCF has over 450 organisations, each with separate privacy policies to the online service the user is actually visiting." The ICO wonders about the 'practical use to individuals' of such a list.

However, the complexity of the problem and the confusing nature of the requirement is best stated in this comment from the ICO: "in cases where the processing of personal data by third parties is intended to rely on a consent obtained by a first party, those third parties would need to be named as recipients of the data, and the nature of RTB means that the first party has no means of determining which third parties the data will be shared with. This leads to extensive lists of organisations who the data 'might' be shared with, depending on the specifics of the auction process."

The ICO is clearly not happy with the current state of transparency and consent within the RTB industry (there are other issues, such as uncontrolled export of EU data outside of the EU, and a failure to conduct data protection impact assessments). "The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals' knowledge," comments the ICO.

Nevertheless, the regulator doesn't wish to destroy the industry. Despite the current reservations, "the automated delivery of ad impressions is here to stay." The ICO intends to continue talking to the industry, to other stakeholders and its regulatory colleagues throughout Europe to see if the industry can be brought into compliance without sanctions. That is going to be a hard task.

Related: UK Regulator Issues Advice on 'Consent' Within GDPR 

Related: UK Data Watchdog Fines Leave.EU, Eldon Insurance 

Related: European Government Websites Are Delivering Tracking Cookies to Visitors 

Related: Advanced Malvertising Campaign Exploits Online Advertising Supply Chain

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.