Real Time Bidding, AdTech & Data Protection

A GDPR & Data Protection Advisory Note.

Published: 02/03/2020 Last Updated: 02/03/2020

Warning! Dull data protection update below*

  • The ICO thinks the AdTech industry “appears immature” in its understanding of data protection.
  • Thousands of organisations are processing billions of bid requests in the UK each week with inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
  • Individuals have no guarantees about the security of their personal data.

What is Real-Time Bidding?

Real-Time Bidding (RTB) is a set of technologies and practices used in programmatic advertising. It has evolved and grown rapidly in recent years and is underpinned by advertising technology (AdTech), allowing advertisers to compete for available digital advertising space in milliseconds, placing billions of online adverts on webpages and apps in the UK every day by automated means.

In practice, this means that when you visit a website, some of the ads you see have been specifically selected for you. As the site was loading, the website publisher auctioned a space on the page you are viewing, and an advertiser bought it because it specifically wants to reach people like you. The process can involve many companies and happens in milliseconds.

The process relies on the potential advertiser seeing information about you. That information can be as basic as the device you’re using to view the webpage, or where in the country you are. But it can have a more detailed picture, including the websites you’ve visited, what your perceived interests are, even what health condition you’ve been searching for information about.

What are the data protection issues?

From a data protection point of view, RTB carries a number of issues. These include:

  • profiling and automated decision-making;
  • large-scale processing (including of special categories of data);
  • use of innovative technologies;
  • combining and matching data from multiple sources;
  • tracking of geolocation and/or behaviour; and
  • invisible processing.

These make the processing operations involved in RTB of a nature likely to result in a high risk to the rights of individuals. Many of the above factors constitute criteria that make data protection impact assessments (DPIAs) mandatory.

Who are the participants?

RTB involves multiple stakeholders including:

  • Advertisers: organisations that bid in real time to serve ad impressions to webpage visitors. The highest bidder ‘wins’, and their advertisement will be presented on the webpage to the user;
  • Publishers: websites that sell spaces for online adverts;
  • Advertising exchanges: Platforms for comparing the price and quality of impressions, the ‘location’ where the bidding aspect occurs. They serve as mediators and connectors between advertisers and publishers and operate on both the demand;
  • Data Management Platforms (DMPs): These platforms analyse, categorise and collate incoming data from multiple sources (including desktop, mobile web, mobile app, analytics, social media, and offline data), including bid requests, to support the personalised targeting of adverts;
  • Demand Side Platforms (DSPs): DSPs buy inventory (space on websites) based on behavioural, and often personal data. If the impression matches the advertiser’s target audience, then a bid is placed via the DSP;
  • Supply Side Platforms (SSPs): SSPs help publishers manage and sell their advertising inventories; and
  • Consent Management Platforms (CMPs): CMPs are intended to serve as a tool for publishers, for example to enable them to manage user consent, and to facilitate the operation of frameworks such as the IAB Europe’s Transparency and Consent Framework.

What are the key data protection risks?

The following key issues create risks to individuals.

  1. Lawful basis and PECR: In practice, there is often a lack of clarity regarding the appropriate lawful basis for processing, as well as the particular requirements of each basis. For some participants, these are at best not fully understood or at worst ignored. Also, most participants are focused either solely or primarily on GDPR compliance, rather than on the PECR.
  2. Special category data: A proportion of bid requests involve the processing of special category data, either at the point of collection or subsequently. Special category data constitutes the area of greatest potential harm to individuals.
  3. Lack of transparency: Whilst transparency and consent are closely linked in the context of RTB, in data protection terms they are separate concepts. For example, an organisation may meet the consent requirements (freely given, specific, informed, and unambiguous etc) but this does not necessarily mean it is compliant with the information requirements of the GDPR. However, in RTB the privacy information provided often lacks clarity and does not give individuals an appropriate picture of what happens to their data.
  4. The data supply chain: A single RTB request can result in personal data being processed by hundreds of organisations, each with their own privacy policy. Some of these will be in non-EU jurisdictions, meaning that international transfers of personal data are taking place. Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by the other parties. In essence, once data is out of the hands of one party, that party has no way to guarantee that the data will remain subject to appropriate protection and controls.
  5. Data Protection Impact Assessments (DPIAs): DPIAs are tools that organisations can use to identify and minimise the data protection risks of any processing operation. The GDPR specifies several circumstances that require DPIAs; RTB matches a number of those, and participants are therefore legally required to perform DPIAs.

Conclusion

RTB and AdTech are fast developing. The ICO will be paying more and more attention to this sector, which means that those that participate in it must ensure that their businesses understand their data protection obligations and responsibilities.

*We’re not sure if the above is interesting, but it’s definitely not legal advice.
