The rapid development of the online advertising industry and advances in advertising technology have resulted in automated and nearly instantaneous auctions of ad space on websites and other digital environments. This process, known as “Real Time Bidding” (“RTB”), is currently an area of concern for the United Kingdom Information Commissioner’s Office (“ICO”), which recently published an update report (“Update Report”) criticizing the online advertising industry’s handling of data and concluding that standard industry practices are non-compliant with European Union privacy laws.
How Real Time Bidding Works
Sophisticated RTB can be a complex series of processes and interactions, but at its most basic, it refers to a process by which online advertisers compete for an audience. When a user visits a website or other environment where the owner of that website or environment has designated the placement of an ad, information is collected about the user through tools such as cookies and device fingerprinting. This information is packaged and disclosed to potential bidders with an invitation to bid on the opportunity to serve that user an ad.
The more information about the user that is included with the invitation to bid, the better able the bidders are to target users. If there is sufficient information in the invitation to bid, a potential bidder can use that data to match the user against its own database of individuals, increasing its ability to target ads. In this way, a real time auction market of audiences is created.
The ICO’s Conclusions
The focus of the Update Report is the information that is included in the invitation to bid. In the ICO’s view, information being collected and transmitted through invitations to bid constitutes “personal data” under the European Union’s General Data Protection Regulation (“GDPR”). Information regulated by the GDPR is subject to restrictions on activities such as its collection, recording, use, and dissemination.
In light of the restrictions on processing personal data, the ICO concluded, among other things, the following:
- Under the GDPR, a processor must have a lawful basis for processing personal data. One of these bases, “legitimate business interests”, is relied on by RTB to justify such processing. However, the ICO concluded that the nature of data processing in RTB makes it impossible to meet the “legitimate interests” justification for processing personal data;
- As a result, the only lawful justification for processing that RTB can rely on is explicit consent; however, current industry consent frameworks do not meet the requisite standards for explicit consent, transparency and fair processing; and
- Contract-only approaches to preventing data leakage from invitations to bid are insufficient.
What Comes Next
While the ICO’s Update Report is not binding law, the ICO has explicitly stated that RTB is one of its regulatory priorities and it is likely that the ICO will take further action regarding RTB. While the ICO’s regulatory authority is of course limited to the United Kingdom, it is working with other European privacy regulators on the issue. The ICO’s views, and those of other EU regulators, will influence Canadian regulators’ views as well.
What This Means for Canadian Businesses
In Canada, the Office of the Privacy Commissioner (“OPC”) has yet to publish an opinion on RTB, though it did issue Guidelines on Privacy and Online Behavioural Advertising in 2011, and a policy position on online behavioural advertising in 2015. With the UK and European privacy regulators beginning to act on RTB, it can be expected that the Privacy Commissioner will soon consider how RTB fits, or does not fit, with Canada’s Personal Information Protection and Electronic Documents Act.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.