Published on the 27/06/2019 | Written by Heather Wright
UK data protection regulator slams RTB, tells industry…
Data driven online advertising – a mainstay of social media advertising – is illegally profiling internet users according to a scathing assessment of real-time bidding and adtech from the UK Information Commissioner’s Office.
While the ICO’s report doesn’t directly impact the Australian and New Zealand markets, it does likely herald a global trend, with data protection increasingly coming to the fore. Australia’s ACCC is also looking at adtech as part of its Digital Platforms Inquiry – the final report of which is due this week.
The UK data protection regulator says in its report that the adtech industry appears immature in its understanding of data protection requirements.
“While the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB,” the ICO says in its report, which follows a several complaints to European regulators about the RTB system and its potential breaching of the GDPR regulations.
Real time bidding is the process by which website publishers auction a space on webpages consumers are viewing, enabling an advertiser to buy the slot to reach a specific target audience. Billions of online ads are placed on webpages and apps using real-time bidding (RTB) every day.
“While the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB.”
However, the process relies on potential advertisers seeing information about the end consumer, the ICO says. Tracking technologies such as first or third-party cookies and similar offerings are used to collect information about users as they visit sites. The information can then be used in ‘bid requests’ enabling advertiser to bid for the opportunity for their ad to be inserted into a relevant ad space.
“That information can be as basic as the device you’re using to view the webpage, or where in the country you are. But it can have a more detailed picture, including the websites you’ve visited, what your perceived interests are, even what health condition you’ve been searching for information about.”
It’s that use of personal data that sparked the ICO Update Report into Adtech and Real Time Bidding, which says explicit consent is not being gathered and there is a lack of transparency around the process.
The report also suggests adtech companies haven’t carried out due diligence on RTB.
Simon McDougall, executive director for technology policy and innovation at the ICO, said in a recent blog that while RTB is ‘an innovative means of advertisement delivery’, the ICO’s view is that in its current form it presents a number of ‘challenges to good data protection practices’.
“Under data protection law, using people’s sensitive personal data to serve adverts requires their explicit consent, which is not happening right now,” he says.
“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises questions around the security and retention of this data.”
He warned that those operating in the adtech space need to look at what they’re doing now, and assess how personal data is being used.
McDougall says the ICO will be working with the sector over the next six months to ‘give the industry a chance to start making changes based on the conclusions we’ve come to so far’.
The Australian Competition and Consumer Commission’s Digital Platforms Inquiry preliminary report, released last December, flagged concerns about the extent of consumer data collected and used to enable targeted advertising.
It also prompted the ACCC to launch several other investigations into digital platforms, including one relating to whether one platform’s collection of particularly types of data have breached the Australian Consumer Law.
The final report is due this week.
Meanwhile, the UK report is also expected to provide further fuel for US campaigners lobbying for more data privacy scrutiny there, with Digiday reporting that the founder of one US adtech company had noted the analysis was not European, but was instead around the technological framework which is global by design.
California has already rolled out its version of the GDPR, with US Congress discussing whether to implement a federal law.