GDPR threw a significant spanner into the works of digital advertising, which disparate parties with different vested interests have been grappling with now for months. How can organisations provide transparency and collect valid consent when millions of snippets of personal data (including potentially Special Category data) are shared throughout a complex eco-system; a system which users have little understanding of and very little control over?
At the DMA Data Protection 2019 Conference last week, programmatic advertising and real-time bidding (RTB) were firmly in the spotlight. RTB is a process that allows ad spaces on websites to be traded in near real time through an online auction process. This auction process provides personal data, such as device IDs, location and more, to multiple parties to enable them to bid for the ad.
In an impassioned opening speech, the DMA’s Chris Combemale said the data and marketing industry was at a crossroads: “We can be an industry that puts short-term profit above long-term loyalty. An industry that uses data, technology and creative to trick customers into a quick sale. An industry that targets obsessively, as if our customers only want to buy what they have always bought. Or we can be an industry that chooses to create truly engaging customer experiences. An industry that reinforces community values. An industry that builds trust. An industry that earns respect for our talent, our skills and our sense of responsibility.”
For its part, the Information Commissioner’s Office seems to be taking a considered approach and is keen to understand how the eco-system operates and the risks involved. Unlike its French counterpart CNIL, the ICO has not taken any direct action (yet). The ICO is, however, under a degree of pressure to formulate a response to high-profile complaints received from Brave and Privacy International.
Alongside consumer surveys aimed at understanding users’ knowledge of online tracking and the personal data floating around the system, the ICO has been holding bilateral conversations with the key players (media owners, publishers, ad tech companies and so on). The Regulator is holding a Fact-Finding Forum on 6th March, bringing together all the parties involved under one roof with the ambitious aim of getting the industry, as a whole, to agree a potential solution.
The ICO’s Executive Director for Technology Policy and Innovation, Simon McDougall, told the DMA conference there were three key areas of interest:
1) Transparency
2) Lawful Basis
3) Security
Simply put, but complex to address.
Transparency: providing concise, clear, easy-to-understand notices to users is a challenge. Notices can be disruptive and a careful balance has to be struck between clarity, control and a good user experience.
Lawful basis: is the correct lawful basis Consent or can Legitimate Interests be relied on? An issue of much contention and, as Simon McDougall put it, it’s as if the different players are driving on opposite sides of the road.
Security: Last but by no means least, Simon McDougall spelt out the clear problem of how controllers can be confident in such a complex eco-system that personal data is processed securely.
What’s clear is the ICO doesn’t want to take knee-jerk action without understanding the impact. The ICO is keen to stress that it is in everyone’s mutual interest to work this through and find an effective solution.
One person who claims to have the solution is Brave’s Dr Johnny Ryan. A solution that on the face of it seems so easy; if the personal data floating around the eco-system is removed, the risks will evaporate. For example, Dr Ryan says the strings of information shared could be limited to details such as approximate location and a general description of the device.
A solution yes, but one that is unlikely to be palatable to many players who would see their revenue squeezed considerably – the commercial implications could be huge.
Philippa Donn, 4th March 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.