Saturday February 13th 2021

In the midst of the COVID-19 crisis last spring, the adtech industry experienced a period of relief as regulators shifted resources away from investigating consumer privacy practices and focused on action to combat pandemics. A spokesman for the UK’s Data Protection Commissioner – the Information Commissioner’s Office (ICO) – made the following statement in May 2020: The ICO recently set out its regulatory approach during the COVID-19 pandemic, in which we talked about reassessing our priorities and resources . With this in mind, we’ve decided to stop our research into real-time bidding and the adtech industry. It is not our intention to apply undue pressure on an industry at this point, but our concerns about adtech remain and we aim to resume our work in the coming months when the time is right.

It now seems that the time is right. Citing concerns about the use of personal information to serve online advertisements through Real Time Bidding (RTB) and whether that practice meets the threshold required by GDPR and related UK data protection and e-marketing laws , the ICO announced on January 22nd. Investigations into the adtech industry and RTB will resume.

What is real-time bidding?

Real-time bidding is a programmatic method of buying digital advertising that allows marketers to purchase ad space over the Internet with greater flexibility. With the auction-based method, marketers can “bid” on advertising space in real time – as fast as in the milliseconds it takes to load and display a website for users – and whoever has the highest bid has the right to place their ad within the given space. In recent years RTB has become a significant part of online advertising, expanding beyond display and video advertising to other formats, including audio advertising and connected television. RTB’s ubiquity in the adtech industry depends largely on the ability of marketers to target specific categories of consumers. This, in turn, is aided by the flow of personal data from controllers to online publishers and other downstream businesses (and the main driver behind those participants’ revenue) leading the complex supply chain to increased risk of data misuse.

Adtech problems under European data protection law

Since the introduction of the GDPR in 2018, the adtech industry and RTB have been the subject of numerous complaints with the ICO as well as with regulators across the European Union, including inquiries about RTB’s behavioral advertising function in Ireland, Belgium, Luxembourg, the Netherlands and Spain. The questions that were specifically examined included whether the RTB’s underlying data processing mechanisms that can send personal data – including potentially sensitive data categories – to third parties in order to generate bids for advertising space can obtain the consent of the data subject and whether they can contain appropriate safety precautions.

In response to complaints filed in the UK, a June 2019 report released by the ICO cast doubts about the legality of certain programmatic advertising practices, including RTB. Among its concerns, the ICO found that participants were inappropriately relying on “legitimate interests” as the lawful basis for processing personal data and providing cookies to obtain such data, rather than on the basis of consent. On the subject of consent, the ICO has claimed that RTB participants process sensitive categories of data such as health data, religious or political affiliation and sexual orientation without the express consent required under Article 9 of the GDPR. With the rapid development of RTB technologies, including the introduction of new capabilities to make automated decisions or serve ads based on biometric data (e.g. facial recognition), there is also concern that attendees have failed to protect privacy Conduct Impact Assessments (DPIAs) to fully assess them and reduce privacy risks.

Although some of the complaints are more than two and a half years old at this point, the ICO warned that it will issue assessment notices to certain companies in the coming months and conduct audits of those companies’ practices regarding the use and disclosure of personal information. This subsequent investigation phase will also investigate another important stakeholder in the adtech ecosystem: data brokers.

The ICO is investigating data brokers

The ICO announcement follows an extensive investigation into how the three credit reporting agencies (Experian, Equifax, and Transunion) use personal data in their data brokerage departments for direct marketing purposes. The multi-year investigation resulted in an enforcement action against Experian requiring the company to inform consumers of the personal information held about them and the use of that information for marketing purposes. The ICO also directed Experian to stop using personal information from its credit reporting agency for direct marketing by January 2021. If Experian fails to implement the changes enforced in the enforcement notice, it faces a fine of £ 20 million, or four percent of its total annual sales.

By their very nature, data brokers have no direct relationships with the consumers whose personal data they process. This makes it difficult, if not impossible, to obtain consent to process personal data from individuals. In order for data brokers to comply with GDPR and UK data protection regulations, this presents particular challenges: the company can use the information received, but has to do so within a well-defined framework. For example, the legitimate interests of the data broker, which may be different from that of the organization that hired them.

This lack of privacy between data brokers and data subjects also limits the transparency that individuals have regarding the processing of information by data brokers, which, the ICO found, is often beyond the public’s reasonable expectations. In conjunction with Experian’s enforcement action, the ICO released a market research report detailing the public’s perception of how data brokers use and share their personal information. For an online audience, nearly nine in ten respondents expect to be notified by a company with which they have no direct relationship with the company’s data and how it is used.

Vermont and California regulate data brokers

Aside from the ICO’s investigation into the credit bureaus (which mostly focused on their offline marketing services), which are at the heart of the data broker’s business model and what makes them attractive to businesses – from commercial to political to nonprofit – is theirs Practice of collecting consumer personal data from different sources and executing that data using machine learning algorithms to create segmented profiles of similar groups of people. This processing of large amounts of data and the use of automated decisions have also led to increased control by the US regulatory authorities.

In 2019, Vermont became the first state to pass law to regulate companies that buy and sell information about consumers without offering services to those consumers. The Vermont Data Brokers Act requires any company that “knowingly collects and sells or licenses to a third party the personal information provided by a consumer with whom the Company has no direct relationship” (1) must register annually with the Vermont Secretary of State. including certain information about consumer opt-out options, buyer credentials, previous data breaches and information about minors, and (2) compliance with minimum standards of data security, e.g. B. Implementation of a written information security program with adequate administrative, technical and physical security measures .1

Vermont law also prohibits any company or individual – not just data brokers – from obtaining brokered personal information in a fraudulent manner or for the purpose of stalking, harassment, discrimination, or fraud.

The second (and currently only) state to enact data broker registration law was – you guessed it – California. Along with the CCPA changes in September 2019, California’s Data Brokerage Act requires, among other things, that data brokers must register on a published directory maintained by the California Attorney General by January 31, every year if the requirements of the ” Data Brokers “meets definition.2 Data brokers are required to provide their contact information, which is published online by the California Attorney General, but do not have the same disclosure requirements as Vermont law requires. Also, because data brokers, by definition, sell personal information under the CCPA, they must provide an opt-out mechanism that allows consumers to instruct the broker to stop such sales and, as required by the CCPA’s “Users treat -activated global privacy controls, such as privacy controls”, . B. a browser plug-in or a data protection setting, a device setting or another mechanism that communicates or signals[s] the consumer’s decision to decline the sale of personal data as an opt-out request.

California law differs from Vermont in that it does not define what a “direct relationship” is. It just says that a relationship can be established in several ways, e.g. B. by visiting a company’s business premises or Internet website, or by interacting positively and intentionally with a company’s online advertisements. In contrast, Vermont Attorney General TJ Donovan has issued guidance on what it means to have a “direct relationship” stating that a company has a direct relationship with past or present customers, customers, subscribers, users, registered users , Employees, contractors, agents, investors and donors.

Over the past year, Hawaii, New York, Rhode Island, and Washington have considered similar bills that require data brokers to register and provide information to consumers on how to opt out of collecting information. With state legislators back to work in 2021, taking consumer protection regulations into account, companies should prepare for further regulatory requirements.

  1. 9 VSA § 2430 ..
  2. Cal. Civ. Code §§ 1798.99.80-1798.99.82