The UK’s Information Commissioner’s Office (ICO) suspended its investigation into adtech industry practices in May due to pandemic complications but is now resuming the matter. The focus is on Real Time Bidding (RTB) systems, one of the cornerstones of the targeted advertising industry. The ICO is investigating how much sensitive personal data these systems collect and use without the consent or knowledge of the data subject. The result could deal another major blow to a data broker industry already hit by Apple’s new privacy measures and the tightening of global regulations.

RTB systems checked

RTB is one of the basic adtech systems that enable personalized advertising. When data subjects surf the Internet and use different apps, data brokers collect profiles (often secretly) of their interests and assumed demographic categories. RTB systems allow advertisers to bid for “just-in-time” advertising that is only delivered to those who have the desired demographics and interests.

For the RTB system to work, advertisers must submit a standing bid for a specific type of buyer. When an adtech network detects that such a buyer has come across one of the web pages or mobile apps it is embedded in, the ad is displayed and the advertiser is charged accordingly. The fundamental problem is that the data subject has often not properly consented to much (if any) of this process, yet protected categories of personal data are used to make these determinations.

The ICO’s focus is on the requirement of express consent for the use of certain categories of personal data, which was introduced under the General Data Protection Regulation (GDPR) but will continue after Brexit under the largely similar Data Protection Act. This covers not only the data collection process, but also who the data is shared with. Adtech companies sometimes provide this personal information to hundreds of advertising partners in an indiscriminate manner.

The investigation consists of a series of audits of digital market platforms that will be carried out in the coming months. The ICO has also promised to study data brokerage platforms in a similar way to its 2020 investigation of the three major credit bureaus. There does not appear to be a set timetable and the specific subjects of investigation have not yet been identified; for now, however, the ICO is referring adtech companies to the guidance it previously issued on data protection, consent and legitimate interests.

RTB systems are of concern because they often use data subjects’ browsing history and website or app activity to infer highly sensitive personal attributes that typically require explicit consent: sexuality, political orientation, religious beliefs, and specific GPS location among them. People often unintentionally come across adtech’s RTB systems while browsing the Internet or using free apps. Google’s DoubleClick is embedded in over eight million websites, and AT&T’s AppNexus is used by over 34,000 publishers.

You don’t have to have an account with any of these adtech companies to be tracked by them. The primary tracking mechanism is cookies, which are shared by every website on a particular advertising network and which log details about what visitors view on the website and what they interact with. Websites can also embed code snippets that perform the same function. The best known of these is the “Facebook pixel”, which is present on over 4.7 million websites. RTB systems are supposed to be anonymized: the data subject is identified only by a number that is linked to their surfing habits in order to deliver a relevant advertisement. However, the data collected is often so extensive that unethical data brokers can easily link real identities to these numbers. An example of this was the persecution of Black Lives Matter protesters last year, including the recording of their home addresses, information believed to have been leaked to government agencies. These enormous profiles are also at constant risk of illegal access in the event of a data breach.

Adtech industry in Europe under attack, but ICO is slow to respond

The adtech industry has been besieged with complaints across Europe since the GDPR came into force, with RTB being a particular target of consumer anger since 2019. A coordinated group of complaints in different countries this year alleged a “widespread and systemic” breach of sensitive personal data under the provisions of the GDPR.

However, the ICO was in no great rush to crack down on the adtech industry. Although the complaints have been flowing since 2018, the ICO closed a prior investigation late this year; complainants, including the Open Rights Group, are planning to take the ICO to court over its inactivity. It is impossible to pinpoint exactly how serious the ICO is about enforcement action this round, and the public is unlikely to know until the final report is released at some point in the future.