The ICO Report on Ad Tech and RTB: Takeaways and Next Steps for the Ad Tech Industry

The recent updated report by the UK’s Information Commissioner’s Office (ICO) on advertising technology and real-time bidding (RTB) has gained a lot of attention, for good reason. It deserves a thorough read and careful consideration by all ad tech companies that process personal data of EEA (European Economic Area) residents.

Overall, the ICO’s measured and iterative approach is welcome, as is the open door to industry to continue the dialogue about compliance. These underscore the fact that General Data Protection Regulation (GDPR) guidance and compliance are still evolving. The report comes at a time when practices have already been evolving over the first 12 months since GDPR came into enforcement, and it should be expected to continue evolving—not just due to the ICO report—for at least the next 12 months. 

It is also refreshing to have a regulator issue a detailed and thoughtful perspective that does not represent a strict regulatory conclusion, but rather a midway assessment based on research and discussions thus far. While the tone and stated concerns are at times startling, the report and overall process reflect recognition that this is a “dynamic debate” and that the ICO “look[s] forward to continuing our engagement in this area.” Indeed, this is a call to action for industry to continue making changes to better support compliance with GDPR and UK’s Privacy and Electronic Communications Regulations (PECR), and to actively engage with the ICO and other regulators throughout that process. 

The ICO, on July 3^rd, also published additional guidance on cookies, elaborating on how consent should be approached under the GDPR and PECR. This guidance largely mirrored the conclusions in the recent ICO report but also provided some additional key detail and clarifications highlighted below, including the widely mis-reported declaration that legitimate interest as a legal basis is “dead” under GDPR. 

The NAI is eager to assist member companies in continuing to develop compliance measures, and in engaging the ICO and other Data Protection Authorities, and we will look for opportunities to represent our membership in this debate as it evolves.

Transparency, Consent, Legitimate Interest and the Supply Chain

Beginning with an assessment of the lawful bases for processing personal data and the PECR, the report identifies “…a lack of clarity from a significant number of controllers regarding the appropriate lawful basis for processing, as well as the particular requirements of each basis.”

While the conclusion of the report can be summarized as arguing that industry has more work to do in order to meet many of PECR and GDPR requirements, including transparency, lawful basis (consent and legitimate interest), and accountability, we think there are important details and nuances worth noting.

On transparency, a high-level conclusion from the ICO is that, “in RTB the privacy information provided often lacks clarity and does not give individuals an appropriate picture of what happens to their data.” This is not the first criticism of industry transparency, and it identifies an area where industry has made great strides, but the complexity of RTB poses continued regulatory challenges. Collectively we need to continue working to strike a balance that achieves the “clear and comprehensive information” called for by the regulation, but that also is not overwhelming to consumers.  

The ICO also raises several concerns about processing on the basis of consent, which are also not entirely surprising in most cases.  With respect to the processing of special category data—referring to what is also known as sensitive personal data—the report finds that, “market participants must therefore modify existing consent mechanisms to collect explicit consent, or they should not process this data at all.” While the industry has collectively spent significant resources to develop mechanisms to obtain consent, such as the IAB Europe’s Transparency & Consent Framework (TCF), the TCF is not designed to collect explicit consent nor to establish one’s legal basis for processing special category data.

Additionally, with respect to the requirement for obtaining consent to comply with PECR – the report highlights the rules on the use of cookies and similar technologies in Regulation 6 of PECR, noting that they take precedence over the GDPR, where applicable, highlighting that its guidance “…states that if organisations are required to obtain consent for marketing in accordance with PECR, then in practice consent is the appropriate lawful basis under the GDPR.” One thing the report did not take into account is parties downstream in a bid request that may not be using cookie and similar technologies.The new cookie guidance could serve as an official clarification that PECR always requires consent for the setting of non-essential cookies (such as those used for the purposes of analytics, marketing and advertising). The ICO, however, acknowledges differing opinions on some points, particularly regarding the use of partial cookie walls. 

On legitimate interest, while most initial reactions characterized the report as a complete rejection of legitimate interest (it came across that way to many at first blush), the report is more nuanced. Specifically, the report asserts that legitimate interest cannot be used as a lawful basis for the “main” processing of bid requests (relying on older guidance focused on interest-based advertising). And the ICO does explicitly state that legitimate interest is not a lawful basis that may be used to comply with PECR, which is not a surprise and in-line with guidance from other regulators. However, the report leaves the door open to the notion that legitimate interest could be “applicable elsewhere in the RTB ecosystem,” provided that “organisations take on the extra responsibility for ensuring that the interests, rights and freedoms of individuals are fully considered and protected.” 

The ICO guidance on cookies clarifies that subsequent processing of cookie data may or may not require consent, depending on the “nature, scope, context and purpose(s) of the processing operations themselves,” though certain cases are “highly likely to require consent as its lawful basis.” The guidance notes that use of any other lawful basis to process data after cookie consent has been gained may confuse users, but it also recognizes that it “may be possible,” depending on careful consideration of the specific circumstances. The ICO is careful to not rule out specific circumstances in which legitimate interest or another basis might be used following initial consent for setting cookies. 

Finally, the ICO report expressed concerns regarding security in the data supply chain. Highlighting concerns about “data leakage,” the report states, “there are no guarantees or technical controls about the processing of personal data by other parties, eg retention, security etc.” Though, the TCF v2 specifically provides publishers with the ability to not only approve certain vendors but also to only surface the vendors it has approved—and vendors may only process personal data as communicated by the appropriate signal. 

Compliance Frameworks

The report reflects the ICO’s detailed assessment of the most widely adopted data protection compliance frameworks such as the IAB Europe Transparency and Consent Framework (TCF) and Google’s Authorized Buyers Program, as well as industry technical standards such as the OpenRTB protocol. The TCF remains the only industry-wide standard to address the ICO’s concerns about the ecosystem’s ability to meet the transparency, lawful basis and accountability requirements in the GDPR.  It enables publishers to provide transparency into the vendors they’ve approved to process the data of users visiting their digital properties and pass user choice about vendors and their processing purposes across the third-party ecosystem in a unified manner. Without an industry standard, there is no way for publishers and third parties to “speak the same language” about vendors, whether they’ve been disclosed to users and an individual user’s choice about those vendors. Therefore, it’s not surprising that in assessing the “various ongoing initiatives to change the way the RTB ecosystem operates,” the TCF is not only a central focus, but also specifically identified as one of the examples that “[in] due course . . . may address some or all of the issues that concern us.”  

Both the TCF and implementations of the tool are still evolving and maturing, at least partially based on direction received from the ICO and other regulators. The ability of the 3rd party ecosystem to function effectively and provide competition and choice in the market relies on its success. Therefore, the report shouldn’t change the widely-held conclusion that the digital advertising ecosystem would be well served by market participants continuing to implement and support the TCF Version 2.0. In fact, the flexibility of the TCF is a critical element, allowing different entities to offer differing implementations, but also providing opportunity for the ICO and other regulators to assess differing implementations. 

Conclusions and Next Steps

The ICO has clearly stated its intention to take an iterative approach to guidance, and that the conclusions in this report are not yet final. While the report encourages industry to rely on existing guidance for now, the ICO has left open the possibility of issuance of additional guidance if necessary.

The NAI is pleased that the ICO has committed to review its position again towards the end of the year in order to determine whether it still maintains the same concerns, and “whether further action is required.” Our industry therefore has 6 months to provide feedback into the ongoing RTB assessment process, including steps to be taken to address specific concerns, or discussions about differing perspectives about any current conclusions.  During this time, we welcome the opportunity to engage with the ICO, and we encourage ad tech companies to broadly do the same.