The UK Information Commissioner’s Office (ICO) halted its investigation into ad tech industry practices in May due to complications from the pandemic, but is now taking up the matter. The central focus is on “real-time bidding” (RTB) systems, one of the cornerstones of the targeted advertising industry. ICO is investigating how much sensitive personal data is collected and used by these systems without the consent or knowledge of the subject, and the result could deal another severe blow to a data brokerage industry that is already reeling from Apple’s new privacy moves. and the tightening of global regulation.
OTR systems examined
RTB is one of the fundamental adtech systems that makes personalized advertising possible. As data subjects browse the web and make use of various applications, data brokers accumulate profiles (often surreptitiously) of their interests and assumed demographic categories. RTB systems allow advertisers to bid on “just-in-time” advertising delivered only to those who exhibit the desired demographics and interests.
In order for the OTR system to work, advertisers must make a permanent offer for a particular type of buyer. When an adtech network detects that you come across one of the web pages or mobile applications in which you are embedded, it displays the ad and charges the advertiser accordingly. The fundamental problem is that the data subject has often not consented to much (if at all) of this process, yet protected categories of personal information are being used to make these determinations.
The ICO’s focus is on the explicit consent requirement to use certain categories of personal data, which was initiated under the General Data Protection Regulation (GDPR) but continues under the very similar Data Protection Act (DPA) after the Brexit. This includes not only the data collection process, but also with whom it is shared; Adtech companies sometimes make this personal information available to hundreds of advertising partners in a fairly indiscriminate manner.
The investigation consists of a series of audits of the digital market platforms that will be deployed over the next few months. ICO has also committed to investigating data brokerage platforms in a similar manner to its investigations of the three major credit reporting agencies in 2020. There appears to be no set timetable and the specific subjects of the investigation have yet to be named, But in the meantime, ICO is referring the adtech companies in this space to the guide it has previously issued on data protection, consent and legitimate interests.
RTB systems are concerning as they often use data subjects’ browsing history and site or app activity to determine highly sensitive personal items that typically require explicit consent to obtain: sexuality, political alignment, religious beliefs and specific GPS location between them. People often come across adtech RTB systems unknowingly during normal web browsing or using free apps; Google’s DoubleClick is integrated into more than eight million websites and more than 34,000 publishers use AT & T’s AppNexus.
You don’t need to have an account with one of these ad tech companies to be tracked by them. The primary tracking mechanism is cookies that pass through any website on that particular ad network, recording details about what visitors see on the site and what they interact with. Sites can also embed code snippets that perform the same function, the most famous being the “Facebook Pixel” found on more than 4.7 million websites. RTB systems are supposed to be anonymous; The interested party is only identified by a number that is linked to their browsing habits in order to provide a relevant name. However, the data they collect is often so voluminous that unethical data brokers can easily link real identities to these numbers; An example of this was the tracking of Black Lives Matter protesters last year to include their home searches, information that was presumably shared with government agencies. These monster profiles are also a constant risk of illicit access in a data breach.
Adtech industry under fire in Europe, but ICO is slow to act
The ad tech industry has been besieged by complaints across Europe since the GDPR went into effect, with RTB being a special target of consumer ire since 2019. A coordinated group of complaints in several countries that year alleged a violation. “large-scale and systemic” personal data under the terms of the GDPR.
The fundamental problem is that the data subject has often not given proper consent to much of the #adtech RTB process (if any). #GDPR #respectdata
However, ICO has not been in much of a rush to take action against the ad tech industry. Although complaints have been flowing since 2018, ICO stopped a previous investigation at the end of that year (which the whistleblowers, including the Open Rights Group, intend to take to court due to ICO’s inactivity). It is impossible to determine exactly how serious the ICO is about compliance actions in this round, and the general public will likely not know until the final report is issued at some indeterminate time in the future.