Real time bidding, programmatic advertising and privacy risks
Our vlog this week covers adtech and real-time bidding (RTB).
Real-Time Bidding is a set of technologies and practices used in programmatic advertising that allow advertisers to compete for available digital advertising space in milliseconds, placing billions of online adverts on webpages and apps by automated means.
In a nutshell, our fingerprint generates a lot of data about our activity on the internet. Advertisers collect this data and target us according to it. Website publishers, for their part, auction in real time a space on the page we are viewing, and advertisers then bid for that space in order to display ads we may be interested in.
Does this comply with the GDPR? The ICO has recently published a report on this, aimed at addressing the main challenges that come from the use of RTB.
Most of them are related to transparency and consent:
- identifying a lawful basis for the processing of personal data in RTB remains challenging, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient in respect of data protection law requirements;
- the privacy notices provided to individuals lack clarity and do not give them full visibility of what happens to their data;
- the scale of the creation and sharing of personal data profiles in RTB appears disproportionate, intrusive and unfair, particularly when in many cases data subjects are unaware that this processing is taking place; and
- it is unclear whether RTB participants have fully established what data needs to be processed in order to achieve the intended outcome of targeted advertising to individuals.
- In many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.
RTB carries a number of risks. These include:
- profiling and automated decision-making;
- large-scale processing (including of special categories of data);
- use of innovative technologies;
- combining and matching data from multiple sources;
- tracking of geolocation and/or behaviour; and
- invisible processing.

Beyond these, many individuals have a limited understanding of how the ecosystem processes their personal data.
These issues make the processing operations involved in RTB of a nature likely to result in a high risk to the rights and freedoms of individuals. Many of the above factors constitute criteria that make data protection impact assessments (DPIAs) mandatory.
In our view, and especially considering the new ICO guidance on cookies, controllers should take some actions before the processing begins, such as putting in place a DPIA and gathering consent for RTB. RTB should have a separate explanation and toggle in the pop-up and settings, just as is required for non-essential cookies.