The Information Commissioner's Office (ICO) recently
released its report into real-time bidding and ad technologies.
The UK data regulator's report indicates a number of concerns with data protection practices within real-time bidding on website advertising, particularly due to the “lack of maturity" of market participants. The report indicates that data controllers should adjust their privacy practices to ensure compliance with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR)1 or risk enforcement action.
While the report does not address New Zealand data protection regulation, it does demonstrate the global trend towards enhancing data protection and is an issue to watch at a time where the New Zealand's Privacy Bill is undergoing its second reading.
Introduction to real-time bidding technologies
Real-time bidding involves the buying and selling of advertising inventory on webpages that consumers are accessing in “real time". Essentially, in the time it takes a webpage to load in a user's browser, advertising inventory is bought and sold, usually on an open auction basis. Real-time bidding occurs on a global scale, with millions of online advertisements placed on digital platforms daily.
Real-time bidding works by using information generated from cookies and other data harvesting technologies implemented by websites and other online services to identify likely matches between online audiences and product types. The type of information collected usually relates to user IP address, location, time zone, language, user ID, device type, and search history. Collected information is incorporated by a publisher into a bid request, which is transmitted into a bidding eco-system. Buyers then bid on an impression and the winning bid is instantly displayed on the relevant site or other online service. This process occurs in a matter of milliseconds, often without the user being aware that it is taking place.
Real-time bidding usually involves three key players:
Publishers: organisations that operate online services that collect and disclose information used to inform real-time bidding processes in order to sell space for online advertisements.
Advertisers: organisations that seek to display advertisements via online services to target audiences using real-time bidding processes.
Intermediaries: organisations that provide services to advertisers and publishers to enable the purchase and delivery of advertisements via real-time bidding.
As acknowledged by the ICO, the real-time bidding process can be complex, and may involve a variety of technologies used by market participants. For example, publishers may use supply side platforms to help manage and sell their advertising inventories. Advertisers may use demand side platforms, which automate the purchasing of online advertising on behalf of advertisers. Advertising exchanges might be used by both parties as a platform to facilitate the exchange. This can seriously complicate things from a privacy point of view, as it can sometimes be unclear which organisations are operating, and in which areas.
So, what's the problem?
The ICO is concerned that real-time bidding creates key issues in relation to transparency, the lawfulness of collection, and data security.
Lawfulness of collection: the ICO is concerned there is a lack of clarity by market participants as to whether they have a lawful basis for processing information during the real-time bidding process. The ICO is particularly concerned by the collection and processing of “special category data"2, which is recognised as requiring more protection than other data types in the GDPR. The ICO considers the current consents provided under real-time bidding protocols are non-compliant and that data use on the basis of a “legitimate interest"3 for marketing activities cannot be met due to the nature of real-time bidding technology.
Lack of transparency: the ICO is concerned that organisations cannot always provide the information required to meet the transparency requirements of the GDPR. This is because real-time bidding systems are often complex and opaque, with users not always being aware of who personal data will be shared with (particularly where there are multiple vendors with capabilities to participate in real-time bidding). The ICO also identifies key issues with transparency in relation to the data supply chain, as even where there is documentation underlying real-time bidding technologies and protocols, often this documentation is extensive and technical. Further, some members of real-time bidding technologies are unaware of how they function or how personal data is processed. This means the accountability principle imposed by the GDPR is not being complied with. Finally, the ICO considers the scale of sharing and creation of data profiles is disproportionate, intrusive and unfair (particularly as data subjects are apparently unaware that any data processing is taking place).
Data safety: there are also concerns about data leakage, in that once information has been released by a party for the purposes of real-time bidding, that party no longer has control over the data. The ICO acknowledges that industry wide, contractual controls have been used to provide some guarantees about data use and protection. However, it views controls based in contract alone as insufficient to satisfy the requirements of EU data protection legislation.
Complaints against real-time bidding practices have already been filed with regulators in several jurisdictions, such as the
against Google alleging that its real-time bidding practices breach the safety requirements of the EU data protection regime. Ireland's Data Protection Commission is leading the investigation into Google's practices (which is expected to take many months). Fines for similar conduct have also already been issued in the EU, for example earlier this year
Google was fined €50 million by French data regulator CNIL for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation. The Polish Personal Data Protection Office also fined a digital marketing company (suspected to be Bisnode) approximately €220,000 for failing to comply with the information obligation in Article 14 of the GDPR following data scraping activities.
Moving forward, the ICO intends to consult with key stakeholders to explore the implications of real-time bidding, and will provide market participants time to adjust their practices to address the concerns set out in the report. It is likely that if the ICO's concerns are not appropriately managed, the ICO will undertake enforcement action. Currently, the ICO considers there to be sufficient guidance on legal compliance, however it has indicated that it may, following further investigation, release additional guidance tailored towards real-time bidding practices.
The New Zealand position
Under the Privacy Act 1993, organisations must ensure that (i) individuals are made aware that their personal information is being collected, and (ii) personal information is only used and disclosed in accordance with the purposes for which the information was obtained (unless an exception applies). Organisations must also ensure that any personal information is reasonably secured against loss, unauthorised access, use, modification or disclosure, and against other misuse.
For the reasons identified by the ICO (summarised above) there is a risk that real-time bidding practices also operate in breach of the key obligations imposed by the Privacy Act. In particular, real-time bidding practices may raise issues in relation to the notification obligations, use and disclosure obligations, and security obligations imposed under the Act (depending on how those practices are carried out, and how informed consumers are about each step of the real-time bidding process).
The trend towards increased protection of personal data in real-time bidding practices is likely to have serious implications for New Zealand businesses operating both locally and in overseas jurisdictions. It remains to be seen what the Office of the New Zealand Privacy Commissioner makes of real-time bidding technologies under New Zealand's Privacy Act and the Privacy Bill, which began its second reading in June.
Data protection comparison chart|
European data protection requirements
Article 5(1)(a) of the GDPR requires personal data to be processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency').
Article 5(1)(b) of the GDPR requires personal data to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation').
Article 5(1)(c) of the GDPR requires personal data to be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed ('data minimisation').
Article 5(1)(f) of the GDPR requires personal data to be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Article 5(2) of the GDPR requires organisations to be responsible for, and be able to demonstrate compliance with, the above principles.
Article 6 of the GDPR stipulates data processing will only be lawful in a number of specific circumstances, including where consent has been given, processing is necessary to perform a contract, or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
New Zealand data protection requirements*
Information Privacy Principle 3 of the Privacy Act requires personal information to be collected only where the individual concerned is aware of (inter alia) the fact that the information is being collected, the purpose for which the information is being collected, and the intended recipients of the information.
Information Privacy Principle 4 of the Privacy Act stipulates that personal information must not be collected by unlawful means, or means that are unfair, or intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Information Privacy Principle 5 of the Privacy Act requires personal information to be protected by (reasonable) security safeguards against loss, access, use, modification, disclosure or other misuse.
Information Privacy Principle 10 of the Privacy Act stipulates that personal information only be used for the purpose for which it was obtained.
Information Privacy Principle 11 of the Privacy Act stipulates that personal information must not to be disclosed to another party unless the individual concerned has consented, or otherwise disclosure is one of the purposes in connection with which the information was obtained.
* The Privacy Bill intends to retain the Information Privacy Principles currently set out in the Privacy Act, and the requirements contained therein, subject to minor drafting changes.
If you or your business would like to discuss any of the matters raised in this article, please contact the authors or your usual
Bell Gully advisor.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.