The Internet Advertising Bureau UK has announced a range of commitments to help advertisers that use real-time bidding meet their data protection obligations amid an investigation by the UK’s data watchdog.
The six actions are launched ahead of an expected update by the Information Commissioner’s Office on its probe into RTB. The ICO heavily criticised the practice in June 2019, warning that sensitive data about internet users may be being broadcast through bid requests without the necessary consent, thereby breaching Europe’s General Data Protection Regulation.
Each of the IAB commitments responds to a key issue that the ICO identified in its latest update report, in which the data watchdog gave companies involved in the RTB supply chain six months to get their houses in order because the adtech industry appears "immature" in its understanding of GDPR compliance.
Regulators such as the ICO are empowered to fine GDPR violators up to €20m (£17.9m) or 4% of the offending company’s annual turnover (whichever is higher).
Through the RTB process, a wide range of data is broadcast to multiple advertisers via an auction that uses this data to serve ads to online users in a fraction of a second.
The IAB, which develops industry standards and provides legal support for the digital advertising industry, has committed to:
- Develop good-practice guidance covering data security, minimisation and retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework policies could be enhanced;
- Carry out a range of actions to be taken on special category data, including education for the industry on restrictions (developed with other trade bodies, particularly on the buy side), and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests;
- Educate its members on the consent requirements of UK online privacy regulations, with reference to the ICO’s current cookie guidance, and promote the use of the TCF for obtaining user consent in a GDPR-compliant way;
- Educate its members on Legitimate Interests Assessment requirements and work with IAB Europe to develop resources to support companies to meet these requirements;
- Educate members on Data Protection Impact Assessment requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry and work with relevant trade bodies as they develop their own DPIA approaches and guidance;
- Provide transparency and fairness of information to consumers.
Simon McDougall, the ICO’s executive director for technology and innovation, said: "Our ‘update report’ documented our concerns with how personal data is processed using RTB and our subsequent engagement work with the adtech industry has largely validated these concerns.
"We’re very pleased with the engagement we’ve had so far and, while we still have a long way to go, we’re optimistic that an industry-led solution is possible. We look forward to continuing our constructive discussions with the IAB and the industry as it implements the proposals made."
However, the IAB has also said it does not believe that including context category fields in bid requests, such as "health" or "religion", necessarily leads to special category data being used.
In the IAB’s full response to the ICO, published last month, it said: "[Context category fields] do not in themselves constitute special category data because, on their own, they do not reveal information about the individual user or concern their health, sex life or sexual orientation.
"Rather, they are derived from categorising the nature of the environment (eg surrounding page content) where the ad impression has become available. The nature of the environment is independent from the user and cannot be attributed to the user by default. Whether the content-based data in a bid request constitutes personal data on the basis that it can identify a person, directly or indirectly, will depend on what other data the company in question holds or has access to."