The Data & Marketing Association and the Incorporated Society of British Advertisers have published a “Seven-Step Ad Tech Guide” (the Guide) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising.

RTB is an automated auction process that allows advertising space to be bought and sold on a per-impression basis. When a user visits a publisher’s property (usually a website or app), this triggers a bid request that usually contains personal data (such as the user’s demographic information, browsing history, location and the page being loaded). The bid request goes from the publisher’s property to an ad exchange. It is then submitted to multiple advertisers who can automatically submit bids to place their adverts on the publisher’s property so that it can be viewed by the user in real time, and the ad impression goes to the highest bidder.

As the provision of targeted, personalised advertising through RTB relies on the use of personal data (particularly as more detailed bid requests are deemed to be more attractive to advertisers), various data protection issues and challenges arise in relation to RTB, which have concerned the UK’s Information Commissioner’s Office (ICO).

The Guide was produced in consultation with the ICO and seeks to address concerns that the ICO identified in its investigation into RTB and the ad-tech industry. The ICO announced in early May that this investigation is currently on hold during the COVID-19 pandemic, but it plans to restart work in the coming months as its concerns about ad-tech remain.

The Guide sets out seven steps that businesses engaged in the programmatic delivery of digital advertising should take to ensure that they adhere to legal requirements and demonstrate their understanding of the ICO’s concerns:

Step 1Education and understanding

This section of the Guide provides a description of the complex ad-tech ecosystem (including a detailed glossary) and the different types of suppliers that operate within it (such as sell side platforms, demand side platforms, data management platforms and consent management platforms).

It also provides a comprehensive introduction to cookies, explains when consent is required, sets out what should be provided in a cookie notice and discusses cookie governance (for example, cookie scans, audits, and cookie management platforms).

It makes it clear that in order to comply with the “accountability” principle under the General Data Protection Regulation (GDPR), in the context of ad-tech, organisations should be implementing “data protection by design and default,” putting contracts in place with data processors, maintaining records of processing, implementing appropriate security measures, carrying out Data Protection Impact Assessments (DPIAs) and adhering to relevant codes of conduct and signing up to certification schemes where possible.

Step 2 – How to use special category data

The ICO raised concerns that special category data is widely used in the RTB context for the targeting of adverts to individuals. Special category data under the GDPR is personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data where used for identification purposes; health; sex life and sexual orientation.

The Guide states that explicit consent is needed to process this type of data. Organisations need to show how they have captured this higher standard of consent (over and above the usual consent required for non-essential cookies), and the explicit consent must cover all data processing involved – from data capture through to profiling in order to create customer segments. Organisations should carefully consider whether special category data is genuinely needed for RTB, and, if so, a DPIA must be carried out to assess and mitigate the risks.

Step 3 – Understanding the data journey

 This section explains how organisations in this space should create a Record of Processing Activity (required under the GDPR) that documents their data processing activities. It also explains the difference between first-party data (information collected directly from an audience or customers) and third-party data (information collected by a third-party organisation that does not have a direct relationship with the individual). Third-party data is typically processed through data management platforms or other data aggregators that can use the data sets to create audience profiles, which can then be categorised into audience segments for targeting purposes.

It also provides details on the IAB’s Transparency and Consent Framework, which aims to help organisations in the ad-tech industry ensure that they comply with the GDPR and ePrivacy Directive when processing personal data and using cookies or similar technologies.

Step 4 – Conduct a DPIA

 The ICO considers that the processing activities involved in RTB are likely to result in a high risk to individuals’ rights and freedoms, and therefore DPIAs should be undertaken before any processing of personal data occurs. It is concerned that many organisations within the RTB ecosystem have not undertaken DPIAs in practice to date.

 The Guide states that “it is hard to imagine any marketing activity in the ad-tech space that does not reach the threshold for completion of a Data Protection Impact Assessment” and provides guidance on how to complete DPIAs.

Step 5 – Audit the supply chain

The ICO has stated that there is too much reliance on contractual arrangements in the data supply chain to protect how bid request data is shared, secured and deleted, and considers that this does not seem appropriate given the type of personal data sharing and the number of intermediaries involved. Further,it is concerned that much of the personal data used within RTB is not audited or investigated in any meaningful manner.

This section of the Guide provides audit checklists and sets out questions that should be asked when negotiating contracts with and when auditing ad-tech suppliers.

It advises that, in the absence of an approved certification scheme from the ICO, alignment with the ISO 27701 (the privacy extension of the ISO 27001) represents good practice for those operating in the ad-tech space.

Step 6 – Assess advertising effectiveness

 The ICO has queried whether the large scale data processing activities involved in RTB are necessary to achieve the advertising outcome. This section of the Guide discusses the variety of tools available to help measure advertising/marketing effectiveness, which can in turn help organisations determine how much personal data is required in practice to buy, sell and target advertising effectively.

Step 7 – Alternatives to behavioural advertising

This section provides some suggestions on alternative methods of targeting. In particular, it discusses contextual targeting (whereby adverts on a website are targeted to be relevant to the page’s content), which avoids the use of personal data when creating targeting segments. It also discusses some individual industry initiatives (such as from IAB and Google) that are exploring different ways of targeting in a less intrusive manner.

You can read the Guide here.