In September 2020, the European Data Protection Board (EDPB) released new guidelines on the targeting of social media users (Guidelines) for consultation.

Background

The Guidelines address the privacy risks and legal issues that arise when social media services are used to direct specific messages to users based on particular criteria, such as the users’ perceived interests, preferences and socio-demographic characteristics.

 A typical example of this is when a brand (or ‘advertiser’) advertises their products or services on individuals’ social media platforms. Through programmatic advertising (the automated buying and selling of online advertising) and the process of ‘real-time bidding’ (the automated bidding of display advertising inventory in real-time) in particular, advertisers can place personalised adverts on individuals’ social media platforms (e.g. through content feeds or ‘stories’). This process usually involves processing personal data in bid requests, which can include individuals’ web browsing history, age, gender, location and network connections. Advertisers submit bids to have their adverts placed on individuals’ social media pages based on the perceived likelihood that the individual will be interested. Generally, the more detailed the bid request, the higher the bids are likely to be, so there is more incentive for the parties involved to collect as much personal data as possible through the use of tracking technologies or otherwise. Further, parties within the ad tech ecosystem (such as data brokers) may augment the data collected from the bid request with information from other sources (including offline sources), which they might sell to other stakeholders involved in the targeting process.

The Guidelines split the types of actors involved in the targeting process into four different groups, namely: (1) social media providers; (2) social media users; (3)  targeters (e.g. advertisers); and (4) ‘other actors’ which may be involved (e.g. supply side platforms (SSPs), demand side platforms (DSPs), data management platforms (DMPs), data brokers, ad networks and ad exchanges).

The Guidelines identify the potential risks of targeting for social media users, such as loss of control over personal data, potential discrimination and potential manipulation of individuals (as targeting mechanisms seek to influence individuals’ behaviour and choices).

The Guidelines also seek to clarify the roles, responsibilities and relationships between social media providers and targeters and explain the key data protection requirements and documentation that should be in place.Continue Reading EDPB releases draft guidelines on the targeting of social media users

The Data & Marketing Association and the Incorporated Society of British Advertisers have published a “Seven-Step Ad Tech Guide” (the Guide) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising.

RTB is an automated auction process that allows advertising space to be bought and sold on a per-impression basis. When a user visits a publisher’s property (usually a website or app), this triggers a bid request that usually contains personal data (such as the user’s demographic information, browsing history, location and the page being loaded). The bid request goes from the publisher’s property to an ad exchange. It is then submitted to multiple advertisers who can automatically submit bids to place their adverts on the publisher’s property so that it can be viewed by the user in real time, and the ad impression goes to the highest bidder.

As the provision of targeted, personalised advertising through RTB relies on the use of personal data (particularly as more detailed bid requests are deemed to be more attractive to advertisers), various data protection issues and challenges arise in relation to RTB, which have concerned the UK’s Information Commissioner’s Office (ICO).

The Guide was produced in consultation with the ICO and seeks to address concerns that the ICO identified in its investigation into RTB and the ad-tech industry. The ICO announced in early May that this investigation is currently on hold during the COVID-19 pandemic, but it plans to restart work in the coming months as its concerns about ad-tech remain.
Continue Reading The 7-Step Ad Tech Guide – New guidance issued by industry bodies on programmatic advertising

On 6 March 2019, the Information Commissioner’s Office (ICO) will host a fact-finding forum in central London. The aim of this forum is to facilitate a dialogue between ad-tech stakeholders. The ICO wants to understand the complexities of ad-tech practices.

Why ad-tech?

‘Ad-tech’ is the product of technology’s transformation of the advertising industry. It uses personal data to compile a personal profile, which is then used to decide whether or not to target an individual with a particular advert. Publishers sell advertising spaces by a process of real-time bidding. Ad-tech practices heavily rely on the use of personal data and artificial intelligence.

The ICO is interested in learning more about ad-tech practices for a number of reasons. Firstly, ad-tech falls within the ICO’s priority areas of ‘online tracking’ and ‘artificial intelligence’, identified in the ICO’s Tech Strategy. Secondly, the ICO recognises that while there are benefits arising from ad-tech, there is also a cause for concern, in particular in relation to real-time bidding. Thirdly, the ICO has received complaints about ad-tech firms’ non-compliance with the General Data Protection Regulation (GDPR).

The ICO acknowledges that there are many diverging views on the overlap between ad-tech practices and GDPR-compliant personal data processing.Continue Reading UK regulator to focus on ad-tech

On 12 September 2018, complaints were filed with the UK Information Commissioner’s Office and the Irish Data Protection Commissioner regarding the “wide scale and systemic breaches of the data protection regime” by Google and others in the online advertising industry (the Complaints).

The Complaints

The Complaints were submitted by Brave, an ad blocking web browser, together with the Open Rights Group and Michael Veale, a researcher at University College London. They focus on the real time bidding (RTB) systems used by Google and the wider online advertising industry, which operate to provide personalised advertising on websites.

It is claimed that there are ongoing breaches of applicable data protection laws across the industry. As an example, a wide range of personal data is gathered by the RTB system, far more than is necessary to provide targeted advertisements to individuals browsing the web. It is suggested that the information collected is then provided to a host of third parties for a range of uses that go far beyond those purposes which a data subject can understand, consent to, or object to. According to Brave, “every time a person loads a page on a website that uses programmatic advertising, personal data about them are broadcast to tens – or hundreds – of companies”.Continue Reading Spotlight shone on online advertising as complaints are filed with EU supervisory authorities