23 Jan Advertising technology: a short introduction to the relationship between adtech, privacy and data protection

Want to learn more about adtech? Watch Paolo Balboni’s Advertising technology: legal compliance requirements to fully exploit adtech in your marketing strategies webinar here.

The nearly unlimited opportunities of present-day technologies grouped under the umbrella of adtech – including online behavioural advertising and programmatic advertising (in particular, through real time bidding) – also pose legal compliance challenges for businesses looking to take advantage of the latest advertising trends.

What are the primary legal compliance considerations in order to understand and successfully mitigate legal risks relating to advertising technologies and take full advantage of their potential?

Let’s commence by briefly defining adtech and the relevant main players. Adtech was born from the necessity for companies to target the most relevant advertising spaces for their customer base and the market.  As defined by the United Kingdom’s  Information Commissioner’s Office

(ICO), adtech is the “term used to describe tools that analyse and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions. It covers the end-to-end lifecycle of the advertising delivery process, which often involves engaging third parties for one or more aspects of these services, although some advertising is still placed directly between advertisers and publishers.”[1]

In order for advertisers to understand the relevance of different potential ad space purchases, they must first analyse the information they have on their customers and potential customers, potentially by way of Data Management Platforms (DMPs), and play to the conclusions drawn from such analytics. Data Management Platforms categorize, collate and analyse, assisting in targeted advertising and allowing companies to create clusters of customers, and potential customers, based on the information held on them, and target marketing campaigns to clusters where they will be most effective. The information involved may include location data, purchasing history, browsing behaviour, or other relevant data.

It is here where two other major players come into the picture: Demand Side Platforms (DSPs) and Supply Side Platforms (SSPs). DSPs are used by advertisers to establish criteria for the ad space they want to buy (and the price they offer) and publishers use SSPs to announce their space availabilities and set prices. When the two meet and there is a match, ad space will be automatically bid on and purchased/sold.

In short, adtech allows advertisers to find new audiences at an incredibly fast pace while at the same time increasing the measurability of advertising campaigns, all while reducing associated costs.  This allows publishers to increase revenues by reaching more potential buyers of the ad spaces they sell and therefore increasing the value of such spaces, generating value.

Real time bidding and online behavioural advertising

Real time bidding (RTB) is a kind of programmatic advertising. The Interactive Advertising Bureau (IAB) defines programmatic as, “machine based buying and selling of digital media including auction based methods like RTB and private marketplaces as well as the automation of direct sales, sometimes called programmatic direct.”[2]  While surfing the internet, you have most likely noted advertisements that seem to be specifically for you.  This may be the result of a real time bidding system, whereby an advertiser purchased ad space from a publisher to reach individuals sharing your characteristics (or, in some cases, to target you, as an individual user, directly).

Online behavioural advertising is the technique of using information collected about the behaviour of individuals online in order to show advertisements to them believed to be relevant to their preferences and interests. Relevant tools used for these purposes include tracking technologies, such as cookies, web beacons and tracking pixels, which allow companies to gain information on individuals users’ activities, sometimes also without their knowledge and/or without offering users the ability to limit or prevent such occurrence.

Where do privacy and data protection come in?

Programmatic and online behavioural advertising raise a number of ethical issues and legal concerns related to privacy and the protection of personal data. Specifically, we can think of questions related to fair, lawful, and transparent data processing, profiling and automated decision-making, consent, and the need for a legal basis, among others, implicating both the GDPR, the ePrivacy Directive and the forthcoming ePrivacy Regulation.

According to Article 4(4) GDPR, profiling “means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”  Both profiling and automated decision-making (where decisions are made without the involvement of humans and therefore by automated means) are increasingly used  thanks to advances in technology and form an integral part of adtech. While such processing can generate material benefits, it also poses significant risks to the rights and freedoms of individuals.

In the European legislative context, data subjects have the right to be informed as to the existence of automated decision-making or profiling, the logic involved, the significance of the processing, and the foreseeable consequences for them.[3] Individuals are furthermore entitled to ask for human intervention from the data controller regarding any fully automated decisions, express their points of view as to the decisions and challenge them, presenting a significant challenge in the adtech environment where it is both difficult to collect consent and to make individuals aware of the profiles created about them.

With respect to consent, in late 2018, the French Data Protection Authority (CNIL), pronounced an highly relevant decision[4] for our present analysis, in which it determined that Vectaury, a startup company acting as an ad network provider of sorts, had failed to demonstrate that valid consent for the collection and use of data it used for targeted advertising purposes had been obtained, and had not complied with the principle of transparency with respect to the purposes of the data processing. In this case in particular, one of the issues detected was that Vectaury relied on consent collected by third parties (such as publishers of mobile apps) in order to gain access to and further process mobile app user data – while it had entered into agreements with publishers to try to ensure that they collected consent properly, the CNIL did not consider this to be enough to demonstrate that valid consent had been obtained by Vectaury.

Consent is one of the six lawful bases on which personal data may be processed (Article 6 of the GDPR) and its crucial role is highlighted by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The requirements for consent under the GDPR are not considered to be an additional obligation but rather preconditions for lawful processing.  When the processing of personal data is carried out for several purposes, each purpose should be separated, and consent should be obtained for each of them (unless another legal basis applies). The consent needs to be specific, as stated in Article 6(1)(a) of the GDPR, which confirms that the consent of the data subject must be given in relation to “one or more specific purposes”.  Specific consent, however, can only be obtained when data subjects are specifically informed about the intended purposes of the data used concerning them, which in adtech proves rather difficult.

Lack of transparency is in fact a principle concern in this area, but remedies to bring adtech into compliance with the GDPR and ePrivacy are being developed by the industry. An example of this is the IAB’s Transparency and Consent Framework 2.0 intended “for publishers, technology vendors, agencies and advertisers to clearly and consistently communicate with end users about how their data is being used, while also providing an opportunity for users to object.”[5]  Until a more effective solution is found,  the integration of privacy by design into advertising technologies may allow for more effective ways to achieve compliance with the fundamental data protection principles as they are established in Article 5 of the GDPR.  Privacy by design could, for example, prove beneficial specifically with respect to consent, as well as regards data minimization and retention – considering, in particular, that to the extent possible, sensitive data should not be processed and data should not be kept for longer than necessary.

To receive a copy of the ICTLC Guidelines on how to improve compliance in the adtech environment, write to Paolo Balboni – ICT Legal Consulting Founding Partner. 

[1] See the ICO’s Update report into adtech and real time bidding, available here: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf

[2] See the IAB Programmatic Revenue Report, p. 7, available here: https://www.iab.com/wp-content/uploads/2015/07/PwC_IAB_Programmatic_Study.pdf

[3] Note that the Article 29 Working Party, in its Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (available here: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053), states that targeted advertising based on profiling can be considered as having a “legal or similarly significant effect” on individuals, in certain cases. This depends, for example, on the intrusiveness of the profiling process (particularly where users are tracked across different websites, devices and services) and on the way that adverts are delivered, among other factors.

[4] CNIL’s Vectuary decision, 20 October 2018, available at: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2

[5] See IAB Europe & IAB Tech Lab release updated Transparency & Consent Framework of 20 August 2019, available at: https://iabeurope.eu/press-releases/iab-europe-iab-tech-lab-release-updated-transparency-consent-framework/