Although many companies are currently focusing their privacy efforts on the CCPA, ignoring continued obligations under EU privacy rules such as the General Data Protection Regulation (GDPR)—and the increasing number of enforcement actions demonstrating data protection authorities’ priorities—could prove to be a costly mistake.

The United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), issued an Update report into adtech and real time bidding (20 June 2019) last June. The ICO’s report summarizes its fact-finding efforts related to the advertising technology (adtech) sector, which the ICO identifies as a priority for the office.

In particular, the ICO is interested in real time bidding (RTB), in which a website publisher auctions off space on a website page in real time in order to target advertisements to the particular viewer visiting the site at that moment. Most bid requests contain personal data. In some cases, requests may extend to special categories of personal data under the GDPR, such as information regarding what health conditions an individual has searched for online.

ICO Report States Reliance on Legitimate Interests Is Not Appropriate for Online Ads

As a quick refresher, the GDPR prohibits processing of personal data by default unless the data controller can identify one of six “legal bases” for the processing activity. Many companies initially perceived “legitimate interests”—which require a controller to balance their own interests against the rights and freedoms of the data subjects—as the most flexible option, particularly for advertising.

The ICO’s report, however, strongly states that reliance on legitimate interests is not appropriate for online advertising. The ICO warns that the nature of personal data processing in RTB—which often includes a unique identifier, the user’s IP address, cookie identifiers, user identifiers, a user-agent string identifying the user’s browser and device type, the user’s location, the user’s time zone, the detected language of the user’s system, the user’s device type, and other information relating to the user or to the “audience segmentation” of the user—“makes it impossible to meet the legitimate interests lawful basis requirements” and that the industry did not have a “full understanding of what legitimate interests requires.”

The ICO concluded that many companies involved in online advertising have ignored the requirements of the Privacy and Electronic Communications Regulation (PECR), which is part of the EU’s ePrivacy Directive. Looking to the PECR, which requires data subjects to give prior consent to the use of non-essential cookies, the ICO concluded that consent would generally also be the most (or only) appropriate basis for the processing of personal data via RTB or online advertising under the GDPR.

Separately, the ICO concluded that online advertising participants generally did not fulfill the separate GDPR requirement of transparency. For instance, online advertising participants often do not provide to data subjects the notice required by the GDPR.

Explicit Consent Is Additional Condition for Special Categories

As noted above, the ICO further determined that industry participants are processing information that the GDPR deems to be “special categories” of personal data, including information related to politics, religion, ethnic groups, and both mental and physical health. Under the GDPR, processing special categories of personal data requires both a legal basis for processing and an additional condition.

The ICO has determined that explicit consent is the additional condition required for processing special categories of personal data in these situations. Therefore, the ICO warns, market participants should modify their existing consent mechanisms in order to collect data subjects’ explicit consent. The GDPR does not define “explicit consent,” but regulators view this standard as more stringent than mere consent, which itself requires a clear affirmative act signaling the data subject’s assent to processing special categories of his or her personal data.

Therefore, “explicit consent” is likely to require a clear and express statement of an individual’s wishes. Otherwise, market participants should refrain from processing this data entirely. Moreover, the ICO found that most data processing activities related to RTB required data processing impact assessments (DPIAs).

What is next for the ICO? The report set a grace period of six months for adtech companies to come into compliance with the GDPR. But the report came out in June—and the clock is ticking. The ICO recently issued a second warning. According to Digiday, ICO Head of Technology Policy Ali Shah stated at an industry event in early September that any adtech businesses that believe they have a case for using legitimate interests as a legal basis for RTB should approach the ICO within the next four months. Otherwise, he stated, the ICO would “leverage our full powers of enforcement.” When time runs out, companies could find themselves facing potentially steep financial penalties.

Is Targeted Advertising Even Worth It?

While the ICO examines the legal bases that adtech companies rely on to process personal data for online advertising, a recent academic study questions whether such data even offers significant additional value for publishers.

As reported by TechCrunch in May (prior to the ICO’s first warning), a study titled Online Tracking and Publishers Revenues: An Empirical Analysis found that targeted advertising provided little value added for publishers. The study’s authors concluded from a dataset of millions of display ad transactions that behavioral (or targeted) advertising resulted in only a four percent increase in revenue, or an average of $0.00008 per advertisement, when compared to advertisements that were not targeted.

According to this study, most revenue in the online advertising space does not reach publishers but instead benefits the large advertising companies. Meanwhile, the Guardian reported this summer on forecasts by Zenith that Internet advertising will grow at its slowest rate since 2001.