GDPR and smart phone showing UK ICO's probe into adtech and RTB

UK ICO Resumes Investigation Into Adtech Industry, Use of Sensitive Personal Data in RTB Systems Probed

The United Kingdom’s Information Commissioner’s Office (ICO) halted its investigation into the practices of the adtech industry in May due to pandemic complications, but is now taking the matter back up. The central focus is on “real time bidding” (RTB) systems, one of the cornerstones of the targeted advertising industry. ICO is looking into how much sensitive personal data is collected and used by these systems without the consent or awareness of the subject, and the outcome could deal another heavy blow to a data broking industry already reeling from Apple’s new privacy moves and tightening global regulation.

RTB systems scrutinized

RTB is one of the fundamental adtech systems that makes personalized advertising possible. As data subjects browse the web and make use of various apps, data brokers accumulate profiles (often surreptitiously) of their interests and assumed demographic categories. RTB systems let advertisers bid for “just in time” advertising delivered only to those that exhibit the desired demographics and interests.

For the RTB system to work, advertisers must place a standing bid for a particular type of shopper. When an adtech network detects one coming across one of the web pages or mobile apps it is embedded in, it displays the ad and charges the advertiser accordingly. The fundamental problem is that the data subject often has not properly consented to much (if any) of this process, yet protected categories of personal information are being used to make these determinations.

The ICO’s focus is on the requirement of explicit consent to use certain categories of personal data, which initiated under the General Data Protection Regulation (GDPR) but continues under the largely similar Data Protection Act (DPA) post-Brexit. This includes not only the data collection process, but with whom it is shared; adtech companies sometimes make this personal information available to hundreds of advertising partners in a rather indiscriminate way.

The investigation consists of a series of audits of digital market platforms that will roll out over the coming months. ICO has also promised to investigate data broking platforms in a similar manner to its investigations of the three major credit reporting agencies in 2020. There appears to be no fixed schedule and the specific subjects of investigation have not yet been named, but in the interim ICO is referring the adtech companies in this space to guidance it has previously issued on data protection, consent and legitimate interests.

RTB systems are concerning as they often make use of the browsing history and site or app activity of data subjects to determine highly sensitive personal elements that normally require explicit consent to obtain: sexuality, political alignment, religious beliefs and specific GPS location among them. People often unwittingly encounter adtech’s RTB systems during normal browsing of the web or use of free apps; Google’s DoubleClick is embedded on over eight million websites, and AT&T’s AppNexus is used by over 34,000 publishers.

One does not have to have an account with one of these adtech companies to be tracked by them. The primary tracking mechanism is cookies that are passed by any website that is in that particular advertising network, logging details about what visitors view on the site and what they interact with. Sites may also embed snippets of code that perform the same function, the most famous of these being the “Facebook Pixel” present on over 4.7 million websites. RTB systems are supposed to be anonymized; the data subject is identified only by a number that is tied to their browsing habits for the purposes of delivering a relevant ad. However, the data they collect is often so voluminous that unethical data brokers can readily tie real identities to these numbers; an example of this was the tracking of Black Lives Matter protesters last year to include recording their home addresses, information that was presumably shared with government agencies. These monster profiles are also a constant risk for illicit access in a data breach.

Adtech industry under fire in Europe, But ICO slow to act

The adtech industry has been besieged with complaints throughout Europe since the GDPR went into effect, with RTB a special target of consumer ire since 2019. A coordinated group of complaints in various countries that year alleged a “wide-scale and systemic” breach of sensitive personal data under the terms of the GDPR.

Fundamental problem is that the data subject often has not properly consented to much (if any) of the #adtech RTB process. #GDPR #respectdataClick to Post

ICO has not been in a particular hurry to take action against the adtech industry, however. Though the complaints have been flowing since 2018, ICO stalled out a prior investigation late that year (which the complainants, the Open Rights Group among them, intend to take to court due to ICO’s inactivity). It is impossible to determine exactly how serious ICO is about enforcement actions on this go-round, and the general public will likely not know until the final report is issued at some undetermined point in the future.


Senior Correspondent at CPO Magazine