Behavioural advertising is out of control, warns UK watchdog

The online behavioural advertising industry is illegally profiling Internet users.
That's the damning assessment of the UK's data protection regulator in an update report published today, in which it sets out major concerns about the programmatic advertising process known as real-time bidding (RTB), which makes up a large chunk of online advertising.
In what sounds like a knock-out blow for highly invasive data-driven ads, the Information Commissioner's Office (ICO) concludes that systematic profiling of web users via invasive tracking technologies such as cookies is in breach of UK and pan-EU privacy laws.
"The adtech industry appears immature in its understanding of data protection requirements," it writes. "Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB."
As we've previously reported, multiple complaints have been filed with European regulators, including the ICO, arguing that RTB is in breach of the pan-EU General Data Protection Regulation (GDPR).
The UK watchdog has not yet issued a formal legal decision against RTB. But with this report it's giving the industry a clear signal that practices must change.
Its full list of conclusions is well worth reading, so we've pasted it below, along with our own plainer English paraphrasing of what's actually being said (formatted in italics):
1. Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR [Privacy and Electronic Communications Regulations] requires).
The ICO has found that consents for dropping trackers like cookies are not being legally obtained. The law requires obtaining consent before dropping and/or reading from a tracker. This means Internet users must be asked for consent before tracking starts happening, and also, at the point they are asked, be provided with clear and comprehensive information about what's intended so that they can make a free and informed choice about whether they want to consent or not. Whereas what's happening now is that web users are being tracked without being asked if that's okay, and also without the extent and implications of all this mass surveillance being made plain to them.
2. Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals.
Sensitive personal data (such as political views, health information, sexual orientation) is being processed by the behavioural advertising industry, but not legally, because under UK and EU law handling this sort of information requires a higher standard of explicit consent, given there are much greater risks of harms were it to be misused or go astray. The problem is the adtech industry is not asking Internet users for explicit consent to make and share these sensitive inferences, likely because if a pop-up asked you to agree to, for example, your political or sexual preferences being broadcast to hundreds of advertisers you'd be sure to click "hell no". Trying to get around the law by just not asking also isn't legal.
3. Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.
Here the ICO is doubly crushing the industry's bogus reliance on claiming what's known as "legitimate interest" as the legal basis for violating Internet users' personal space and intimacy by spying on them. Even if it were possible to use this basis for this data purpose, the watchdog points out they haven't even fulfilled the standard for LI, which requires carrying out various assessments and taking steps to secure people's data. What's actually happening is RTB does the equivalent of blasting everything it knows about you through a giant global megaphone. So, er, not at all safe then.
4. There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and specifically as regards the ICO's Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.
The ICO says it believes the adtech industry has also failed to do due diligence on RTB because it's found companies haven't even bothered to carry out data protection impact assessments (DPIAs). That in turn suggests they haven't even tried to get a handle on privacy risks, and therefore are demonstrably not making any effort to try to reduce those risks. Epic fail.
5. Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.
What's being said here is that privacy policies and consent pop-ups are horribly confusing, which means Internet users have little hope of understanding what on earth they're being asked to agree to. Yet for consent to be legal people need to understand that. The ICO also specifically calls out industry mechanisms created by the Internet Advertising Bureau and Google for publishers and advertisers to gather consents as falling short of the legal standard. So, again, another major, major fail.
6. The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals' knowledge.
If you thought Internet ads were creepy, here's the proof: The ICO is saying the behavioural advertising industry's mass surveillance of web users results in all of us being profiled in crazy detail and those spy files then being routinely handed off to (at least) hundreds of companies who are involved in the adtech chain every time there's a programmatic ad transaction. These Stasi-esque dossiers are also being handed over, no strings attached, billions of times per day, so goodness knows where they end up. Still browsing comfortably?
7. Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
Here the watchdog makes it clear that it agrees with the substance of the RTB complaints, i.e. that people's information is not being lawfully handled because it's not being properly protected. It also essentially makes the point that these illegal spy files could end up in Timbuktu and you'd be none the wiser.
8. There are similar inconsistencies about the application of data minimisation and retention controls.
If all that wasn't enough, the ICO is saying the adtech industry is failing on other core legal requirements: to collect as little data as possible and to place strict limits on how long it keeps data for. Insert your own *unsurprised face*.
9. Individuals have no guarantees about the security of their personal data within the ecosystem.
If it wasn't already really obvious, the watchdog rams the point home: Basically behavioural advertising is out of control.
"The processing operations involved in RTB are of a nature likely to result in a high risk to the rights and freedoms of individuals," it further warns.
The complexity and opacity involved in data-driven advertising also means Internet users are hopelessly outgunned as their rights are systematically steamrollered. (Or as the ICO puts it: "The complex nature of the ecosystem means that in our view participants are engaging with it without fully understanding the privacy and ethical issues involved.")
While you might think such a long laundry list of staggeringly massive rights violations should be more than enough for any watchdog to bring down the hammer and order the illegal practices to cease, the ICO is taking a different tack.
It's creeping ahead cautiously, saying it wants to gather more data from the industry, perhaps issue another report next year, while also signalling to adtech companies that practices must change.
This is frustratingly contradictory because the ICO also writes that it doesn't believe the industry will change without a regulatory smack down.
"Our work has highlighted the lack of maturity of some market participants, and the ongoing commercial incentives to associate personal data with bid requests. We do not think these issues will be addressed without intervention. We are therefore planning a measured and iterative approach, so that we act decisively and transparently, but also in ways in which we can observe the market's reaction and adapt our approach accordingly," it says in the report.
"We intend to provide market participants with an appropriate period of time to adjust their practices. After this period, we expect data controllers and market participants to have addressed our concerns."
The contrast between the view it's now putting out there (that massive violations of laws and rights are occurring) and yet more regulatory inaction means it is coming in for some major flak from data protection and privacy experts, who make the salient point that rules don't exist unless they're enforced. Nor indeed do rights unless they're defended and upheld.

However, we need action. The next steps in this report need to be much more firm. AdTech is illegal in its current form: letting it continue undermines the GDPR in all sectors.
Michael Veale (@mikarv) June 20, 2019