ICO faces legal action, brought by a privacy organisation, over alleged AdTech failings

Privacy campaigners from the Open Rights Group (ORG) announced on Thursday 5 November 2020 that they have filed a legal challenge against UK privacy regulator, the Information Commissioner’s Office (ICO), over its handling of an investigation into how the AdTech industry uses personal data.

Jim Killock of the ORG explained that the challenge was filed after the ICO informed him that the complaint he and Dr Michael Veale lodged in September 2018, which concerned the AdTech industry’s alleged systemic breaches of the GDPR (the Complaint), had been closed in September 2020 without any substantive action being taken.

The ICO’s work within the AdTech space

During its consideration of the Complaint, in June 2019, the ICO published an interim report on its review of the AdTech industry and Real Time Bidding.

The interim report set out the ICO’s concerns about the AdTech industry’s fundamental understanding of privacy requirements and compliance, highlighted the systemic shortfalls, and told the industry that it expected market engagement and a change in practices. Seven months later, in January 2020, the ICO published a blog post summarising its view of the market’s response and expressing its disappointment at the response to its call for engagement to reform the problematic ways in which data is used. The ICO also hinted at enforcement action, which seemingly did not impress the privacy campaigners, who were becoming increasingly frustrated at the ICO’s lack of enforcement over suspected systematic breaches of data protection legislation in the AdTech space.

However, despite the concerns highlighted in the interim report and blog post, the ICO closed the Complaint without any enforcement action. The ICO has also paused any wider enforcement action around Real Time Bidding, citing its intention to reduce undue pressure on industries affected by the coronavirus pandemic. Is this a review of priorities, or simply an acknowledgement of the challenges organisations face in responding to the pandemic?

AdTech in the regulatory spotlight

The Complaint is not the only AdTech-related challenge coming from privacy campaigners. Brave, the web browser company, filed a complaint with the Irish Data Protection Commission against Google alleging that its reuse of personal data breaches the “purpose limitation” principle of the GDPR.

In addition, concerns regarding AdTech are not limited to the UK. Across Europe, regulators are increasingly focusing on the use of cookies and similar technologies for AdTech:

  • The Belgian Data Protection Authority (DPA) is currently investigating the legality of IAB Europe’s Transparency and Consent Framework (TCF). IAB Europe oversees Real Time Bidding standards in the online advertising space and published the TCF, which was adopted by Google (the largest player in the AdTech market) in August 2020 and provides an industry-standard tool for gathering users’ consent for online ad targeting. The DPA’s initial findings are that the TCF is not GDPR compliant, with particular concerns raised around transparency, fairness, accountability and the lawful processing of sensitive data. IAB Europe disputes the preliminary findings and warns that the DPA’s interpretation could have “a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers”.
  • In France, the CNIL announced that cookie compliance is one of its top enforcement priorities for 2020. It also recently updated its guidance on cookies and similar technologies to include recommendations on how to obtain users’ consent to cookies compliantly. The CNIL is currently investigating Criteo (an AdTech intermediary) in respect of alleged violations of GDPR principles including transparency, lawful processing and purpose limitation, as well as additional claims concerning third-party providers setting cookies on publishers’ websites under the French transposition of the ePrivacy Directive and the CNIL’s interpretation of it.
  • The German supervisory authorities issued an “orientation guide for telemedia providers” in March 2019 and, interestingly, accepted that some analytics cookie-related processing may be justified without user consent on the basis of the publisher’s legitimate interests (a view that may not be wholly consistent with the ICO’s approach). Whilst the guidance did not specify which tracking tools may be justified on the basis of legitimate interests, it seems unlikely that this would extend to tools that exchange data with third parties or allow third parties to use the data for their own purposes.

Whilst the statements and guidelines produced by the national regulators tend to differ only in nuances (e.g. the validity period of consent, bundled consent and refusal), together they work towards a consolidated European/UK approach that is then expected to be reflected in the upcoming ePrivacy Regulation.

What should providers do next?

For online service providers in the UK, the advice is to review how you are using data in selling, buying and bidding for advertising space, and to document any decisions so that you can demonstrate your accountability. In practical terms, this means you should:

  1. Check you are obtaining valid consent (and not relying on legitimate interests) for the use of all non-essential cookies (i.e. consent that is clear, informed, specific and opt-in). The ICO’s guidance is that legitimate interests will not be a valid lawful basis for processing personal data in a Real Time Bidding context;
  2. Consider whether you are processing any special category data and whether you have identified the lawful basis on which to do so (note that sending sensitive data may breach some sites’ or publishers’ terms; see point 4 below);
  3. Update your privacy notice to inform users what you are doing with their data and the lawful grounds for doing so;
  4. Review your contracts. Big tech company contracts are notoriously difficult to negotiate, but even so you must be aware of any regulatory and contractual obligations, as well as any data sharing arrangements, that you may have agreed to within such contracts. We have experience in advising publishers, platforms and websites on how Facebook, Google and LinkedIn all impose very specific contractual requirements that link to regulatory requirements (e.g. consent capture, particular wording within privacy notices, etc.) and would be more than happy to help with any review;
  5. Conduct Data Protection Impact Assessments in respect of high-risk processing. Understanding how to conduct a DPIA is becoming more and more important: not only is it mandatory for analytics tracking and AdTech activities, it will also be relevant as the ICO focuses on Privacy by Design (which essentially means considering privacy at the heart of all processing) and for navigating the Children’s Code. In connection with this, we have also seen the Advertising Standards Authority use child avatars (profiles simulating a child’s browsing activity) to identify, consider and in some instances take action against ads that children see online, so DPIAs are crucial to ensuring compliant practice; and
  6. Document, document, document! The ICO wants to see engagement, so document all decisions to create a defensible position.