UK regulator says real-time bidding violates GDPR
A recent report (.pdf) from the UK Information Commissioner’s Office (ICO) addresses the question of whether real-time bidding (RTB) is compatible with Europe’s General Data Protection Regulation (GDPR). For RTB as currently constituted and operated, the regulator’s answer seems to be “no.”
Report puts the industry on notice. ICO says that it published the report “to provide a progress update on one of our regulatory priorities. It isn’t guidance, and it isn’t a formal outcome representing a legally-binding decision. The report represents our views and findings at this point in time, and may contribute to future guidance…”
On the whole, the ICO report echoes many of the previously stated criticisms of RTB leveled by Johnny Ryan, chief policy and industry relations officer at Brave. He has argued that RTB “broadcasts personal data without security in hundreds of billions of bid requests every day” and violates GDPR in the way it captures and circulates personal data without appropriate consent and other required controls.
Problems with consent and transparency. ICO concludes, among other things, that there are “systemic problems, including insufficient consent, transparency and overbroad collection of data within the RTB supply chain.” Here are a few representative observations and conclusions from the report:
- The current processing of special category (highly sensitive) and non-special category data “is taking place unlawfully at the point of collection.” (i.e., insufficient consent)
- There’s a general lack of understanding and proper use of data protection impact assessments (DPIAs) — a sort of environmental impact report about data required under GDPR when there is large scale processing of certain data types.
- Privacy and related data disclosures to individuals “lack clarity” and are “overly complex.”
- Data profiles created for RTB “are extremely detailed and are repeatedly shared [with multiple parties] without the individuals’ knowledge.”
- Individuals have no guarantees about the security of their personal data within the ecosystem.
In the report, ICO acknowledges “various ongoing [industry and other] initiatives to change the way the RTB ecosystem operates . . . However, we have not seen compelling evidence that any of these initiatives are fully mature, would sufficiently address our concerns in their current state, or that the current market would adopt such measures voluntarily.”
Why we should care. This is an official regulatory body saying, for the first time, that the way RTB currently operates violates GDPR. That’s pretty damning. However, ICO also appears to be taking a self-conscious, go-slow approach. The regulator says that it’s mindful of the economic “vulnerability of many smaller UK publishers, which make it advisable for us to move carefully and observe the consequences of our actions.” In other words, it doesn’t want to declare the system illegal and pull the economic rug out from under numerous small online publishers that depend on it.
The ICO’s opinions have no legal weight in the U.S. market. However, the regulator’s position will influence others in Europe (there is also an Irish RTB-GDPR investigation under way). That, in turn, could influence American regulators and legislators. Indeed, many of GDPR’s concepts and provisions were an influence on CCPA and have made their way into other legislative discussions and policy debates around data privacy.