The online behavioural advertising industry is illegally profiling internet users.
That’s the damning assessment of the U.K.’s data protection regulator in an update report published today, in which it sets out major concerns about the programmatic advertising process known as real-time bidding (RTB), which makes up a large chunk of online advertising.
In what sounds like a knock-out blow for highly invasive data-driven ads, the Information Commissioner’s Office (ICO) concludes that systematic profiling of web users via invasive tracking technologies such as cookies is in breach of U.K. and pan-EU privacy laws.
“The adtech industry appears immature in its understanding of data protection requirements,” it writes. “Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB.”
As we’ve previously reported, multiple complaints have been filed with European regulators arguing that RTB is in breach of the pan-EU General Data Protection Regulation (GDPR), including the ICO.
The U.K. watchdog has not yet issued a formal legal decision against RTB. But with this report it’s giving the industry a clear signal that practices must change.
Its full list of conclusions is well worth reading — so we’ve pasted it below, along with our own “plainer English” paraphrasing of what’s actually being said (formatted in italics):
1. Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR [Privacy and Electronic Communications Regulations] requires).
The ICO has found that consents for dropping trackers like cookies are not being legally obtained. The law requires obtaining consent before dropping and/or reading from a tracker. This means internet users must be asked for consent before tracking starts happening, and also — at the point they are asked — provided with ”clear and comprehensive information” about what’s intended in order that they can make a free and informed choice about whether they want to consent or not. Whereas what’s happening now is web users are being tracked without being asked if that’s okay and also without the extent and implications of all this mass surveillance being made plain to them.
2. Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals.
Sensitive personal data (such as political views, health information, sexual orientation) is being processed by the behavioural advertising industry — but not legally because, under U.K. and EU law, handling this sort of information requires a higher standard of explicit consent, given there are much greater risks of harms were it to be misused or go astray. The problem is the adtech industry is not asking internet users for explicit consent to make and share these sensitive inferences — likely because if a pop-up asked you to agree to, for example, your political or sexual preferences being broadcast to hundreds of advertisers you’d be sure to click ‘hell no.’ Trying to get around the law by just not asking also isn’t legal.
3. Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.
Here the ICO is doubly crushing the industry’s bogus reliance on claiming what’s known as ‘legitimate interest’ as the legal basis for violating internet users’ personal space and intimacy by spying on them. Even if it were possible to use this basis for this data purpose, the watchdog points out they haven’t even fulfilled the standard for LI — which requires carrying out various assessments and taking steps to secure people’s data. What’s actually happening is RTB does the equivalent of blasting everything it knows about you through a giant global megaphone. So, er, not at all safe then.
4. There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and specifically as regards the ICO’s Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.
The ICO says it believes the adtech industry has also failed to do due diligence on RTB — because it’s found companies haven’t even bothered to carry out data protection impact assessments (DPIAs). That, in turn, suggests they haven’t even tried to get a handle on privacy risks, and therefore are demonstrably not making any effort to try to reduce those risks. Epic fail.
5. Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.
What’s being said here is that privacy polices and consent pop-ups are horribly confusing — which means internet users have little hope of understanding what on earth they’re being asked to agree to. Yet for consent to be legal, people need to understand that. The ICO also specifically calls out industry mechanisms created by the Internet Advertising Bureau and Google for publishers and advertisers to gather consents as falling short of the legal standard. So, again, another major, major fail.
6. The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge.
If you thought internet ads were creepy, here’s the proof: The ICO is saying the behavioural advertising industry’s mass surveillance of web users results in all of us being profiled in crazy detail — and those spy files then being routinely handed off to (at least) hundreds of companies who are involved in the adtech chain every time there’s a programmatic ad transaction. These Stasi-esque dossiers are also being handed over, no strings attached, billions of times per day — so goodness knows where they end up. Still browsing comfortably?
7. Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
Here the watchdog makes it clear that it agrees with the substance of the RTB complaints — i.e. that people’s information is not being lawfully handled because it’s not being properly protected. It also essentially makes the point that these illegal spy files could end up in Timbuktu and you’d be none the wiser.
8. There are similar inconsistencies about the application of data minimisation and retention controls.
If all that wasn’t enough, the ICO is saying the adtech industry is failing on other core legal requirements to collect as little data as possible and to place strict limits on how long it keeps data. Insert your own *unsurprised face.*
9. Individuals have no guarantees about the security of their personal data within the ecosystem.
If it wasn’t already really obvious, the watchdog rams the point home: Basically, behavioural advertising is out of control.
“The processing operations involved in RTB are of a nature likely to result in a high risk to the rights and freedoms of individuals,” it further warns.
The complexity and opacity involved in data-driven advertising also means internet users are hopelessly outgunned as their rights are systematically steamrollered. (Or as the ICO puts it: “The complex nature of the ecosystem means that in our view participants are engaging with it without fully understanding the privacy and ethical issues involved.”)
While you might think such a long laundry list of staggeringly massive rights violations should be more than enough for any watchdog to bring down the hammer and order the illegal practices to cease, the ICO is taking a different tack.
It’s creeping ahead cautiously — saying it wants to gather more data from the industry, perhaps issue another report next year, while also signaling to adtech companies that practices must change.
This is frustratingly contradictory — because the ICO also writes that it doesn’t believe the industry will change without a regulatory smackdown.
“Our work has highlighted the lack of maturity of some market participants, and the ongoing commercial incentives to associate personal data with bid requests. We do not think these issues will be addressed without intervention. We are therefore planning a measured and iterative approach, so that we act decisively and transparently, but also in ways in which we can observe the markets reaction and adapt our approach accordingly,” it says in the report.
“We intend to provide market participants with an appropriate period of time to adjust their practices. After this period, we expect data controllers and market participants to have addressed our concerns.”
The contrast between the view that it’s now putting out there — that massive violations of laws and rights are occurring — and yet more regulatory inaction means it is coming in for some major flak from data protection and privacy experts, who make the salient point that rules don’t exist unless they’re enforced. Nor indeed do rights unless they’re defended and upheld…