Facebook and Instagram display personalized advertisements based on your actions and preferences, similar to other websites you visit. This has become an integral part of our lives. However, have you ever considered the power of the technologies that enable ad targeting and the legal requirements behind them?
If you are planning to start your own AdTech business, even if it is just a small component on your website with one integration with an ad network, it is crucial to ensure that you do not violate the privacy legislation when processing user data.
Today, we will discuss the top 5 privacy issues in the AdTech industry that, if ignored, can lead to significant fines. But first, let’s provide some context.
In the past decade, advertisers have shifted their focus to mobile marketing strategies, as mobile devices have become the primary platform for content consumption. This shift has led to the popularization of features specific to mobile devices, such as location-based targeting and in-app and in-game advertising. Advertising based on user data has become the new normal, allowing for personalized campaigns that match consumers’ interests and preferences. As a result, despite numerous discussions about privacy violations, consumers now expect personalized advertising content.
Advertisers have responded to these expectations by developing technologies to deliver personalized advertising. They use machine learning and artificial intelligence algorithms to analyze large amounts of data and optimize ad placement. Dynamic advertising content, real-time bidding (RTB), a complex mechanism of simultaneous interaction between different players (Publishers, SSPs, DSPs, DMPs, CMPs, etc.), and programmatic advertising allow them to reach the best target audience and increase brand awareness.
However, the personalized advertising ecosystem relies heavily on the personal data of users, raising questions about data protection and privacy requirements. So, what should businesses take into account to comply with data protection requirements?
Legal basis for processing personal data
In order for users to see personalized ads on mobile applications or websites, real-time bidding (RTB) advertising auctions are conducted. Special platforms process bid requests on behalf of websites or mobile applications that place ads, which contain personal data about the user to whom the ad will be shown.
The information collected for this purpose is extensive and includes: mobile device data such as brand, model, operating system version, and device language; IP address; user ID based on cookies; mobile device, user agent, etc.; information about the website being visited and its subject matter; geographic location and time zone; other user data, including mouse movement style and other behavior on the website, time spent viewing individual pages, etc.
In simple terms, when you request to take part in advertising auctions, the information you provide contains enough details to identify you as an individual. As a result, this falls under the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Therefore, users must give their consent to allow their personal data to be used for advertising purposes, and this consent needs to be explicit, especially when dealing with sensitive data.
That’s right – certain types of sensitive data, like someone’s political beliefs, health status, or racial background, are highly sought after in the advertising industry. For instance, the IAB’s content classification within the TCF framework, which is used by various players in the advertising world to share information, includes hundreds of categories related to sensitive topics. These encompass things like “Hormonal diseases,” “Reproductive health,” “Birth control,” “Food allergies,” and so forth, which can be utilized for creating user profiles.
And recently, the US Federal Trade Commission (FTC) has taken legal action against data broker Kochava Inc. They’re being sued for selling geolocation data obtained from “hundreds of millions of mobile devices.” This data could be used to track people’s movements, including their visits to sensitive places like reproductive health clinics, shelters for domestic violence victims, homeless shelters, and drug rehabilitation centers.
This is the main point being discussed and emphasized in the report from the British supervisory authority ICO: “The protocols used in RTB include data fields that constitute special category data, which requires the explicit consent of the data subject. Furthermore, current practices remain problematic for the processing of personal data in general, even if the special category data were removed. […] One visit to a website, prompting one auction among advertisers, can result in a person’s personal data being seen by hundreds of organisations, in ways that suggest data protection rules have not been sufficiently considered.”
A recent example comes from France, where the CNIL imposed a €3 million fine on mobile game developer VOODOO for breaching Article 82 of the French data protection law. During their investigation, the CNIL found that even when a user opted out of being tracked for advertising purposes, the company still accessed the user’s technical identifier (IDFV) and processed their behavioural information for advertising purposes without their consent. Furthermore, the company provided misleading information regarding user behaviour tracking.
However, it’s important to note that consent is not the only valid basis for processing data. In certain situations, as long as the user’s interests are properly balanced, a legitimate interest can serve as a basis for data processing. In such cases, have you conducted a legitimate interest assessment? And have you documented the results?
Conclusion # 1: if you’re in the business of allowing advertisers to display ads on your platform, you must ensure you have a legitimate legal basis for collecting and processing users’ personal data. This ensures that their data can be processed legally by other parties participating in RTB auctions. To achieve this, you might need to utilize the mechanisms provided by the specialized TCF framework.
Conducting a data protection impact assessment (DPIA)
The Data Protection Impact Assessment (DPIA) procedure, which we’ve previously explained, is outlined in Article 35 of the GDPR. It comes into play when certain characteristics are involved in processing personal data, such as the use of new technologies, specific details, the extent and context of data processing, and the potential for a significant risk to the rights and freedoms of individuals.
From a GDPR perspective, the technology used in RTB auctions encompasses user profiling, handling substantial data volumes (including sensitive information), and the adoption of innovative technologies. Consequently, data processing linked to RTB auctions can, in certain situations, pose the risks highlighted by the European supervisory authority, EDPB, potentially leading to a significant risk to individuals’ rights and freedoms. In line with Article 35(3) of the GDPR, this necessitates the completion of a Data Protection Impact Assessment (DPIA).
Conclusion # 2: before delving into digital advertising trade, it’s essential to determine whether your operations fall within the scope of Article 35 of the GDPR, taking into consideration the recommendations of supervisory authorities. It’s worth noting that registering with IAB TCF might also trigger the need for a DPIA.
Data security and minimization
It is essential to ensure that personal data is kept secure when it comes to advertising integrations. The transfer of personal data without any control over what happens to it could potentially violate Article 5(1)f of the GDPR, which requires that personal data be kept secure and protected from unauthorized access or dissemination.
The UK ISO reminds us that “as bid requests are often not sent to single entities or defined groups of entities, the potential is for these requests to be processed by any organisation using the available protocols, whether or not they are on any vendor list and whether or not they are processing personal data in accordance with the requirements of data protection law. […] Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by other parties, e.g. retention, security etc. In essence, once data is out of the hands of one party, essentially that party has no way to guarantee that the data will remain subject to appropriate protection and controls.”
You could argue that the current situation in the RTB auction technology landscape is influenced by the technology itself. But it’s not a simple yes or no answer. Each company holds the responsibility for managing its own risks, which contributes to creating a secure ecosystem. Here, various GDPR principles, including data minimization, come into play. In other words, the overall security of the AdTech industry relies on the actions of each participant. As previously mentioned, the Belgian regulator, in its case against IAB Europe, pointed out that data processing operations using the OpenRTB protocol fail to meet the fundamental principles of limiting the purpose and minimizing data due to the lack of GDPR-compliant safeguards.
Data minimization stands as a cornerstone of data protection. It’s also an integral part of the privacy by design and by default concept, which encourages organizations to incorporate privacy considerations into their products and services right from the start, rather than treating them as an afterthought. Minimization aligns perfectly with this concept, as collecting less data means encountering fewer risks.
Conclusion # 3: when you’re just entering the market, it’s crucial to pay attention to your service architecture, assess the types of data your company will be handling and their alignment with legal grounds for processing, and establish security measures – both technical and organizational. This proactive approach will help you steer clear of the regulatory authority’s scrutiny.
Roles and proper formalization of contractual relations
As we mentioned earlier, RTB auctions are a complex system involving various players, such as Publishers, SSPs, DSPs, DMPs, CMPs, and others. The roles represented by these acronyms correspond to specific statuses under the GDPR, like controller, joint controller, or processor. Identifying the correct status is essential before commencing operations because it has a significant impact on the company’s responsibilities and restrictions.
In practical terms, the most common roles are those of processors and joint data controllers.
In the case of joint control, Article 26(1) of the GDPR mandates that controllers must establish a clear agreement detailing their respective obligations for GDPR compliance. This includes how they handle the rights of data subjects and their responsibilities for providing information as outlined in Articles 13 and 14 of the GDPR.
By the way, the French regulatory body, CNIL, recently slapped a $40 million fine on the adtech giant Criteo for various GDPR violations. The company employed tracking and data processing methods to create profiles of web users for targeted behavioral advertising. Advertisers paid for these “individual-level customer predictions.” Some of the breaches noted by the regulatory authority included placing targeting cookies without user consent (Article 7(1) of the GDPR), failing to maintain transparency (Articles 12 and 13 of the GDPR), neglecting user rights to access information (Article 15(1) of the GDPR), the right to withdraw consent and delete data (Articles 7(3) and 17(1) of the GDPR), and not adhering to the formalization requirements for relations between joint data controllers (Article 26 of the GDPR).
Conclusion # 4: it’s vital to determine your legal status in the market from the GDPR prospective and ensure that you establish well-defined contractual agreements with your business partners.
Functional realization of user rights
Ensuring that users’ rights, guaranted by the GDPR, are respected in technological mechanisms such as online advertising is crucial. This is primarily manifested in the provision of simple and accessible functional mechanisms for their implementation, such as the right to access their data, the right to rectification, the right to delete data (right to be forgotten), and restrict processing. Consent Management Platforms (CMPs) may be used for this purpose.
It is important to note that all companies that process personal data of EU users must be prepared for the fact that a user may request access to the data held by the company, and it must be fulfilled within the appropriate time frame. Alternatively, the data subject may object to the processing of their personal data for direct marketing purposes, or if the processing is based on legitimate interest. In such cases, the company must ensure that it has the functionality to stop processing the data subject’s data.
Recently, Sephora, one of the top online cosmetics retailers, was fined $1.2 million under the California Consumer Protection Act (CCPA) for failing to notify consumers about the sale of their personal data to third parties for the purpose of creating targeted advertising profiles (to display personalized ads), as well as for failing to process user requests to refuse to consent to the sale of their data.
Conclusion # 5: Ensuring the practical realization of users’ rights is the company’s primary task and responsibility.
If you are not sure that you meet all the requirements of the GDPR, we can help with this ????