IAB UK’s initial response to ICO Report and call to industry to take action

The ICO’s ‘Update report into adtech and real time bidding’ is clear that there are issues that both individual companies and the UK industry collectively need to address in order to meet the standards of the GDPR and ePrivacy legislation.

The report identifies two broad areas of concern in relation to RTB and people’s information rights: processing of ‘special category’ data without the appropriate consent, and data security (i.e. how personal data is controlled and protected when it is shared as part of the RTB process). It also raises concerns about industry knowledge and understanding of the relevant legislative requirements that govern processing of personal data set out in the GDPR and the Privacy and Electronic Communications Regulations (PECR), which regulate the use of cookies and similar technologies for sorting or accessing information on a user’s device.

How IAB UK is responding

IAB UK is working with the ICO, together with IAB Europe, to review how the Transparency and Consent Framework (TCF) can best support companies to comply with the law in the UK. We are also putting in place plans to respond to the other issues identified in the report and will be confirming our plans very shortly about how we intend to work with and support our members to address those.

What you need to do

In the meantime, there are clear messages in the ICO’s report to any company engaged in RTB and we recommend that you take action now to read and understand the ICO’s recommendations and existing guidance, and how they relate to your data processing activities. Specifically this includes:

• Reviewing the legal bases you rely on for data processing, particularly any data that is subject to PECR, and ensure you understand their associated requirements. The ICO’s view is that ‘the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (i.e. processing relating to the placing and reading of the cookie and the onward transfer of the bid request).’ There are limited scenarios where legitimate interest may be available but even in these cases, there are specific tests an organisation must meet in order to use it: ‘Reliance on legitimate interests for marketing activities is possible only if organisations don’t need consent under PECR and are also able to show that their use of personal data is proportionate, has a minimal privacy impact, and individuals would not be surprised or likely to object.’

• Read the ICO’s updated cookie guidance and ensure that your practices are in line with it. They have reiterated some key points about the use of cookies and other similar technologies and how GDPR applies to these. This includes that implied consent is no longer acceptable, and that prior consent is required – given by a user’s ‘clear and positive action’ – for setting and using cookies is required. The exemptions that apply to cookies that are ‘strictly necessary’ do not apply to cookies used for analytics

• Ensure you’ve carried out a Data Protection Impact Assessment (DPIA). Under the GDPR provisions relating to DPIAs, the ICO has published a list of types of data processing for which a DPIA is mandatory. This includes the types of processing involved in RTB, such as profiling on a large scale and tracking geolocation or behaviour.

The ICO has a comprehensive range of guidance on its website and the IAB’s GDPR hub contains industry guidance and resources.

The ICO has given the industry the opportunity to make changes to the way in which it operates in order to address its concerns, and to take action to correct any non-compliance that is a result of a lack of understanding or knowledge about GDPR and ePrivacy. They are, however, also very clear that they will not hesitate to take enforcement action if they do not see companies and the wider industry responding appropriately.

It is in all our interests and essential to building a sustainable future for our industry that we take seriously the conclusions of the ICO’s report and demonstrate that we want to be – and are – operating in line with the law that is designed to protect people’s personal data.

Read the press release here.