In July the Information Commissioner's Office releas​ed its re​port into real-time bidding and ad technologies.

The Information Commissioner's Office (ICO) recently released its report into real-time bidding and ad technologies.

The UK data regulator's report indicates a number of concerns with data protection practices within real-time bidding on website advertising, particularly due to the “lack of maturity" of market participants. The report indicates that data controllers should adjust their privacy practices to ensure compliance with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR)1 or risk enforcement action.

While the report does not address New Zealand data protection regulation, it does demonstrate the global trend towards enhancing data protection and is an issue to watch at a time where the New Zealand's Privacy Bill is undergoing its second reading.

Introduction to real-time bidding technologies

Real-time bidding involves the buying and selling of advertising inventory on webpages that consumers are accessing in “real time". Essentially, in the time it takes a webpage to load in a user's browser, advertising inventory is bought and sold, usually on an open auction basis. Real-time bidding occurs on a global scale, with millions of online advertisements placed on digital platforms daily.

Real-time bidding works by using information generated from cookies and other data harvesting technologies implemented by websites and other online services to identify likely matches between online audiences and product types. The type of information collected usually relates to user IP address, location, time zone, language, user ID, device type, and search history. Collected information is incorporated by a publisher into a bid request, which is transmitted into a bidding eco-system. Buyers then bid on an impression and the winning bid is instantly displayed on the relevant site or other online service. This process occurs in a matter of milliseconds, often without the user being aware that it is taking place.

Real-time bidding usually involves three key players:

  1. Publishers: organisations that operate online services that collect and disclose information used to inform real-time bidding processes in order to sell space for online advertisements.
  2. Advertisers: organisations that seek to display advertisements via online services to target audiences using real-time bidding processes.
  3. Intermediaries: organisations that provide services to advertisers and publishers to enable the purchase and delivery of advertisements via real-time bidding.

As acknowledged by the ICO, the real-time bidding process can be complex, and may involve a variety of technologies used by market participants. For example, publishers may use supply side platforms to help manage and sell their advertising inventories. Advertisers may use demand side platforms, which automate the purchasing of online advertising on behalf of advertisers. Advertising exchanges might be used by both parties as a platform to facilitate the exchange. This can seriously complicate things from a privacy point of view, as it can sometimes be unclear which organisations are operating, and in which areas.

So, what's the problem?

The ICO is concerned that real-time bidding creates key issues in relation to transparency, the lawfulness of collection, and data security.

  • Lawfulness of collection: the ICO is concerned there is a lack of clarity by market participants as to whether they have a lawful basis for processing information during the real-time bidding process. The ICO is particularly concerned by the collection and processing of “special category data"2, which is recognised as requiring more protection than other data types in the GDPR. The ICO considers the current consents provided under real-time bidding protocols are non-compliant and that data use on the basis of a “legitimate interest"3 for marketing activities cannot be met due to the nature of real-time bidding technology.
  • Lack of transparency: the ICO is concerned that organisations cannot always provide the information required to meet the transparency requirements of the GDPR. This is because real-time bidding systems are often complex and opaque, with users not always being aware of who personal data will be shared with (particularly where there are multiple vendors with capabilities to participate in real-time bidding). The ICO also identifies key issues with transparency in relation to the data supply chain, as even where there is documentation underlying real-time bidding technologies and protocols, often this documentation is extensive and technical. Further, some members of real-time bidding technologies are unaware of how they function or how personal data is processed. This means the accountability principle imposed by the GDPR is not being complied with. Finally, the ICO considers the scale of sharing and creation of data profiles is disproportionate, intrusive and unfair (particularly as data subjects are apparently unaware that any data processing is taking place).
  • Data safety: there are also concerns about data leakage, in that once information has been released by a party for the purposes of real-time bidding, that party no longer has control over the data. The ICO acknowledges that industry wide, contractual controls have been used to provide some guarantees about data use and protection. However, it views controls based in contract alone as insufficient to satisfy the requirements of EU data protection legislation.

Enforcement action

Complaints against real-time bidding practices have already been filed with regulators in several jurisdictions, such as the complaints against Google alleging that its real-time bidding practices breach the safety requirements of the EU data protection regime. Ireland's Data Protection Commission is leading the investigation into Google's practices (which is expected to take many months). Fines for similar conduct have also already been issued in the EU, for example earlier this year Google was fined €50 million by French data regulator CNIL for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation. The Polish Personal Data Protection Office also fined a digital marketing company (suspected to be Bisnode) approximately €220,000 for failing to comply with the information obligation in Article 14 of the GDPR following data scraping activities.

Moving forward, the ICO intends to consult with key stakeholders to explore the implications of real-time bidding, and will provide market participants time to adjust their practices to address the concerns set out in the report. It is likely that if the ICO's concerns are not appropriately managed, the ICO will undertake enforcement action. Currently, the ICO considers there to be sufficient guidance on legal compliance, however it has indicated that it may, following further investigation, release additional guidance tailored towards real-time bidding practices.

The New Zealand position

Under the Privacy Act 1993, organisations must ensure that (i) individuals are made aware that their personal information is being collected, and (ii) personal information is only used and disclosed in accordance with the purposes for which the information was obtained (unless an exception applies). Organisations must also ensure that any personal information is reasonably secured against loss, unauthorised access, use, modification or disclosure, and against other misuse.

For the reasons identified by the ICO (summarised above) there is a risk that real-time bidding practices also operate in breach of the key obligations imposed by the Privacy Act. In particular, real-time bidding practices may raise issues in relation to the notification obligations, use and disclosure obligations, and security obligations imposed under the Act (depending on how those practices are carried out, and how informed consumers are about each step of the real-time bidding process).

The trend towards increased protection of personal data in real-time bidding practices is likely to have serious implications for New Zealand businesses operating both locally and in overseas jurisdictions. It remains to be seen what the Office of the New Zealand Privacy Commissioner makes of real-time bidding technologies under New Zealand's Privacy Act and the Privacy Bill, which began its second reading in June.

More from Bell Gully