Good morning. It is a pleasure to be here and to resume the discussion of Adtech and GDPR following a pause during the pandemic. Back in 2019 the ICO identified specific challenges within behavioural advertising, and in particular with Real Time Bidding.
Back in February 2020 the DMA and Isba jointly published our 7 Step Ad Tech Guide to address the privacy challenges of Real Time Bidding identified by the ICO. The guide focussed on demystifying the ecosystem and ensuring brands understood their role and responsibilities. Ultimately it is the brand conducting the advertising who is responsible for balancing their commercial Legitimate Interests in finding new customers with the customer’s right to privacy. This is not a responsibility that can or should be delegated to the supply chain.
GDPR is a principles based regulation so our 7 steps are designed for brands to be accountable for their decisions by knowing what happens in the bidding data chain and helping to identify the risks to privacy and security that clearly exist within the ecosystem. Armed with knowledge a brand can then take informed decisions about mitigating risks, including potentially the decision to find new customers by different means that pose less risk.
Ultimately the objective of the brand is to create relevance for potential customers by only identifying prospects who would genuinely be interested in the products or services on offer. Relevance is welcomed by customers, creates efficiencies for brands, and reduces unwanted communication.
The seven steps are:
Step 1: Education and understanding. It is not possible for brands to accept their responsibilities under GDPR if they do not understand how Adtech works. In many instances the number of layers within the ecosystem has created obscurity in the supply chain. This in itself poses high risk and may cause brands to consider other options: quality companies normally do not accept supply chains that lack transparency.
Step 2: How to Use Special Category Data: The ICO highlighted the importance of treating special category data with care and this section steps you through its definition and usage.
Step 3: Understanding the data journey: a key challenge is being able to track how data is captured and who processes it. This section explains how to complete a Record of Processing Activities as well as introducing the IAB’s Transparency and Consent Framework.
Step 4: Conduct a Data Protection Impact Assessment: the ICO noted the limited use of DPIAs in Ad Tech. This section sets out to explain what it is, when to use it as well as some pointers to what questions to ask.
Step 5: Audit the Supply Chain: the ICO highlighted that you cannot rely on contracts to provide assurance around the use of personal data. This section provides audit checklists and questions you need answered when auditing suppliers.
Step 6: Assess Advertising Effectiveness: This section provides links to reference materials for improving insights into advertising effectiveness to allow for a proportionate approach to using personal data.
Step 7: Alternatives to behavioural advertising:
If a brand goes through the steps comprehensively, especially conducting a robust Data Protection Impact Assessment, they will certainly identify clear risks under GDPR within Ad Tech and will then need to balance those risks against their legitimate interests, and whenever possible to put in place mitigation that protects the individual. If after mitigation the risks are still present then the brand should consider alternatives to behavioural targeting.
For example, in the last few years Contextual Advertising has developed at pace, powered by technological innovation in AI that enables robust classification of content and words. Contextual targeting is a form of advertising that chooses to serve an ad based on the content and environment that the ad will appear in, as opposed to data on the person the ad is being served to. With modern contextual solutions, it might certainly be possible to achieve relevance WITHOUT using personal data.
As a very basic example, if you are selling products for fly fishing you might find potential customers visiting websites such as Angling Direct or Troutcatchers.co.uk and might even do so at an improved Return on Investment, thus mitigating risk while still achieving the legitimate interests of the brand. A growing number of sophisticated adtech companies enable this process to take place at scale, reaching large audiences efficiently, accurately and safely. There is an excellent guide to Harnessing the Power of Contextual Advertising published by Jon’s team at IAB UK.
And of course there are other options too, such as unaddressed mail, newspapers, magazines, TV, Radio and outdoor which have historically proven effective at finding new customers without using personal data.
You’ll have noted that I mentioned Legitimate Interests more than once. I’d like to make a few comments on Legitimate Interest, not specifically in relation to Ad Tech but more generally.
GDPR was the first major update to Data Protection Legislation since 1995/1998 and had two clear purposes: to modernise data protection legislation in view of digital transformation, especially the explosion of data, and to harmonise the approach across Europe by shifting from a Directive to a Regulation. Harmonisation should still be the aim, despite Brexit, to enable companies to trade coherently across Europe.
Since 2018 the aim of harmonisation has been put at severe risk by Data Protection Authorities across Europe who are applying the legislation in radically different ways in each country. With regard to the Data and Marketing sector this manifests itself in two fundamental aspects that threaten customer trust, economic growth and job creation: firstly the legitimate interest grounds for processing and secondly the processing necessary to know customers better in order to serve them better with relevant products and services.
Interpretations of the applicability of LI to normal processing activities vary from the Dutch, who have argued that no commercial activity is a legitimate interest, to Austria and Italy, who have approved Codes of Conduct under GDPR that reflect Legitimate Interest as valid grounds for some activities, especially those that benefit customers. DPAs should apply the law as it is written, which was reinforced in November when a Dutch court ruled comprehensively that commercial interests, including data and marketing, were indeed legitimate interests:
“The fact that the legitimate interest must be viewed through a negative test is also in line with recital 47 of the GDPR, which mentions ‘direct marketing’ as an example of a possible legitimate interest … As the court has already considered in paragraph 17, it is up to the processor of the personal data to establish a legitimate interest … The Data Protection Authority has therefore not interpreted the legitimate interest in an open and flexible manner … In summary, the court comes to the conclusion that the DPA’s assessment in this case is based on a misinterpretation of the concept of ‘legitimate interest’ and is therefore contrary to Article 6 of the GDPR …”
As part of this important opinion the judge quotes from prior CJEU precedents, including Advocate General Bobek’s opinion in the CJEU judgement on Fashion ID. In this case Bobek concludes that the collection and transmission of personal data in order to be able to advertise in the best possible way could also be a legitimate interest.
This is why the text of GDPR, when explaining the Legitimate Interest basis in Recital 47, concludes that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” This has been the precedent established historically by the European Court of Justice, which has now been reaffirmed by the Dutch court in relation to GDPR. We hope therefore that DPAs across Europe will take note and apply GDPR as written to establish consistency across the 27 nations as well as in the UK.