It is the “Update report into adtech and real-time bidding,” issued on 20 June 2019 by the ICO, the UK’s data protection authority (DPA). (PDF; ICO blog post summary; good Twitter thread highlights with numerous screenshots.) Brief by DPA standards at a mere 25 pages, the report is a surprisingly easy read — unless you’re an adtech player or investor, in which case you might want to accompany it with several stiff drinks, a therapist . . . and a good lawyer. The ICO concludes that RTB as widely practiced — in particular, they highlight the frameworks and guidelines of the IAB (the oxymoronically named Trust and Consent Framework, or TCF) and Google’s Authorized Buyers program, or AB — is “unlawful” under the GDPR in numerous respects.
“The adtech industry,” says the ICO, “appears immature in its understanding of data protection requirements.” That’s a brilliant bit of British barbed understatement. It conveys, for example, that three years after the final text of the GDPR was adopted and published, the industry has failed to institute, or even propose, an appropriate response. Moreover, it suggests — accurately — that prominent adtech players are continuing to act like petulant children, clinging to their beloved toys and games even after they’ve been declared defective and dangerous.
A cynic’s translation of the ICO pronouncement is that the adtech industry — armed with more lobbyists, lawyers, and spin doctors than the military-industrial complex — understands data protection requirements perfectly well . . . and has systematically adopted a strategy of deny, delay, and defend (i.e., appeal DPA findings, as Google has in France).
The IAB’s behavior confirms this suspicion. A few months ago, the industry group vehemently rejected the data privacy criticisms of RTB and its own TCF, calling them “not only false but . . . intentionally damaging to the online advertising industry.” Now that the ICO has acted upon — and largely verified and endorsed — those complaints, the IAB’s press release “welcomes” the report but immediately emphasizes its “misconceptions,” and offers an irrelevant example of published content “falling into sensitive categories” rather than addressing the core issue of processing sensitive personal data.
Guilt by association for many marketers
If you’re not toiling in adtech, there’s still no reason to breathe easy. As noted in my analysis of Google’s €50 million fine, when a DPA points out a non-compliant practice, it means anyone deploying that practice has been put on notice and is de facto in violation of the GDPR, whether or not they are ever actively investigated. In the case of the adtech report, the nine “systemic” issues with RTB include several that are in widespread use on websites and apps of all kinds, including:
- Putting the lie into L.I. — Legitimate interest (LI) has long been the siren song for marketing’s Odysseus, an alternative to consent that seems to avoid those messy interactions with fickle consumers. The ICO first notes that RTB players often unlawfully use legitimate interest when placing cookies, whereas that requires consent. They then add: “Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.” The tests in question are threefold: 1) the “purpose test” consists of identifying a genuinely legitimate business interest (rather than an end you simply desire to pursue); 2) the “necessity test” involves demonstrating that the proposed data processing is necessary to achieve the purpose; 3) the “balance test” requires you to show that your legitimate interest “outweighs” the interests, rights, and freedoms of the data subjects (e.g., consumers). In addition, you are required to clearly inform consumers that you are using LI, and to present a prominent opt-out option.
- Forcing cookies before consent — Common practice with the ubiquitous (and CX-destroying) “cookie consent notices” is to place site cookies when the visitor arrives at the page, then to delete any collected data if consent is not granted. The ICO stresses that only those cookies that are “strictly necessary” for the provision of a service may be placed before acquiring consent — and that what is strictly necessary must be evaluated “from the point of view of the user, not the service provider.” The report states unequivocally that “cookies used for advertising purposes [of any kind, not only RTB] are not ‘strictly necessary’.” That brief sentence blows away the argument that ad-supported sites can justify tracking cookies as “essential.” In short, your choice of a business model does not lessen your data protection obligations.
- Building and augmenting customer profiles — Building and nurturing the richest possible consumer profiles is at the heart of the current era of customer-centric and personalized CX. The ICO report casts this essential practice into doubt. “The creation of these very detailed profiles, which are repeatedly augmented with information about actions that individuals take on the web, is disproportionate, intrusive and unfair in the context of the processing of personal data for the purposes of delivering targeted advertising” (emphasis added). The implication is that detailed profiles are inherently problematic under the GDPR — or at least that the DPAs will subject them to extreme scrutiny. This is all the more reason for marketers to concentrate on demonstrating trustworthiness and building mutually beneficial relationships with genuinely engaged audiences.
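The “forcing cookies before consent” point above is easiest to see in code. This is an added example (not code from the post or from the ICO report): a simulated cookie jar that records whether each non-essential cookie was written before the visitor answered the consent banner, run against the set-then-delete pattern the ICO criticises and against a consent-gated version. Cookie names and their “strictly necessary” classification are assumptions.

```javascript
// Added example, not the post's or the ICO's code. Cookie names/classes are assumptions.
const COOKIE_POLICY = {
  session_id: { strictlyNecessary: true },  // keeps the visitor logged in
  cart:       { strictlyNecessary: true },  // remembers the basket
  ad_id:      { strictlyNecessary: false }, // advertising ID sent in bid requests
  analytics:  { strictlyNecessary: false }, // third-party analytics
};

// Minimal stand-in for document.cookie that also keeps an audit trail.
class CookieJar {
  constructor() { this.cookies = new Map(); this.audit = []; this.consentDecided = false; }
  set(name, value) {
    this.cookies.set(name, value);
    this.audit.push({ name, beforeConsent: !this.consentDecided });
  }
  delete(name) { this.cookies.delete(name); }
  recordConsentDecision() { this.consentDecided = true; }
  // Non-essential cookies that touched the device before any consent decision.
  nonEssentialSetBeforeConsent() {
    return this.audit
      .filter(e => e.beforeConsent && !COOKIE_POLICY[e.name].strictlyNecessary)
      .map(e => e.name);
  }
}

// The pattern the ICO criticises: set everything on page load, delete the advertising
// cookies only on refusal. The audit trail still shows they were placed before consent.
function setThenDeleteOnRefusal(consentGiven) {
  const jar = new CookieJar();
  for (const name of Object.keys(COOKIE_POLICY)) jar.set(name, 'v'); // page load
  jar.recordConsentDecision();                                       // banner answered
  if (!consentGiven) {
    for (const [name, p] of Object.entries(COOKIE_POLICY)) {
      if (!p.strictlyNecessary) jar.delete(name);
    }
  }
  return jar;
}

// The compliant pattern: only strictly necessary cookies before the decision.
function gateOnConsent(consentGiven) {
  const jar = new CookieJar();
  for (const [name, p] of Object.entries(COOKIE_POLICY)) {
    if (p.strictlyNecessary) jar.set(name, 'v');                    // page load
  }
  jar.recordConsentDecision();                                       // banner answered
  for (const [name, p] of Object.entries(COOKIE_POLICY)) {
    if (!p.strictlyNecessary && consentGiven) jar.set(name, 'v');
  }
  return jar;
}
```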
What’s next for RTB? (Or, the Lumascape is burning)
On any fair-minded reading of the report, it is obvious that the practitioners of today’s RTB have no chance of “winning” the battle with the GDPR and the data authorities. A system that involves thousands of organizations engaging in millisecond exchanges of billions of bid requests containing personal data (including “sensitive categories” of data such as race, religion, and sexual orientation) can hardly meet the GDPR requirements for transparency, informed consent, data minimization, and data protection by design. It’s no wonder that Johnny Ryan and others declare that RTB is a “massive and systemic data breach.”
In short, the ICO (which stresses that it is working in concert with other EU DPAs) has neutralized the industry’s “deny” tactics and substantially undermined any future effort to “defend.” They have also prescribed a hard stop on “delay” — namely, the six months between the publication of the report and “a further industry review.” While the ICO will use the time for “targeted engagement with key stakeholders,” it is not intended for ongoing debate and negotiations. “We expect to see change,” says Elizabeth Denham in the commissioner’s foreword to the report. “The rules that protect people’s personal data must be followed” (emphasis added).
The problem, of course, is that so much of the adtech ecosystem is inherently, essentially incapable of following the rules of the GDPR and similar regulations. It is built for data maximization, not minimization. It is based on principles of privacy violation by design. It is engineered to produce and consume very detailed profiles that the DPAs will deem disproportionate and intrusive. As I noted two years ago in an appeal to venture capitalists and other investors: “Take Scott Brinker’s 2017 MarTech supergraphic, comprised of 5,381 solutions. Without radical restructuring of the solution and/or the business model, the GDPR will make it impossible for hundreds if not thousands of those solutions to be deployed vis-à-vis EU residents after 25 May 2018.”
TLDR? Just take a look at the last line of the Wikipedia plot summary for Robert Altman’s “Come Back to the Five and Dime, Jimmy Dean, Jimmy Dean”:
The film ends with shots of the decaying, abandoned five-and-dime store, while the song fades and the wind blows.