The ICO Triple Hit: RTB Ultimatum, Cookie Usage and Record GDPR Fines

Over the last month, the Information Commissioner’s Office (ICO) has announced a trio of measures set to raise the hackles of ad tech.

Firstly, the authority released its ‘Update Report Into Ad Tech and Real Time Bidding’, which raised questions on the legality of RTB, the fundamental bidding process underpinning the programmatic industry. Subsequently, the body published updated guidelines on the use of cookies, clarifying previously subjective aspects of GDPR, whilst bringing the use of cookie walls into further doubt. Finally, the ICO intends to impose record fines totalling £282.63m on just two companies, British Airways and Marriott International, indicating that DPAs across Europe are set to ramp up the severity of fines imposed for GDPR breaches.

ExchangeWire delves into each of these developments in turn, as well as getting opinion from industry and legal professionals, to determine what effect the ICO’s new-found momentum will have on the ad tech industry.

RTB ultimatum: six months to change

In June, the ICO released its Update Report Into Ad Tech and Real Time Bidding, calling into question the very protocol which underpins the programmatic industry. In the report’s summary, the body states that the ICO has “systemic concerns around the level of compliance of RTB”, with the main focus centring on the use of special-category data, the lawful basis of consent, and the lack of transparency across the programmatic ecosystem.

The report also strongly suggests that all participants in the programmatic chain be subject to data protection impact assessments (DPIAs), as RTB involves the profiling of individuals on a large scale, the use of new technologies, and the tracking of user behaviour. It highlights that several organisations are not currently fulfilling this legal obligation, thus calling into question whether the ad tech industry is fully aware of the data management risks associated with RTB.

Supporting consumer trust and minimising the risks of spending through RTB, whilst continuing to allow personalisation, is deemed a difficult, yet necessary, balance. Niki Stoker, COO of A Million Ads, comments: "Providing a personalised experience for consumers is vital to a brand's success in this ever-growing competitive market. However, ensuring that brands do this in a way which adheres to the privacy rules is also equally important. Consumers are often confused about how their data is processed online, so improving the supply chain process to make this clearer for each party involved will be a major benefit for the ad tech world. There is a huge element of trust that is required from consumers to consent to their data being shared, therefore more clarity on how this data is processed and where it will be used is extremely beneficial."

While the report does not specify any legally binding action at this stage, it does propose a follow-up report in six months to assess whether the ad tech industry has taken sufficient steps to mitigate these concerns. Nor are any guarantees given over how heavy-handed the ICO will be in its potential actions, given that the report states: “The scope and nature of such an exercise will depend on our findings over the forthcoming months… In the meantime, we expect data controllers in the adtech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem.”

There is debate as to whether the use of non-personally identifiable information in simple tags, as in RTB, should fall under the same level of scrutiny as breaches, whereby personal and sensitive details are stolen by hackers intending to use the data for nefarious purposes. However, the strength of the language used by the ICO in the report suggests that the use of data without full consent, according to its interpretation of GDPR, is set to be punished with a similar degree of heavy-handedness. Mark Bembridge, CEO of Smartology, supports this theory: “Given the use of data in Real Time Buying (RTB) and the fact that the ICO has reacted with such large fines for data breaches by BA and Marriott, RTB and programmatic players who are still using personal data without consent should be worried.

“If we don’t confront the issues of data, trust and privacy head on and ensure we have a model that is fit for purpose, then the future viability of our industry will be at stake.”

PECR x GDPR: updated guidelines on cookie usage

One could be forgiven for thinking that the ad tech industry of today is simply a collection of passionate biscuit enthusiasts, or the spawn of a certain bright blue Sesame Street character, given the amount of emphasis in the last few months that has been placed on cookies. Though on the cards for years, GDPR, along with restrictions on the use of third-party cookies from the vast majority of the major internet browsers, has already inspired ad tech providers to examine alternative solutions.

However, GDPR is a subjective piece of legislation, and the use of cookies is in fact governed by the Privacy and Electronic Communications Regulations (PECR), meaning that several grey areas have emerged in terms of consent management. To address this, the ICO has released an updated set of guidelines clarifying which aspects of cookie management are governed by GDPR, and what steps firms need to take to ensure that they are gaining clear and positive consent from users.

Ad tech providers who have erred on the side of caution are likely to already be compliant with the updated guidelines, including the need to offer users complete control over the use of non-essential cookies, with no opportunity for imposing bias through pre-ticked boxes or sliders. However, the updated guidelines cast serious aspersions on the use of blanket approaches such as cookie walls, which deny users access to the site unless they agree to the use of analytics cookies on the page.
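The consent rules the guidance describes (non-essential cookies off until the user actively opts in, no pre-ticked boxes, and a cookie wall as a red flag) can be expressed directly in a site's cookie-setting logic. The following is an added example written for this article, not code from ExchangeWire, the ICO, or any vendor named here; the category names, the cookie catalogue and the shape of the consent record are assumptions for illustration.

```javascript
// Added example (not from the article or the ICO guidance): a minimal model of
// consent-gated cookie setting. Category names, cookie names and the consent
// record shape are assumptions chosen for illustration.

// Cookies the site would like to set, labelled by category. "necessary" covers
// strictly necessary cookies (session, CSRF token), which PECR exempts from the
// consent requirement; every other category needs an explicit opt-in.
const COOKIE_CATALOGUE = [
  { name: 'sessionid', category: 'necessary',   value: 'abc123',  maxAge: 3600,     httpOnly: true },
  { name: 'csrftoken', category: 'necessary',   value: 'tok456',  maxAge: 3600,     httpOnly: true },
  { name: '_ga',       category: 'analytics',   value: 'GA1.2.1', maxAge: 63072000, httpOnly: false },
  { name: 'adid',      category: 'advertising', value: 'u-789',   maxAge: 31536000, httpOnly: false },
];

const NON_ESSENTIAL = ['analytics', 'advertising'];

// A fresh visitor has made no choice, so every non-essential category is false.
// This is the "no pre-ticked boxes" rule expressed as data: the default record
// never grants anything.
function defaultConsent() {
  return {
    decided: false,
    categories: Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])),
  };
}

// Record an explicit choice. Only a literal `true` counts as opt-in; a missing,
// undefined or "truthy" string value stays false, because the absence of a
// tick is not consent.
function recordChoice(choices) {
  const consent = defaultConsent();
  consent.decided = true;
  for (const c of NON_ESSENTIAL) {
    consent.categories[c] = choices[c] === true;
  }
  return consent;
}

// Withdrawing consent must be as easy as giving it: reset to the defaults.
function withdrawConsent() {
  return defaultConsent();
}

// Strictly necessary cookies are always allowed; everything else requires a
// recorded decision that granted the category. Continuing to browse (no
// decision) is treated as no consent.
function isAllowed(category, consent) {
  if (category === 'necessary') return true;
  if (!consent || !consent.decided) return false;
  return consent.categories[category] === true;
}

function allowedCookies(consent, catalogue = COOKIE_CATALOGUE) {
  return catalogue.filter((c) => isAllowed(c.category, consent));
}

// Produce Set-Cookie header values only for cookies the consent record permits.
function setCookieHeaders(consent, catalogue = COOKIE_CATALOGUE) {
  return allowedCookies(consent, catalogue).map((c) => {
    const flags = ['Path=/', 'Secure', 'SameSite=Lax', `Max-Age=${c.maxAge}`];
    if (c.httpOnly) flags.push('HttpOnly');
    return `${c.name}=${c.value}; ${flags.join('; ')}`;
  });
}

// Audit a banner definition against the points the guidance raises: pre-ticked
// non-essential options, a wall that blocks the page until "accept", and the
// lack of a reject-all control that is as prominent as accept.
function auditBanner(banner) {
  const problems = [];
  for (const opt of banner.options) {
    if (opt.category !== 'necessary' && opt.checked) {
      problems.push(`option '${opt.category}' is pre-ticked`);
    }
  }
  if (banner.blocksAccessUntilAccept) problems.push('banner is a cookie wall');
  if (!banner.hasRejectAll) problems.push('no reject-all control');
  return problems;
}
```

In a real site the consent record would be persisted (itself as a strictly necessary cookie or in local storage) and re-read on every response before any analytics or advertising tag is loaded; the point of the model is that the gate defaults closed and only a literal, recorded opt-in opens it.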

In a critical response to the updated guidelines, Fiona Salman, MD UK, 1PlusX, told ExchangeWire: “The new cookie guidance seems to require upfront consumer consent for ad targeting or personalisation. This will reduce already limited publisher digital ad revenues, hinder innovation and negatively impact the user experience. Consumers want and expect a user experience personalised to them. Businesses need to combine their understanding of users’ interests with context to deliver that personalisation.

“Requiring an upfront opt-in on personalisation is far too heavy-handed. Consumers should be offered the opportunity to try a personalised experience on their first visit to every website, and then at some point after the trial, be required to ask for consent. This way consumers can remain in full control of their data, and businesses can innovate on delivering excellent personalised services.”

Record GDPR fines: concerns raised on consistency

Highlighting the potential penalties facing ad tech firms in breach of GDPR, on 8th July the ICO announced that it plans to fine British Airways a record £183.39m for a 2018 data breach which affected an estimated 500,000 customers. The fine eclipses the €50m (£45m) fine imposed on Google by the French DPA (CNIL) in January this year, and is also the largest fine relative to the maximum permitted penalty, at roughly 37% of the maximum allowed under GDPR rules.

Less than 24 hours after this fine was announced, the ICO made it two massive fines in two days with the announcement that it intends to fine Marriott International £99.2m, relating to a 2014 breach at the Starwood hotels group, which Marriott acquired in 2016, that affected approximately 30 million guests in Europe and 339 million worldwide. In both cases it was noted that the companies informed the ICO of the breach, as stipulated by GDPR, as well as making “improvements to security arrangements since these events came to light”. However, this seemingly did little to mitigate the penalty imposed upon either company.

GDPR fines table: Fines applied to Knuddels, Google, Taxa4x35 and Bisnode, plus proposed penalties for British Airways and Marriott International, for GDPR violations. Revenue figures calculated using publicly available investor reports and estimates from Owler.com. Maximum possible fine is defined as either €20m (£17.6m) or 4% of annual revenue, whichever is greater, as stipulated in GDPR.

Donning one’s tin-foil hat of cynicism once more, it could be interpreted that the ICO is ‘making hay while the sun is shining’, in the sense that it will not be able to levy such hefty fines once Brexit has taken place, as a result of a reduced jurisdiction and limitations to its investigatory powers. If this were the case, UK government pressure may be responsible, as any funds raised from GDPR fines are given directly to the Treasury, although the ICO has previously examined ring-fencing a certain proportion of the funds to cover legal costs. Reports that the ICO is examining at least 12 other firms for similar breaches will not help quell this opinion. It will therefore be interesting to note whether the DPAs of other member states impose similarly large fines on other companies, and within a similar timescale.

Regardless of any ulterior motive, these fines should not be viewed from simply a UK or European perspective, given the global nature of the industry and increasing scrutiny on privacy developing in other regions. Divya Gupta, partner at Dorsey & Whitney LLP, says: “With several states in the United States jumping on the privacy bandwagon set into motion by GDPR, especially in California with the passage of the California Consumer Privacy Act, global companies should bolster their compliance teams now in an effort to mitigate future penalties or even lawsuits.

“While personal data, especially de-identified, is helpful for advertisers and marketers in the ad tech space, the enforcement of laws like GDPR will mean that some companies may need to strategically alter their current approach to using and collecting this data. The benefit to these companies will not only be to ensure they are protecting this private information from loss, damage or theft, but also be to avoid steep penalties and further legal risk.”

The high severity of the fines also raises concerns regarding the consistency of penalties applied under the ‘one-stop-shop’ system employed by European DPAs in investigating breaches of GDPR. In November last year, chat app Knuddels was fined just €20,000 (£17,960) for a breach which affected 330,000 customers, allowing hackers to read users’ private messages. ExchangeWire previously determined that this fine equates to 0.1% of the maximum allowed penalty, compared to approximately 37% in the British Airways case. At the time, LfDI, the DPA involved in setting the fine, praised Knuddels, and more importantly reduced the fine it imposed, for informing the body about the breach and for making improvements to its security architecture, neither of which seems to have been accounted for in the ICO’s actions against BA or Marriott.

It is unquestionable that the implementation of GDPR was necessary, and that changes needed to be made from the perspective of both small companies and major enterprises to ensure people’s rights and their personal data are protected. Likewise, it is right that companies which violate the regulations are punished to the full extent, and the breaches affecting both BA and Marriott certainly warrant this. However, inconsistent interpretation of the laws, in turn leading to punishments which differ wildly in their severity, risks undermining the entire process.