In response to the Information Commissioner’s Office’s (ICO’s) ‘Update report into adtech and real time bidding’, published in June 2019, IAB UK has set out a series of actions designed to help companies engaged in real-time bidding to understand and meet their data protection and privacy compliance obligations in practice.

The ICO’s report summarised the findings of its review of the use of personal data in the real-time bidding process in terms of the relevant provisions of the GDPR and ePrivacy legislation. Following its publication, the regulator announced a six-month period for further industry engagement and for the industry to respond to its findings.

This process has been led by IAB UK and its members, along with IAB Europe and IAB Tech Lab where appropriate. As a result, IAB UK has committed to a series of actions on six key issues raised in the ‘Update report’, to help improve standards of compliance. These are:

Data security
IAB UK will develop good practice guidance covering security, data minimisation and data retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework (TCF) policies could be enhanced to support such good practice.

Special category data
A range of actions will be taken here including developing UK-focused guidance on the Content Taxonomy; education for the industry on special category data restrictions and requirements (developed with other relevant trade bodies, particularly on the buy-side); and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests.

Reliance on legitimate interests for cookies
IAB UK is committed to educating its members on the consent requirements of UK ePrivacy regulations, with reference to the ICO’s current cookie guidance, and promoting the use of the Transparency & Consent Framework (TCF) where appropriate, for obtaining this consent in a compliant way.

Legitimate interests assessments (LIAs)
IAB UK will educate its members on LIA requirements, taking into account the outcomes of a joint (ICO/IAB Europe/IAB UK) review of anonymised example LIAs, and work with IAB Europe to develop resources to support companies to meet these requirements in practice.

Data Protection Impact Assessment (DPIAs)
IAB UK will educate members on DPIA requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry, and work with other relevant trade bodies as they develop their own DPIA approaches and guidance.

Transparency and fairness of information provided to consumers
IAB UK will engage with IAB Europe on the outcomes of ongoing discussions about potential changes to TCF policies with respect to Consent Management Provider user interfaces, and then decide on any further action.
In addition to the actions outlined above, IAB UK has also identified areas where further discussion is needed before a clearer position and consensus can be reached. The ICO, meanwhile, is expected to provide a further update on its position in the coming weeks, once it has reviewed all relevant responses.

Simon McDougall, the ICO’s executive director for technology and innovation, said: “Our ‘Update report’ documented our concerns with how personal data is processed using RTB, and our subsequent engagement work with the adtech industry has largely validated these concerns. We’re very pleased with the engagement we’ve had so far and, while we still have a long way to go, we’re optimistic that an industry-led solution is possible. We look forward to continuing our constructive discussions with the IAB and the industry as it implements the proposals made.”

Christie Dennehy-Neil, IAB UK’s head of policy and regulatory affairs, added: “It’s now critical that we work together with our members to implement change. This needs everyone – advertisers, intermediaries and media owners – to work with us, and to be willing to take action and invest in making changes where necessary.”