ICO Issues Opinion on Data Protection and Privacy Expectations for Online Advertising Proposals

On 25 November 2021, the UK Information Commissioner’s Office (“ICO”) published an Opinion on Data Protection and Privacy Expectations for Online Advertising Proposals (“Opinion”). The Opinion emphasizes several data protection concerns relating to behavioural advertising and sets out overarching expectations that companies must meet to safeguard people’s privacy online when developing new advertising technologies (“adtech”).

  1. Background

The Opinion forms part of the ICO’s broader work on adtech and real-time bidding. In 2019, the ICO listed a number of privacy concerns relating to the behavioural advertising industry in its Update report into adtech and real time bidding (“2019 Report”). Since then, the industry has been developing initiatives to address the compliance issues raised. According to the Opinion, these initiatives are not yet sufficiently mature to assess in detail, which presents an opportunity for the industry to incorporate privacy safeguards into their development. The Opinion aims to provide guidance to companies introducing new methods of adtech, while calling upon them to demonstrate data protection compliance.

  2. New adtech developments

The ICO identifies several key developments taking place in the industry that reflect a general trend towards less intrusive tracking and profiling practices:

  • The phasing out and replacing of third-party cookies. The Opinion focuses on Google’s Privacy Sandbox, which intends to replace the use of third-party cookies and other forms of cross-site tracking for targeted advertising;
  • Increased transparency of online tracking such as Apple’s “App Tracking Transparency” framework;
  • Mechanisms relating to individuals’ privacy settings, like the “Transparency and Consent Framework” introduced by IAB Europe, which enables the communication of an end user’s preferences between participants within the adtech supply chain;
  • Tracking prevention at a browser level, such as Apple’s “Intelligent Tracking Prevention” on the Safari browser, which blocks third party cookies by default.

The ICO acknowledges that several proposals have the potential to reduce the risks and harms raised in the 2019 Report. However, it warns that new solutions, even those that appear “privacy-positive”, still need to fully demonstrate compliance.

  3. Data protection concerns

The ICO clarifies several “misconceptions” existing among adtech market participants.

  • First and third-party cookies. The ICO rejects the view that first party cookies have an inherently lower risk than third party cookies. Whether the cookie is placed by a first party or third party is not relevant for assessing data protection risk. Instead, the focus should be on the nature of the risks involved and their likelihood and severity.
  • Purpose limitation. The ICO emphasizes that organisations must always inform individuals about the specific purpose for which personal data is collected and must avoid “function creep”, i.e. using personal data later on for different and incompatible purposes, without specific consent. Even where a new purpose is compatible with the initial purpose, reuse of the personal data will not always be permitted in the context of online advertising, particularly where consent is required. The ICO highlights the risks arising from invisible processing.
  • Internal disclosure and external data sharing. There is no absolute right to share data internally within a group by relying on legitimate interest to further process personal data after having obtained it. This concern specifically relates to larger organisations or platforms able to track users across different services. The ICO stressed the need to assess whether legitimate interest can be relied on as a legal basis to justify further processing and whether intra-group data sharing is appropriate.
  • Privacy as a ‘shield’. Technology platforms should not use privacy as an excuse to refuse to share data with other organisations. The ICO refers to its data sharing code of practice as a guide for organisations wishing to share data while protecting privacy and upholding individual rights.

  4. The ICO’s expectations

The ICO lists five expectations that proposed adtech solutions should meet, and which industry players should “holistically” consider when making new adtech proposals. Organisations should also be able to demonstrate how their initiatives address these expectations.

  • Data protection by design: Individuals’ interests, rights and freedoms should sit behind any design proposal.
  • User choice: Individuals must be offered the ability to receive non-behavioural ads and where individuals choose to share information, they must have meaningful control and ability to exercise their rights.
  • Accountability: There must be accountability across the full lifecycle of the processing and adtech supply chain, with transparency about how and why personal data is processed and who is responsible for that processing.
  • Purpose: The design of the proposals must clearly articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful and transparent.
  • Reducing harm: Proposals must address existing privacy risks, consider any new risks they introduce, and how they will mitigate them, for example in data processing impact assessments.

  5. The ICO’s recommendations

The Opinion sets out various recommendations that are intended to guide companies in assessing the principles set out above and are to be used as key considerations in data protection impact assessments relating to adtech projects.

The ICO’s recommendations cover the following elements:

  • Demonstrate and explain the design choices, taking into account the risks to individuals. For example, use the least privacy intrusive approach and consider the aggregate impact of interacting components and technologies on data protection and privacy.
  • Be fair and transparent about the benefits and outcome of the solution, including from the user’s perspective. For example, demonstrate how the design process avoids dark patterns and nudge techniques.
  • Minimize data collection and further processing to what is necessary to achieve the purpose. As a general rule, the ICO notes contextual-based advertising allows most readily for compliance with the data protection principles.
  • Protect users, including by reducing tracking vectors and addressing re-identification risks, and give them meaningful control.
  • Consider necessity and proportionality. For example, the solution should enable deployers to demonstrate that they cannot achieve the purpose using a less intrusive method.
  • Consider lawfulness, risk assessments and information rights. For example, solutions should assist companies in recognising where consent is required and ensure that consents meet all validity requirements.
  • Address the possibility of processing special category data, and mitigate any risks of creating or inferring such data unless strictly necessary for the purposes. Where the solution processes personal data for segmentation into protected or vulnerable groups, the risks for those individuals must be identified and safeguarded against.

  6. Conclusion

The expectations and recommendations set out in the Opinion largely reiterate existing legal obligations and reconfirm the ICO’s broad concerns with privacy and data protection compliance across the adtech industry.  The adtech sector has introduced some initiatives that were welcomed by the ICO, but there has clearly not been enough progress to assuage the ICO’s fundamental privacy concerns with current adtech practices. As the advertising industry navigates technology initiatives and a changing cookie environment driven by Google and Apple, this Opinion serves as an important reminder that privacy must be a central consideration and provides helpful reference points for compliance. As the ICO warns, alternatives to current practices should raise the standards of data protection and privacy, not dilute them. To date, the ICO has taken a cautious approach towards adtech violations, assuring the industry in the 2019 Report that it would “move carefully” considering the economic vulnerability of smaller UK publishers. The recent Opinion could be interpreted as a warning, suggesting a movement towards enforcement if the industry fails to implement more fundamental change.