A recent report from the UK’s privacy regulator, the Information Commissioner’s Office (ICO), warned that organizations participating in the real-time bidding (RTB) system, a major business mode adopted by the online targeted advertising industry, should not rely on “legitimate interests” under the GDPR Article 6 to justify their data processing.
RTB is a complex automated ad exchange ecosystem, facilitating targeted advertising bidding and buying in real time. Millions of websites and thousands of organizational players participate in, including advertisers, publishers and ad service agencies. Its operation relies on the collection and processing of a large amount of users’ data, including IP address, the webpage being loaded, cookie ID, internet browsing history, device information, etc., collected via cookies and other similar online tracking tools. Sometimes, data from multiple sources like data brokers are integrated to form a more accurate user profile. According to the ICO’s report, the system may also include sensitive personal data relating to politics, religion, ethnic groups, and mental and physical health.
The ICO was concerned with privacy risks implicated by the system, which could be quite serious and may violate the GDPR and another UK domestic law the Privacy and Electronic Communications Regulation. I am particularly interested in the analysis applying GDPR’s “legitimate interests” standard.
The GDPR requires lawful basis to process data, and “legitimate interests” is one of the permitted situations and popular among businesses because it sounds broad and flexible. But the report discourages the participating organizations in the RTB system from solely relying on this to legitimize their data practices.
GDPR Article 6(1): Processing shall be lawful only if and to the extent that at least one of the following applies: … (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
At first glance, as the ICO warned, “legitimate interests” may seem to be a tempting “easy option” for those who seek to avoid the needs to get consent. But Article 6(1)(f) actually sets up a high bar including a three-part test, which can be more challenging than the consent requirement. Firstly, a valid legitimate interest needs to be identified, which relates to the processing purposes and whether such purposes are justified. Secondly, the data processing must be necessary to achieve that interest, which implicates questions like whether there is an alternative solution without processing the personal data, and if there is, whether the alternative one is less privacy intrusive. Then comes to the third step that requires a balancing test weighed against data subjects’ interests, fundamental rights and freedom, which to my understanding can trigger the most complicated analysis compared to the other two steps. Factors suggested to consider include the likelihood of undermining the data subjects’ interests and rights, whether there are reasonable expectations in the context of their relationship with the organizations, are there any measures to mitigate the potentially negative effect, etc. Many of these questions can become particularly tough for the RTB industry because of the intrinsic nature of the industry relying on extensively monitoring people’s behaviors on a large scale. In the report, the ICO concluded that legitimate interests could only be used when organizations can prove that their data use “is proportionate, has a minimal privacy impact, and individuals would not be surprised or likely to object,” and this is impossible to achieve for RTB business.
I heard arguments citing Recital 47 of the GDPR that explicitly mentions direct marketing in its interpretation of legitimate interests. The text says that personal data processing for direct marketing purposes “may be regarded as carried out for a legitimate interest.” Pay attention to the word “may,” which makes the sentence literally mean that it is possible to use legitimate interests to justify data processing for direct marketing purposes. Possibility does not mean an all-time free pass. Actually, this sentence sounds more like a message disfavoring applying legitimate interests in the context of direct marketing but cautiously leaving space for possible exceptions. This can be further corroborated by a 2014 opinion of Article 29 Working Party, which suggested that consent, rather than legitimate interests, should be considered in scenarios “involving extensive profiling, data-sharing, online direct marketing or behavioral advertisement” where users are undergoing unduly monitoring on their online and offline activities without their knowledge and a workable mechanism to object/opt-out.
These are the exact problems bothering the ICO in the report – on one hand, the RTB system collects, processes and shares with a lot of market participators tons of personal data, some of which can be sensitive and intimate; on the other hand, the complexity and opaqueness of the system makes the data practices there largely unsecured, unsupervised and uncontrolled. Many people simply don’t know the existence of RTB, not to mention understanding how their data is processed. Even many participating organizations themselves cannot fully understand how the data flow there and what exact role they are playing on that data supply chain, as the report finds out.
Currently, the RTB industry is primarily under a self-regulatory regime, but it has been attracting growing government attention. In addition to the ICO’s report, since last fall, seven EU member states – the UK, Ireland, Poland, Spain, the Netherlands, Belgium, and Luxembourg – have received GDPR complaints urging their privacy regulators to investigate the industry. And just a few days ago, the French privacy regulator CNIL announced an action plan to address cookies and other problems relating to online targeting advertising, followed by an updated ICO guidance on the use of cookies reaffirming that legitimate interests should not be relied upon to set cookies.
In light of these recent developments, even though it is still unclear yet how the law enforcement will roll out, organizations participating in the RTB system are recommended to take early actions, such as to get a better understanding of the data practices and the whole industrial context, and based on that, to adapt to a more privacy-centric business mode. For individuals who are reading this and concerned about online tracking threatening privacy, I recommend this Privacy Badger tool offered by EFF for free to block those invisible trackers.
I also once wrote a relevant post about another online ads case decided by the ICO, where I argued that whether an internet ecosystem with less targeted ads will holistically be better for users is complicated and unclear. You can click here to find the post.
