GNP Guia Naghi & Partners The Legal 500 – The Clients Guide to Law Firms

Ioana Stoica – RTB in GDPR

In today’s digital age, the intersection of advertising technology and privacy regulations has become a focal point. At the heart of this convergence is programmatic advertising, a sophisticated realm of digital marketing that relies heavily on user data. This article delves into the intricacies of programmatic advertising and its implications under the General Data Protection Regulation (“GDPR”) and the Directive on privacy and electronic communications (“e-Privacy Directive”).

What is Programmatic Advertising?

Programmatic advertising refers to the automated buying and selling of online ad space. Unlike traditional methods that involve manual negotiations and purchase orders, programmatic advertising uses algorithms and real-time data to decide which ads to show to which users, and at what price. The most common method within this is Real-Time Bidding, a live auction that takes place in milliseconds as a webpage loads.

Real-Time Bidding (“RTB”) Unveiled

Imagine an auction house, but instead of antiques, it’s ad spaces being auctioned. And rather than lasting hours, it’s over in the blink of an eye. That’s RTB.

Programmatic advertising operates within a dual-sided ecosystem: the supply side and the demand side.

Supply Side: This side is represented by media outlets, publishers, ad networks, and individual creators such as bloggers and vloggers. They offer the digital real estate where ads can be displayed. To manage and optimize this space, they use Supply Side Platforms (“SSPs”). SSPs are platforms that allow these suppliers to automate the selling of their ad space, ensuring they get the best price in the RTB auction.

Demand Side: On the flip side, the demand side consists of advertisers and the agencies that buy on behalf of those advertisers. They’re looking for the best spaces to display their ads to the right audience. To streamline and optimize this buying process, they use Demand Side Platforms (“DSPs”). DSPs allow advertisers and agencies to purchase ad impressions across a range of publisher sites, targeting specific user criteria.

Central to both these sides is the use of Data Management Platforms (“DMPs”). DMPs are sophisticated tools that collect, analyze, and manage data from various sources. They help both the supply and demand sides understand user behaviour, ensuring that the right ads are shown to the right users.

When you click on a website, information about you and the content you’re about to view is sent to an ad exchange. Advertisers, through their DSPs, then bid for the right to show you an ad based on data from DMPs. The highest bidder wins, and their ad is displayed on the webpage, facilitated by the SSP on the publisher’s side. All of this happens in real-time, making it a marvel of modern technology but also a potential minefield for privacy concerns.

The GDPR, e-Privacy, and the Complexities of Automated Decision Making in RTB

Programmatic advertising, particularly RTB, is a marvel of the digital age, but it’s also a potential minefield for privacy concerns. One of the most significant challenges arises when considering RTB in the context of Automated Decision Making (“ADM”) under the GDPR.

Is RTB an Example of ADM?

At its core, RTB involves instantaneous decisions about which ads to display to which users, based on a myriad of data points. This rapid, automated decision-making process can indeed be classified as ADM and might trigger the application of art. 22 GDPR when these decisions can have significant effects on individuals. Several such effects might be:

  • price discrimination: different users might see different prices for the same product based on their profile – for more details about this behaviour and its consumer protection implications, please access this article, which tackles price personalization, paying with data for digital content and digital services, and the intersection between the GDPR and the Omnibus Directive.
  • content discrimination: users might be shown or denied specific content based on their online behaviour or demographics.
  • access to credit: financial advertisements, like those for credit cards or loans, might display different conditions based on a user’s inferred financial status or creditworthiness.

Privacy Intricacies of RTB Technology:

RTB is not just about displaying ads; it’s a complex system that implies, from a processing perspective:

Profiling – algorithms create user profiles based on online behaviour and use these profiles to make instantaneous ad placement decisions.

Large-scale processing – this includes processing special categories of data, such as political affiliations, sexual orientation or health conditions.

Use of innovative technologies and data combining from multiple sources – the system is based on advanced tracking and profiling technologies, and data brokers and other third parties usually combine data from various sources to create more detailed user profiles.

Invisible data processing, including geolocation and behaviour tracking – much of the data processing happens in the background, unperceived by and sometimes concealed from the user, and almost always implies tracking users across devices and locations.

Besides processing, it is important to note that RTB operates on hundreds of data points, including:

  • the website and content the user is currently browsing;
  • identification codes corresponding to different trackers installed over time on the devices, which allow the creation of profiles with data from very different sources;
  • demographics like gender and exact birth year;
  • IP addresses and exact GPS coordinates;
  • data broker segment IDs, which might infer income levels, social media influence, spending habits, and more;
  • encoded data points, which pack user-specific data into a numeric code representing aspects like: eating disorders, left-wing politics, male impotence, Buddhism, AIDS and HIV;
  • data referring to the so-called “data broker segment ID”, which denotes different inferred data such as income level and spending inclination.

Legal basis: Explicit Consent vs. Legitimate Interest vs. Contractual Necessity?

In cases of ADM with significant effects, given the depth and breadth of data processing in RTB, according to the GDPR, explicit consent is mandatory. In other instances, the applicable legal basis is disputed and not equally implemented across the industry.

The e-Privacy Directive, often dubbed the “Cookie Law”, has specific implications for programmatic advertising, since the industry relies heavily on cookies to track users and refine ad targeting. The Directive requires clear and informed consent for such cookies, i.e. unnecessary and third-party cookies.

An important question is: could valid consent actually be obtained in the world of RTB? Is it possible to have users fully informed about the data being collected, how it’s being used, and the potential implications of that use? With multiple parties involved in every ad auction, each with its data processing protocols, is it possible to obtain an “all-in” genuine consent, in milliseconds, by a clear, affirmative action?

In relation to legitimate interest, the evaluation requires a careful weighing of the participating organizations’ pursuits against the protection of data subjects’ fundamental rights and freedoms, and the balancing test has to account for the reasonable expectations of data subjects. In this respect, the same questions asked in relation to valid consent arise. Given the multitude of participants potentially gaining access to personal data, can the data subjects feasibly anticipate the extent of processing? The conclusion has to be that within the RTB ecosystem, characterized by intricate interactions among numerous entities, it is at least challenging, if not impossible, for individuals to reasonably foresee the cascading implications of their data’s exposure, particularly with respect to the nature of the personal data and its potentially sensitive character.

This conclusion is further supported by the EDPB (available here) and the ICO (available here) – legitimate interest is an insufficient legal basis within the realm of direct marketing entailing behavioural advertising.

Considering the above, while legitimate interest might theoretically hold potential as a plausible legal foundation, it falters in the face of the contemporary configuration of the RTB industry. The interplay of multifaceted interests, complex data flows, and intricate technologies places an undeniable strain on the applicability and adequacy of legitimate interest as a definitive legal ground for RTB.

Notably, the existing RTB systems lack mechanisms that ensure the collected and disseminated personal data are confined to information that is strictly indispensable for the designated purposes. The absence of such safeguards raises concerns about the production and dissemination of inferred data, including sensitive categories of data.

In relation to contractual necessity, in accordance with the EDPB guidelines (available here), we conclude that (pre)contractual necessity cannot be an applicable legal basis for behavioural advertising.

Current State: The IAB, TCF, and the Ongoing Legal Battle with GDPR

The International Advertising Bureau (“IAB”), specifically its European arm, IAB Europe, stands as a pivotal entity in the digital marketing and advertising ecosystem. Representing the interests of national IABs, media, technology, and marketing companies, its primary mission is to foster industry collaboration and set relevant standards.

One of IAB Europe’s significant initiatives is the Transparency and Consent Framework (“TCF”). Designed as an accountability tool and a voluntary standard, the TCF aims to standardize practices to ensure compliance with the ePrivacy Directive and the GDPR. By tailoring the principles and requirements to the online industry’s specific context, the TCF seeks to provide a clear roadmap for compliance in the realm of online advertising. However, as the issues underlined above have not yet found clear answers, in February of 2022 the Belgian Data Protection Authority declared TCF 2.0, an iteration of the framework, partially incompatible with the GDPR.

Following the decision, the IAB faced an administrative fine and was directed to present an action plan detailing corrective measures. In response, the IAB appealed the fine before the Belgian Market Court. In a significant move, the proceedings were stayed in autumn 2022, and several pivotal questions were referred to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling, accessible here.

A decision from the CJEU is eagerly anticipated and is expected to be delivered between late 2023 and early 2024.

Final Thoughts

Programmatic advertising represents the cutting edge of digital marketing. However, its deep-rooted reliance on user data makes it a focal area for privacy concerns. Given that several important questions – such as the possibility of obtaining valid consent, or the necessary measures to be implemented for the legitimate interest – still haven’t been tackled by relevant authorities, the question remains for legal professionals: what is the kosher way to implement RTB?

***for further references and research material please do not hesitate to contact the author at ioana.stoica@gnp.ro ***
