In the midst of the COVID-19 crisis last spring, the adtech industry enjoyed a period of relief when regulators shifted resources away from investigating consumer privacy practices and towards focusing on pandemic response efforts. A spokesperson from the United Kingdom’s privacy watchdog — the Information Commissioner’s Office (ICO) — issued the following statement in May 2020: The ICO recently set out its regulatory approach during the COVID-19 pandemic, where we spoke about reassessing our priorities and resources. Taking this into account, we have made the decision to pause our investigation into real-time bidding and the Adtech industry. It is not our intention to put undue pressure on any industry at this time, but our concerns about Adtech remain, and we aim to restart our work in the coming months, when the time is right.

It now appears that the time is right. Citing concerns surround­ing the use of personal data to serve online advertisements through real-time bidding (RTB) and whether this practice meets the threshold required by the GDPR and related UK data protection and e-marketing laws, on January 22, the ICO announced that it is resuming investigations into the adtech in­dustry and RTB.

What is Real-Time Bidding?

Real-time bidding is a programmatic method of purchasing digital advertising that gives marketers the ability to buy ad space across the internet with increased flexibility. The auction-based method enables marketers to “bid” on ad space in real time — as quickly as in the milliseconds that it takes for a webpage to load and display to users — and whomever has the highest bid has the rights to serve their ad within the given space. Over the past several years, RTB has evolved to make up a significant portion of online advertising and has expanded beyond display and video advertisements to other formats, including audio ads and connected TV. With RTB’s ubiquity in adtech largely reliant on marketers’ ability to target specific categories of consumers, which, in turn, is supported by the flow of personal data from controllers to online publishers and other downstream entities (and the key driver of these participants’ revenue), the complex supply chain leads to an increased risk of data misuse.

Adtech Issues Under European Privacy Law

Since the arrival of the GDPR in 2018, the adtech industry and RTB have been the subject of numerous complaints to the ICO, as well as to regulators across the European Union, including in Ireland, Belgium, Luxembourg, the Netherlands and Spain, which have opened inquiries into the behavioral advertising function of RTB. Among the issues that have faced particular scrutiny are whether the data processing mechanisms underlying RTB, which may broadcast personal data — including potential sensitive categories of data — to third parties in order to generate bids for ad space, are capable of obtaining data subject consent and whether they include the appropriate security safeguards.

In response to complaints filed in the United Kingdom, a June 2019 report issued by the ICO expressed doubt over the lawfulness of certain programmatic advertising practices, including RTB. Among its concerns, the ICO noted that participants inappropriately rely on “legitimate interests” as a lawful basis for processing personal data and serving cookies to obtain such data, rather than on the basis of consent. On the topic of consent, the ICO has claimed that RTB participants process sensitive categories of data, such as health data, religious or political affiliation, and sexual orientation, without the explicit consent that is required under Article 9 of the GDPR. Given the rapid development of RTB technologies, including the introduction of new capabilities to make automated decisions or serve ads based on biometrics (e.g. facial recognition), there is also concern that participants have neglected to conduct data protection impact assessments (DPIAs) to fully assess and mitigate the privacy risks.

Although some of the complaints are over two-and-a-half years old at this point, the ICO warned that it will be issuing assessment notices to specific companies in the upcoming months and conducting audits of these companies’ practices for using and sharing personal data. This subsequent investigatory phase is also set to scrutinize another key stakeholder in the adtech ecosystem: data brokers.

The ICO Investigates Data Brokers

The ICO’s announcement comes on the heels of a major investigation into how the three credit reporting agencies (Experian, Equifax and Transunion) use personal data within their data brokerage departments for direct marketing purposes. The multi-year investigation led to an enforcement action against Experian that requires the company to inform consumers of the personal data it holds about them and how it uses that data for marketing purposes. The ICO also directed Experian to end its use of personal data derived from its credit reporting arm for direct marketing by January 2021. If Experian fails to implement the changes compelled by the enforcement notice, it could face a fine of 20 million pounds or four percent of its total annual revenue.

Data brokers, by their nature, do not have a direct relationships with the consumers whose personal data they process. This makes it difficult, if not impossible, to obtain consent to process individuals' personal data. For data brokers to be in compliance with the GDPR and UK data protection law, this creates unique challenges: while the company may use the information it obtains, it must do so within a specifically defined scope; for example, the data broker’s legitimate interest, which may differ from that of the organization that engaged it.

This absence of privity between data brokers and data subjects also limits the transparency individuals have surrounding how data brokers process information, which, as the ICO noted, is often beyond the public’s reasonable expectations. In conjunction with the Experian enforcement action, the ICO released a market research report detailing the public’s perception of how data brokers use and share their personal information. For an online audience, nearly nine out of ten respondents expect to be notified by a company with which they do not have a direct relationship about the data that company holds and how it uses that data.

Vermont and California Regulate Data Brokers

Beyond the ICO’s investigation of the credit reporting agencies (which, importantly, focused on their offline marketing services), at the core of data brokers’ business model, and what makes them attractive to organizations — ranging from commercial to political to charitable — is their practice of collecting consumers’ personal data from a variety of sources and running that data through machine-learning algorithms in order to build segmented profiles of similar groups of people. This processing of voluminous amounts of data and use of automated decision-making has also led to increased scrutiny by US regulators.

In 2019, Vermont became the first state to pass a law aimed at regulating businesses that buy and sell data about consumers without offering services to those consumers. Vermont’s data broker law requires any business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship,” to (1) annually register with the Vermont Secretary of State, including certain disclosures about consumer opt-out options, purchaser credentialing processes, previous data breaches, and information about minors, and (2) maintain minimum data security standards, such as implementing a written information security program with appropriate administrative, technical, and physical safeguards.¹

Vermont’s law also prohibits any business or individual — not just data brokers — from acquiring brokered personal information through fraudulent means or for the purpose of stalking, harassment, discrimination or fraud.

The second (and currently the only other) state to enact a data broker registration law was — you guessed it — California. Bundled with the CCPA amendments in September 2019, California’s data broker law requires, among other things, that data brokers register in a published directory maintained by the California Attorney General by January 31, following each year when it meets the requirements of the “data broker” definition.² Data brokers must provide their contact information, which is published online by the California Attorney General, but do not have disclosure obligations to the same extent that are required by Vermont’s law. Furthermore, as data brokers, by definition under the CCPA, sell personal data, they are required to provide an opt-out mechanism by which consumers can instruct the broker to cease such sales, and, in accordance with the CCPA regulations, “treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicates or signal[s] the consumer’s choice to opt-out of the sale” of personal data as an opt-out request.

California’s law differs from Vermont’s insofar as it does not define what a “direct relationship” is, simply stating that one may be formed in a variety of different ways, such as by visiting a business’s premises or internet website, or by affirmatively and intentionally interacting with a business’s online advertisements. In contrast, Vermont Attorney General T.J. Donovan has issued guidance on what it means to have a “direct relationship,” stating that a business would be considered to have a direct relationship with past or present customers, clients, subscribers, users, registered users, employees, contractors, agents, investors and donors.

Last year, Hawaii, New York, Rhode Island, and Washington all considered similar bills that would require data brokers to register and provide information to consumers on how to opt-out of the collection of information. As state legislatures return to work in 2021 with consumer privacy regulation top of mind, businesses should prepare for further regulatory requirements.

1. _{9 V.S.A. § 2430..}
2. _{Cal. Civ. Code §§ 1798.99.80-1798.99.82}