In May 2020, UK data protection authority, the Information Commissioner’s Office (ICO),  announced that as a result of resource constraints posed by COVID-19, it was suspending its investigations into the adtech ecosystem.

But why was the investigation necessary in the first place?

Online advertising technology (“adtech”) forms an integral part of the monetisation strategy for a large proportion of websites.[1] Contextual advertising uses adtech to target users with ads that are more likely to result in the purchase of products or services.[2] This requires the collection of data about the user, some of it directly personal, but more commonly personal characteristics are inferred through non-directly identifiable data.[3] By analysing an individual’s browsing history, an individual’s age, gender or even sexual orientation can be inferred.

Following the legislative clarity provided by the General Data Protection Regulation (GDPR), regulators have begun to take note of the online advertising industry’s extensive use of personal data.

The start of 2019 saw the French Data Protection Authority, CNIL, issue a fine against Google for the use of adtech on its Android platform. In April 2019, the European Data Protection board issued guidance related to cookies and behavioural advertising.

In June 2019, the ICO published its first preliminary report into adtech. The ICO’s work on adtech focuses on real time bidding (RTB). This method of delivering online advertising is particularly challenging to regulate, given its technical complexity.[4]

Echoing the video above, RTB works by delivering an online virtual auction.[5] When a user visits a publisher’s website, a request for an ad is served. The publisher delivers the information they know about the user to an ad server, the ad server will determine if it has seen the user before and attach any additional information it has collected about the individual. It then forwards this onto a Supply Side Platform (SSP) which cleans up the data into a standard format before forwarding it on to an Ad Exchange, this is where the bidding process happens.

The Ad Exchange will alert Demand Side Platforms (DSPs) that it has a “pair of eyes” belonging to an individual. It includes all the information known about the individual and, if applicable, a minimum bid value. DSPs are configured by advertisers to bid based on a set of target individual requirements. The closer the advertised “pair of eyes” to this criterion, the higher the bid. The winning bidder then transmits the ad information back down the chain for display on the publisher’s site, hoping that the money spent on the bid will translate into the purchase of a product or service. The whole process usually takes between 10 to 100 milliseconds.[6]

RTB allows for adverts to be dynamically displayed to individuals.[7] This involves the collection and processing of vast amounts of personal data. In its 2019 report, the ICO draws particular attention to the collection and processing of special category data, which includes information relating to ethnicity, gender, and sexual orientation, among others.[8]

In response to regulatory scrutiny, the Interactive Advertising Bureau (IAB) Europe, the online advertising industry body, released the second iteration of its Transparency Consent Framework (TCF) in August 2019. The TCF is an industry-supported set of technical specifications and policy documents designed to help manage advertiser and publisher obligations under the European data protection regime.[9]

As well as the GDPR, this regime also includes the 2002 ePrivacy directive. Recital 25 of the directive regulates the placement of cookies on a user’s web browser. The recital requires that individuals have the ability to refuse cookies.

A cookie banner pop with a explanation paragraph and buttons to select cookie options
Figure 1: A cookie banner from Cookiebot

Cookies are snippets of information that a webpage can place in a user’s local browser storage, they are commonly used to store session information, as well as to track users across multiple websites.

It is no surprise that the RTB system is reliant on cookies in order to create a contextual image of a user.[10] For example, advertisers may have information on an individual’s interests, political affiliation and shopping habits. Part of the ICO’s criticism targets the lack of consent for the placement of such cookies.[11]

The advertising preference screen for a google user, includes a brief title and then followed by preference categories
Figure 2: Google's contextual image of me as an individual

Regulating adtech

Article 6 of the GDPR outlines the requirements for the lawful processing of personal data. For commercial entities, a user must either consent to the processing of data or there must be a legitimate purpose undertaken by the controller.[12]

In many cases consent is the only lawful basis for the processing of data.[13] GDPR Article 4(11) defines consent as being, “freely given, specific, informed and unambiguous”. To put it simply, the subject must be presented with the opportunity to make a real choice.[14]

GDPR Article 7 requires that, in order to rely on consent as a basis for processing, the controller must be able to demonstrate that the subject has provided their consent. One of the significant challenges with relying on the consent mechanism is ensuring that the consent given is informed.[15]

The Article 29 Working Party suggests that in order to provide informed consent, a data subject should be given information (at a minimum) about the following:

I. The controller’s identity,

II. The purpose of each of the processing operations for which consent is sought,

III. What (type of) data will be collected and used,

IV. The existence of the right to withdraw consent,

V. Information about the use of the data for automated decision-making, and

VI. Appropriate safeguards as described in Article 46.[16]

Given the dynamic nature of the adtech stack, it may not always be possible to inform users of all the possible data controllers involved in an RTB transaction. From time to time, these controllers change, from a privacy perspective a user should be provided clear guidance about this reality in order to ensure compliance.[17]

In order to meet the requirements of unambiguity, consent for targeted advertising must be separate from the general terms and conditions of the service provided by a website.[18] Article 7(4) states that consent shall not be feely given if data collected is not necessary for the performance of the contract the user is consenting to. This suggests that unless targeted advertising is strictly necessary to deliver an online service, separate distinct consent needs to be obtained from the data subject. Based on the findings of the ICO’s report, it is unlikely that this is being respected in practice by those involved in the RTB ecosystem.

A further issue, when relying on the consent mechanism, is that it may be incredibly unclear to a data subject when they provide the consent that a data controller may later rely upon it. Controllers are unable to rely on opt-out consent,[19] and therefore must demonstrate that a data subject has explicitly consented to targeted advertising.[20] Currently, the ICO’s position is that in a majority of cases consent is not being obtained for the processing of personal data for the purposes of targeted advertising.[21]

The Article 29 Working Party goes further to state that a user’s service should not be unreasonably restricted should they not provide consent.[22] However, it may be difficult to reconcile this opinion with the commercial reality of funding “free services” through profitable advertising.[23] In order to affect compliance in these situations of friction, it is clear that co-operation is required between regulators and the online advertising industry. This is further compounded by the issue that many users lack the technical knowledge in order to provide informed consent.[24]

Under the provisions of GDPR Article 7(1), in order to rely on the consent basis a controller must be able to demonstrate that have obtained valid consent.[25] Given the vast number of potential controllers in the RTB stack, there may be some instances where a controller is unable to provide a record of consent, which raises questions as to the legality of processing.

Finally, Article 7(3) outlines the requirement for a data subject to be able to withdraw their consent at any time. This provision acts a reinforcement of a data subject’s Article 21 right to object to the processing of their data. For many users, it is not entirely clear through what mechanism they are able to exercise this right, if such a mechanism even exists.[26]

Legitimate Interest

As of August 2018, the legitimate interest basis was relied on by a majority of IAB members surveyed by the ICO.[27] GDPR Recital 47 describes a legitimate interest arising in situations where the data subject is a client of the controller. In situations where users have registered to become users of websites, this seems perfectly reasonable. Indeed, advertising allows many websites to offer their services free of charge at the expense of highly targeted advertising. It is unlikely that a data subject’s right to object to processing could be utilised if they have agreed to receive targeted advertising as part of the terms and conditions governing account registration.

This leaves the problem of targeted advertising in instances where a contractual agreement (e.g. creating an account on a website) does not exist between the data subject and any of the data controllers. Clearly, in these situations, reliance on the legitimate interest basis may be problematic.

Finally, it is possible that data stored by a controller may include special category data.[28] Article 9(2)(a) only permits the processing of this aforementioned category with explicit consent from the data subject.[29] This may render the legitimate interest basis invalid when delivering advertisements based on any of the categories outlined in Article 9 (race, ethnic origin, sexual orientation, political affiliation etc.).

Looking ahead

It is clear that the adtech industry needs to change its approach to the processing of individual personal data. Initiatives such as the second version of the Transparency Consent Framework (TCF) are steps in the right direction, but will take time to implement. The IAB has recently extended support for TCF 1.0 until August 2020, with many of the large market players, including Google, delaying implementation of TCF 2.0 until this new date.

However, with data protection regulators preoccupied with the COVID-19 epidemic, it is likely that, for now, the adtech debate has been put on pause.


[1]Nevena Vratonjic and others, ‘Ad-Blocking Games: Monetizing Online Content under the Threat of Ad Avoidance’,  The Economics of Information Security and Privacy(2013) 49.

[2]Kaifu Zhang and Zsolt Katona, ‘Contextual Advertising’ [2012] Marketing Science 986.

[3]Marc Langheinrich and others, ‘Unintrusive Customization Techniques for Web Advertising’ [1999] Computer Networks 1261.

[4]‘Update Report into Adtech and Real Time Bidding’ (2019) 19.

[5]Shuai Yuan, Jun Wang and Xiaoxue Zhao, ‘Real-Time Bidding for Online Advertising: Measurement and Analysis’,  Proceedings of the 7th International Workshop on Data Mining for Online Advertising, ADKDD 2013 - Held in Conjunction with SIGKDD 2013(Association for Computing Machinery 2013) 3.

[6]Yong Yuan and others, ‘A Survey on Real Time Bidding Advertising’, Proceedings of 2014 IEEE International Conference on Service Operations and Logistics, and Informatics, SOLI 2014(2014) 1.

[7]Jun Wang, Weinan Zhang and Shuai Yuan, ‘Display Advertising with Real-Time Bidding (RTB) and Behavioural Targeting’ (2017) 11 Foundations and Trends in Information Retrieval 297, 1077.

[8]‘Update Report into Adtech and Real Time Bidding’ (n 8) 16.

[9]‘IAB Europe & IAB Tech Lab Release Updated Transparency & Consent Framework - IAB Tech Lab’ (n 12).

[10]Wang, Zhang and Yuan (n 9) 1079.

[11]‘Update Report into Adtech and Real Time Bidding’ (n 8) 16.

[12]Recital 40 General Data Protection Regulation.

[13]Kaniz Fatema and others, ‘Compliance through Informed Consent: Semantic Based Consent Permission and Data Management Model’ 1.

[14]Article 29 Working Party (n 31) 5.

[15]Rectial 42 General Data Protection Regulation Appears to suggest that the GDPR requires informed consent.

[16]Article 29 Working Party (n 31) 13.

[17]For example, it makes commercial sense to open up an ad exchange to as many DSPs as possible.

[18]Article 29 Working Party (n 31) 8.

[19]‘Consent | ICO’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/ accessed 18 January 2020.

[20]Consent must be an affirmative act Article 29 Working Party (n 31) 15.

[21]‘“We Will Use Our Powers”: ICO Prepares to Go to Battle with Ad Tech Industry’ https://www.marketingweek.com/ico-real-time-bidding-brands-data-misuse/ accessed 18 January 2020.

[22]Article 29 Working Party (n 31) 29.

[23]Spyros E Polykalas and George N Prezerakos, ‘When the Mobile App Is Free, the Product Is Your Personal Data’ [2019] Digital Policy, Regulation and Governance 94.

[24]Yvonne O’Connor and others, ‘Privacy by Design: Informed Consent and Internet of Things for Smart Health’,  Procedia Computer Science(2017) 655.

[25]The burden is always on the data controller, not the data subject Article 29 Working Party (n 31) 20.

[26]DMA (n 37) 19.

[27]‘Update Report into Adtech and Real Time Bidding’ (n 8) 12.

[28]Requiring further protection under the provisions of Article 9 GDPR

[29]Article 29 Working Party (n 31) 18.