Adtech Sector: ICo report 20 june 2019

High-level conclusions from the ICO Adtech Sector report (dated 20 June 2019) on the use of personal data in the Real-time Bidding scenario.


The adtech sector has come under recent scrutiny for the way in which it processes personal data. There have also been numerous complaints[1] filed in different countries concerning the use of the RTB process. The Key problem the ICO has identified is there are substantially different levels of engagement and understanding of how data protection law applies, and the issues that arise.

The ICO has assured market participants that it will, “take a measured and iterative approach, before undertaking a further industry review in six months’ time”.

This gives us at least 6 months to understand the overlap between GDPR and PECR as it relates to Adtech Business models to effectively manage and / or mitigate residual risks.

[1] Fix Adtech Blog ; Bits of Freedom (in Dutch) ; Brave Browser


The ICO itself recognises certain assumptions that are relevant:

  • Under the GDPR, processing personal data can only be lawful where the company has a lawful basis. However, identifying a lawful basis for the processing of personal data in RTB remains challenging, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient in respect of data protection law requirements.
  • Regarding the Data Supply Chain there appears to be an overreliance on contractual agreements to protect how bid request data is used, shared and deleted. However, this might not be suitable given the amount of intermediaries involved and the type of personal data (often regarded as ‘sensitive’ for GDPR purposes). 


The GDPR under Art 35 (3) requires organisations to conduct DPIAs (Data Protection Impact Assessments) in circumstances where there is a systematic and extensive evaluation of personal aspects relating to natural persons, including profiling, and on which decisions are based that produce legal or similarly significant effects; and where there is large-scale processing of special categories of data.

DPIAs would appear highly relevant to a number of Adtech Platforms for business operations and the adtech space more generally. This is because new platforms have the ability to offer:

  • use of innovative technologies[1];
  • ability to combine and match data from multiple sources;
  • tracking of geolocation and / or behaviour

The type of processing undertaken by Adtech Platforms utilising Personal Data has the potential to fall within those activities that the ICO considers likely to result in a high risk. As such there is a definite need to utilise a DPIA regularly and to conduct continuous reassessment to ensure it is fit for purpose. 

It is also important to note that: in circumstances where bid requests by publishers are detailed, this makes them more attractive to advertisers, either because they bring in higher revenue and/or because they are intended to enable more accurate targeting of adverts to individuals; and parties within the RTB ecosystem may also ‘augment’ the data collected with information from other sources, a process known as ‘data matching’ or ‘enrichment’[2] .

The types of information involved in a bid request varies but even in circumstances surrounding Google’s Authorised Buyers / TCF Frameworks etc. that allow for information relating to audience segmentation and information collected from other sources such as data management platforms (which may also be incorporated via the bid request) it makes the requirements under GDPR a pre-requisite to doing business. 

[1] Art 35(1) GDPR


  • The current consent requests provided under both the TCF and AB frameworks are non-compliant. Consent mechanisms must be appropriate for the processing of special category data. Market participants must therefore modify existing consent mechanisms to collect explicit consent, or they should not process this data at all.
  • ICO consider the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (ie processing relating to the placing and reading of the cookie and the onward transfer of the bid request). Firstly, PECR requires consent at initial point for use of any non-essential cookies.
  • Information requirements under Articles 13 and 14 GDPR require privacy notices to specify ‘recipients or categories of recipients’. However, in cases where the processing of personal data by third parties is intended to rely on a consent obtained by a first party, those third parties would need to be named as recipients of the data, and the nature of RTB means that the first party has no means of determining which third parties the data will be shared with. This leads to extensive lists of organisations who the data ‘might’ be shared with, depending on the specifics of the auction process.
  • Industry has looked to use contractual controls to provide a level of guarantees about data protection-compliant processing of personal data. However, this contract-only approach does not satisfy the requirements of data protection legislation. Organisations cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring technical and organisational controls back up those terms (which is something we at tlam have insisted on from the start).
  • In line with the contracts required under Art 28(3) there is a need to ensure all processor’s in the supply chain are complying with your instructions and obligations under GDPR thereby demonstrating accountability and appropriate due diligence – which may include you (with our assistance)  conducting audits and inspections of your suppliers.

final thoughts 

At tlam we believe it is important to be honest with our clients - the GDPR is a terrible piece of legislation that has noble aims but offers too much ambiguity when clarity is needed and too much prescription where open interpretation is required. Privacy Regulation is a frontier regulation; whether it is from the EU, California, Singapore, Australia or Brazil, you will have to constantly adapt and maybe even anticipate new regulation.


Simple answer is you don't react, you plan and take action from your business plans and risk management to establish the ethical and technological impacts of privacy regulation on your business and, crucially, assess and audit the privacy impacts that are likely to affect your clients and the steps you intend to take where risk is manifest.

In short you optimise the performance of your company subject to privacy constraints.



If you have any questions or need further guidance then do not hesitate to get in contact with the tlam Data Privacy team.


if you have any further, queries or need help understanding your privacy and network architecture, look out for more content or email