Clamp down on the adtech and real time bidding industry: UK’s data protection regulator issues clear warning


Our team: Michelle Waknine


What is real time bidding?

In a nutshell – when a user visits a website, that user will often be presented with advertisements that have been specifically selected for that person. During the milliseconds taken for the website to load, the website publisher would have auctioned a space for the webpage that the user was attempting to access, and an advertiser would have purchased such space in order to specifically target that user. Billions of online advertisements are placed on webpages and apps in this way each day, and the process is known as “real time bidding”.

The June 2019 investigation

The mechanics behind how this industry works is incredibly complex and involves many different organisations working behind the scenes. This prompted the UK’s Information Commissioner’s Office (ICO) to issue a report in June 2019 on the use of personal data in the adtech and real time bidding industry. The report raised a number of serious concerns, perhaps the most notable of which being:

“…the creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening. We outline that one visit to a website, prompting one auction among advertisers, can result in a person’s personal data being seen by hundreds of organisations, in ways that suggest data protection rules have not been sufficiently considered.”

The report found that processing of personal data is often taking place unlawfully at the point of collection due to the perception that the “legitimate interests” ground can be used as the legal basis for placing and/or reading a cookie or other technology (rather than obtaining the consent required under the GDPR and Privacy and Electronic Communications Regulations). Concerns were also raised in respect of the use of “special category data” (e.g. health, racial or ethnic origin and religious beliefs) without consent for targeting and exclusion of individuals, in clear breach of data protection legislation.

The ICO stated that the position would be reviewed in 6 months’ time, and urged data controllers in the adtech industry to re-evaluate their approach to privacy notices and personal data use within the real time bidding ecosystem.

ICO’s warning to the ad tech industry

This timeframe has now passed, and the ICO’s Executive Director for Technology and Innovation, Simon McDougall, recently issued a statement recognising that the industry has a long way to go. Mr McDougall did praise those in the industry who have actively started to make changes to address the ICO’s concerns. The Interactive Advertising Bureau UK has engaged with the ICO and agreed to develop guidance for organisations on security, data minimisation, and data retention and to educate the industry on special category data and cookie requirements.

Google has also jumped on board and has said it will no longer include contextual content categories in real-time bidding requests for buyers participating in its advertising auction, in an effort to protect user privacy. It has also vowed to improve its process for auditing counterparties.

However, Mr McDougall expressed disappointment at the many organisations that have ignored the message and appear to have their heads firmly in the sand. The statement made clear that the ICO will continue to investigate real time bidding and issued a clear warning to the non-compliers:

“Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.”

The ICO indeed have their work cut out for them – the emergence of new ad tech companies and the rise of real time bidding has been ubiquitous in recent years – it was reported by Technology, Media and Telecommunications research organisation Enders Analysis that online advertising contributed more than half (and almost £13bn) of the UK’s total advertising spend in 2018, and it is expected that this figure has since risen and will only continue to rise.

Ad tech companies should ensure that, if not already, GDPR compliance is firmly on their radar – the ICO has powers to issue fines of up to 4% of turnover or 20,000,000EUR (whichever is higher) for breaches of data protection legislation, and it seems clear that they are not afraid to use such powers.

View by date:


View by author:


Would you like to hear more?