Lucas Atkin



Corporate and Commercial / 04 February 2020

Information about an individual’s online behaviour has value. A record of products or services purchased or considered allows organisations to target that person with online advertising tailored to their apparent interests or requirements.

This process is underpinned by adtech called “real-time bidding” (“RTB”). Over the course of a few milliseconds while a website loads, a publisher auctions advertising space on that website. Advertisers, who have been directed to that website as likely to be viewed by individuals interested in their products/services, bid for the space. The appeal is obvious: advertisers can reach more people more quickly and more often, while the process is cheaper (and its results easier to measure) than offline advertising.

But the opportunity comes at a cost. Individuals’ profiles usually contain personal information (for example, IP addresses, geographical locations and person-specific website use patterns), meaning that organisations must comply with data privacy law when carrying out online targeted advertising. Looking at some key data privacy law obligations, compliance will not be straightforward:

Organisations must tell individuals how and why the organisation uses their personal information, including for advertising purposes, in the organisation’s privacy notices. Specific problems arise in the RTB context, for example:

– Explaining the concept in privacy notices such that individuals are sufficiently informed, but without going into excessive technical detail.
– Identifying the recipients, or categories of recipients, of personal information. The RTB ecosystem is vast: just one request can result in a user profile being viewed by hundreds of organisations.

Lawful basis
Whenever organisations use personal data, they must be able to rely on one from an exhaustive list of six lawful bases under the GDPR. As targeted online advertising involves using cookies and is a form of unsolicited electronic direct marketing, the only appropriate lawful basis is consent. This can be challenging: for example, how do advertisers obtain consent from new audiences identified by the RTB process whose personal information can be accessed and used without their involvement?

Special category personal information
Special categories of personal information (types which regulators consider more sensitive) are often particularly valuable for advertisers, such as:
– information about health conditions or healthcare products purchased for pharmaceutical advertisers;
– information about religious denomination for charities looking to raise funds; or
– information about political opinions for political parties looking for donations or other support.

To use special category personal information, organisations must satisfy one from an exhaustive list of ten additional conditions. The only condition available is explicit consent. This means that advertisers and publishers may be obliged to implement three separate consent collection mechanisms before lawfully providing targeted advertising: to serve cookies, to serve targeted advertising and to use special category personal information.

Data sharing
RTB is a complex ecosystem with numerous participants. The process of building and analysing profiles, linking them to available space and selling that space involves many different organisations using and sharing personal information (often outside the EU). Organisations involved will be expected to put in place appropriate contractual terms, which will differ depending on the role played by each organisation.

Data protection impact assessment
A data protection impact assessment is obligatory for many common aspects of the RTB process: profiling individuals based on their online behaviour, using personal information on a large scale, using innovative technology and combining/matching personal information from various sources.

What do we need to do?
The ICO has begun a further review ahead of producing tailored guidance, but has made clear that it already expects organisations to take compliance action (such as amending privacy notices, obtaining and recording consent and identifying lawful bases) and that it will focus on online advertising for enforcement.(1)

Given the relative infancy of the technology, the ICO is likely to allow some leeway: it will want to see that organisations have made a good attempt to understand how they use personal information for targeted online advertising, have analysed the risks and have implemented countermeasures accordingly, but it will not expect organisations to solve or address particularly challenging data privacy issues.

Please contact Lucas Atkin if you have any questions.


