The Fragmentation of Adtech: Guidance from Europe

Adtech is quickly becoming the most effective way to advertise, however, it is also becoming dominated by internet giants such as Facebook and Google, which are able to collect personal data and target ads much more effectively than traditional open websites.

This competition is creating fragmentation and the battle to succeed can lead to Adtech companies falling short of their obligations under the General Data Protection Regualtion (EU 2016/679) (GDPR).

This article looks at recent guidance issued by national data protection authorities on how to utilise Adtech technologies whilst following the rules.

The Rise of Adtech

In 2017, a study found that the United Kingdom and France offered the largest online advertising markets in the world, offering 10.38 billion, 6.53 billion and 4.54 billion Euros worth of digital ad revenues respectively. Online advertising has been growing at a rate of 13.2% in Europe, with new methods, such as paid search results and display advertising. 

The Adtech industry is fast becoming fragmented and this can make it difficult for innovators to grow and succeed. Google and Facebook have been massive innovators in the industry and advertisers have been convinced to shift their budgets to advertise with these giants, meaning that other smaller industries are struggling to keep up. 

For websites like Facebook and Google, improving processes in innovative ways might be slightly easier compared to actions undertaken by smaller start-ups, as they can launch new ad formats or optimisation features without much difficulty. Facebook has launched new technology whereby ads can be delivered, which therefore offers new formats and targeting options. 

The open web on the other hand does not have the same access to this user data, which can be used by advertisers to learn from their targets, which is of course something that Facebook is able to do. Without knowing the identity of the audiences they are bidding for on the open web, advertisers understandably prefer to go to large internet giants (such as Facebook or LinkedIn) which can collect more personal data as part of their original functions, and therefore in reliance on this personal data, it is possible to deliver more targeted ads to specific and segmented audiences. 

It is therefore unsurprising that Google and Facebook have been amongst the biggest offenders who have not respected data processing laws while they march ahead in pursuit of dominating the Adtech industry.

Privacy Issues in Adtech

Personal data processing is only lawful if it is carried out under a permitted lawful basis (Article 6 and Article 9 of the GDPR), which for Adtech will generally only ever be when the data subject has consented to it. Less frequently the data controller might argue that their legitimate interests in processing the data outweighs the rights and freedoms of data subjects, however, this is a rare occurrence.

Adtech can create problems with the Article 5 principles contained in the GDPR, which set out that processing must be transparent, data must be collected for explicit purposes, must be secure, and must be necessary. When relying on Adtech, it can be complicated to explain to an individual exactly what will happen to their data, how it will be used and shared with, in a way that is clear and simple for them to understand, and then decide whether or not they wish for their personal data to be used in this way. This in turn raises issues with consent, which should be freely given, specific, informed and unambiguous. 

The user interface of Adtech also brings up issues, since users prefer a clean, uncluttered experience online and on apps, often on tablets and smart phones, which are not always compatible with long notices explaining the purposes of personal data processing. 

Clear and Understandable Information

In February 2019, the UK’s data protection authority, the Information Commissioner’s Office (ICO), issued guidance stating that it was particularly interested in investigating how and what people are told about the use of their data when it comes to Adtech. It acknowledged that a huge amount of personal data is required for systems to function effectively, which can make it difficult to give individuals enough information for them to understand the processing activities. That being said, the ICO is not letting companies off with failing to provide clear and understandable information in respect of Adtech; it is currently auditing a number of Adtech companies with reports due at the end of this year.

We have already seen that in France, the Commission Nationale de l’Informatique et des Libertés (CNIL) recently issued Facebook with a massive 50 million euro fine after finding that it had failed to provide clear and understandable information in its privacy policy for Android.

Part of the 50 million euro fine to Google from the CNIL was based on the fact that users did not have clear and understandable information and so they could not be considered as having freely consented to the processing of their data. The CNIL advised that when processing personal data for Adtech, consent must be an affirmative action- in this case, meaning that pre-ticked boxes did not meet high enough standards.

Geo-tracking

The CNIL has also taken an interest in data subjects’ consent when it comes to geolocalisation for targeted advertising. It has issued a number of formal notices against platform providers which it considers have failed to obtain valid consent for the processing of geolocation data for profiling and targeted advertising

In a recent case, the CNIL stated that pop-ups which are used for profiling and advertising purposes and shared with third parties would not be valid under the GDPR, unless the advertisers obtained informed consent from the users. In this recent case, the pop-ups appeared after apps had been downloaded by the users, and consent was not freely given since users had no choice but to agree to the advertising pop-ups when downloading the app. Furthermore, the consent was not specific since the specific purposes of processing were not set out and communicated to the users.

The Autoriteit Persoonsgegevens, the national data protection authority in the Netherlands, has also recently issued guidance relating to cookie walls, which warn of geo-tracking, advising that if a user is required to consent to cookies in order to access a website, that consent cannot be considered to be valid under the GDPR.

 Can Adtech be lawful?

The Datenschutzkonferenz, the German data protection watchdog, also issued guidance in May 2019 on geo-tracking. It said that it is possible to carry out personal data processing validly under the GDPR so long as valid consent is obtained, or the legitimate interests of trackers outweigh the personal rights and freedoms of data subjects. This is for the data controller to carefully evaluate and only in the limited circumstances of security and analytics would legitimate interests outweigh freedoms. 

Our advice is that users and providers of Adtech should always be aware of the risks involved with the technology and continually review and update procedures. Data subjects must understand the purpose of their data being processed in order to give free and fully informed consent to it. Notices should be written in plain language which is easy to understand, and it should be remembered that data subjects are not required to understand how personal data will be processed: rather, the purposes of processing this data. While it might seem difficult to explain the technology behind Adtech, it should be possible to explain the purposes in a way that is comprehensible and unambiguous. 

If you have any questions relating to your obligations as an Adtech user or supplier, or any other legal matters you would like advice on, please don’t hesitate to get in touch!

Article by Lily Morrison, Legal Consultant @ Gerrish Legal, July 2019