- This analysis is provided by Anonos and may not reflect the opinions of other 5th Cookie working group members -
|ICO Update on AdTech and RTB - Critical Items Highlighted in June 2019||Issue Raised
by the ICO
|How Google and IAB Proposals Fall Short||What 5th Cookie Initiative Provides|
|ACCOUNTABILITY||Under GDPR, a data processor must be able to demonstrate, among other things: how their processing operations work; what they do; who they share any personal data with; and how they can enable individuals to exercise their rights.||Neither the Google nor the IAB proposal provides suggestions for technical controls that demonstrate how operations work, or prove what they do/how they share personal data. This makes it hard to hold data controllers and processors accountable.||With 5th Cookie, technical controls are embedded in the process. With "demonstrable accountability," compliance can be shown to auditors, enforcement agencies, and oversight organisations.
A technical record of processing, sharing, and the data flow can be supported with the 5th Cookie proposal.
|CONSENT||Protocols used in RTB include data fields that constitute special category data, which requires explicit consent.
Even without the unique requirements applicable to special category data, methods of obtaining consent under alternative approaches are often insufficient to meet GDPR requirements to rely solely on consent as the legal basis for processing.
|Google and IAB do not specifically address consent issues in their proposals, and do not propose technical controls to support “Legitimate Interest” processing as a complement to consent-based processing.||5th Cookie enables users to consent via opt-in to processing: of (1) Provided; (2) Inferred; and Observed data. All personal data can be sorted into dynamically generated advertising micro-segments (m-segs) using Pseudonymisation to support Legitimate Interest processing as a complement to consent for authorised secondary processing.|
|TRANSPARENCY||Transparency and consent are closely linked in RTB. Requirements exist under GDPR, including Articles 5(1), 12, 13 and 14, to be transparent about what personal data are being collected and processed, etc.
Organisations must be able to understand, document and be able to demonstrate: how their processing operations work; what they do; who they share any personal data with; and how they can enable individuals to exercise their rights.
|Neither the Google nor the IAB proposal provides suggestions for technical controls that demonstrates how operations work, or objectively prove what they do/how they share personal data. This makes it hard to meet the criteria of transparency under the GDPR.||With 5th Cookie, technical controls are embedded into the process (Data Protection by Design and Default) to enable "demonstrable accountability" to auditors, enforcement agencies, and oversight organisations.
A technical record of processing, sharing, and data flows can be provided using 5th Cookie to support the goal of transparency.
|LEGITIMATE INTEREST||The ICO concluded that “we believe that the nature of the processing within RTB makes it impossible to meet the legitimate interests lawful basis requirements.”
ICO notes that it could only be met if data processors “don’t need consent under PECR and are also able to show that their use of personal data is proportionate, has a minimal privacy impact, and individuals would not be surprised or likely to object.”
|The Google and IAB proposals do not include suggestions for technical controls that could support lawful Legitimate Interest processing.||5th Cookie enforces technical controls to enable use of personal data proportionately, with a minimal impact on individual privacy, to help tip the Legitimate Interest “balancing test” in favour of the data controller in line with ICO Guidance and GDPR requirements.
See note above under Consent for issues regarding Special Category Data.
Consent is still required for lawful RTB processing; you cannot rely entirely on Legitimate Interest. 5th Cookie recognizes and re-enforces the importance of Consent. 5th Cookie leverages Legitimate Interest processing for lawful secondary processing of personal data following receipt of Consent from data subjects to do so when they opt-in to participate in the 5th Cookie enabled program.
|SCALE & CREATION & SHARING OF DATA||The ICO noted that the "creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening."||IAB relies on mere contract, which cannot actually prevent issues of scale. Likewise the Google proposal does not include suggestions for scalable technical controls.||5th Cookie dramatically reduces those parties who have access to identifying personal data by (1) limiting the number of parties involved and (2) Pseudonymising the personal data being processed. Pseudonymisation-enabled technical controls can support large-scale, privacy-respectful processing and sharing of personal data.|
|DATA MINIMIZATION/PURPOSE LIMITATION||The current RTB system does not take these objectives into account, and data is being shared in many ways (not limited in scale or by purpose).
Under the GDPR, Data Protection by Design and by Default (Article 25) supports and suggests “appropriate technical and organisational measures, such as Pseudonymisation … designed to implement data-protection principles, such as data minimisation” ...so... “that by default personal data are not made accessible.”
|The Google and IAB proposals do not include suggestions for technical controls to support Data Protection by Design and by Default.||5th Cookie leverages Pseudonymisation-enabled technical controls to support data minimization and data purpose limitation and implement Data Protection by Design and by Default.
Pseudonymisation is explicitly recognized as a recommended safeguard by the GDPR.
|ADVERTISING FRAUD||Advertising fraud is a non-data protection issue. For example a fraudster may create a fake website, and sell the “ad space” on that website (which then goes into the RTB marketplace). When the ad space is purchased, the fraudster then uses bots to create traffic to the ads. But the traffic is not real, and the company placing the ads gets no value from the fake impressions.
To fix problems with advertising fraud, certain aspects of the existing advertising infrastructure needs to be re-wired.
|Google and IAB proposals do not include any specific proposals to deal with advertising fraud issues.||5th Cookie can help to reduce advertising fraud by regularly “refreshing” the micro-segments. This (1) enables the micro-segments used for advertising to remain more timely and accurate and (2) the trusted party(s) managing the 5th Cookie democratic cooperative can include validation codes (v-codes) within the micro-segments. Brands need only pay for valid micro-segment/v-code combinations thereby providing more certainty that payments are for valid advertising.|
|MARKET DOMINANCE||The ICO expressed concern that the RTB and AdTech space is dominated by large tech firms.||Google and IAB proposals do not include any information about solving market dominance issues.||The 5th Cookie “democratic cooperative” can help smaller market players to have access to information on the same terms as the big tech firms.|
|VULNERABILITY OF SMALLER PUBLISHERS||Smaller publishers may not be as “in demand” on the RTB platform, and less able to sell their ad space.||The Google and IAB proposals do not include any accommodation to ensure ongoing access for smaller publishers.||5th Cookie would be an open-market system available to anyone, which can help smaller publishers to compete in the market.|
|PROFILING & AUTO DECISION MAKING||Under GDPR Article 21 and 22, a controller must show that they have satisfied the requirements for Legitimate Interest processing by means of “suitable measures” that protect the rights of data subjects.||Google and IAB proposals do not mention any safeguards for profiling or auto- decision making.||While the 5th Cookie does not solve these issues by itself, it provides additional support for data controllers via Pseudonymisation-enabled technical controls to help satisfy Legitimate Interest processing requirements.|
|TRACKING OF DATA SUBJECTS||An issue with RTB is that data subjects can be tracked by geolocation or behaviour. “Invisible processing, tracking, combination and matching of personal data, and the use of innovative technologies” are all considered to be “high risk” activities requiring a Data Protection Impact Assessment under the GDPR.||The Google and IAB proposals do not include address concerns over the tracking of individual data subjects.||With the 5th Cookie, individuals are not tracked. Only Pseudonymisation-enabled advertising micro-segments are tracked. 5th Cookie also includes the ability to opt-out, which helps to maintain data subject privacy. 5th Cookie reduces the surface area for data misuse and attack.|
|COMBINING AND MATCHING OF DATA||Combining and matching of personal data from multiple sources is viewed as a risk of RTB.||The Google and IAB proposals do not include proposals for addressing concerns about matching personal data from multiple sources.||With 5th Cookie, combining and matching of personal data is only done with Pseudonymous data on a cohort or micro-segment level.
Combining and matching of personally-identifiable data is not done at the individual level.
|USE OF INNOVATIVE TECHNOLOGY||Use of innovative technology is viewed as a risk of RTB by the ICO. This is because innovative technologies may be fast-moving, and may expose privacy risks that have not been carefully considered. Innovative technologies may be useful, but may exceed the boundaries of what should be done with personal data.||The Google and IAB proposals do not include information about reducing risks from innovative technologies.||5th Cookie allows data controllers to counterbalance the risks of using new technology with corresponding protections that embrace Data Protection by Design and by Default to protect the rights of data subjects. This encourages the use of new innovative technologies in a positive ethical and legal way.
Data being shared would be in Pseudonymised micro-segment format which is less intrusive, and creates a buffer between new technologies that collect data and the protection of fundamental rights of data subjects.
|TARGETING & EXCLUSION||The ICO believes Issues need to be resolved at a policy level before technology can solve the problem.||The Google and IAB proposals do not include proposals for resolving issues related to targeting and exclusion.||The 5th Cookie can have a significantly greater positive impact on reducing unintentional targeting and exclusion of data subjects than other current proposals. Data subjects can opt-out of 5th Cookie more easily when they don’t want to be targeted.
Extra protections need to be applied to Special Categories of Data. Member states still need to pass laws on this.
5th Cookie is part of a broader solution.