Online advertising – or “adtech”, as it is often referred to – does not mix well with many privacy laws, beginning with the GDPR. In recent years since GDPR went into effect, privacy advocates have increased their demands on EU regulators to more deeply scrutinize targeting practices and how data is shared within the advertising ecosystem, in particular when it comes to real-time bidding (RTB). Complaints have been filed by many privacy-minded organizations, and all of them allege that, by its very nature, RTB constitutes a “wide-scale and systemic” breach of Europe’s privacy laws. This is because RTB relies on the massive collection, accumulation and dissemination of detailed behavioral data about individuals who use the internet.
By way of background, RTB is a millisecond bidding process between various participants, including advertising tech supply exchanges, websites and advertisers. As Dr. Johnny Ryan, one of the leaders in the fight against behavioral advertising, explains it here, “every time a person loads a page on a website that uses [RTB], personal data about them are broadcast to tens – or hundreds – of companies.” So how does it work? When an individual visits a platform that uses tracking technologies (e.g., cookies, SDKs) for behavioral advertising, it triggers a bid request that can include different types of personal information, such as location information, demographic information, browsing history, and of course the page being loaded. During this near-instantaneous process, the participants exchange the personal data through a vast chain of companies in the adtech space: a request is sent through the advertising ecosystem from the publisher – the operator of the site – to an ad exchange, to multiple advertisers who automatically submit bids to serve an ad, and along the way, others also process the information. This all goes on behind the scenes, such that when you open a webpage, for instance, a new ad that is specifically targeted to your interests and past behavior appears from the highest bidder. In other words, lots of data is seen – and aggregated – by lots of companies. To some, the types of personal information may seem quite “benign”, and yet given the massive underlying profiling, it means that all of these players in the supply chain have access to loads of information on each of us.
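To make the bid-request description above concrete from a privacy-review angle, here is an added example (not code from the original post or from any adtech vendor) that inspects a bid request before it leaves the publisher, lists the personal-data fields it carries, flags contextual fields that would reveal sexual orientation, and strips everything the user has not consented to. The request layout is a constructed, simplified stand-in loosely modelled on OpenRTB naming (`device.geo`, `user.gender`, `site.page`, `app.keywords`); the field-to-category table, the keyword list and the sample request are this example's own assumptions, not an authoritative specification.

```python
"""Privacy review of an outgoing bid request (added example, constructed data).

Layout is a simplified stand-in loosely modelled on OpenRTB field names; the
category table and keyword list below are assumptions made for illustration.
"""
import copy
import re
from typing import Any

# Contextual terms that, per the post, reveal sexual orientation (special-category
# data under GDPR). Constructed list for the example.
SENSITIVE_KEYWORDS = {"gay", "bi", "trans", "queer", "lgbtq"}

# Dotted path in the request -> kind of personal data the post says RTB carries.
PERSONAL_DATA_PATHS = {
    "device.geo": "location",
    "device.ip": "location",          # IP addresses are routinely geolocated
    "user.gender": "demographic",
    "user.yob": "demographic",
    "site.page": "page being loaded",
    "site.ref": "browsing history",
    "app.name": "app name (context)",
    "app.keywords": "keywords (context)",
}

# Fields whose text content is checked for special-category signals.
CONTEXT_PATHS = ("app.name", "app.keywords", "site.page")


def _lookup(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def review_bid_request(req: dict) -> dict:
    """Report personal-data fields present and any special-category signals.

    Returns {"personal": {path: category}, "special_category": [reason, ...]}.
    """
    present = {p: cat for p, cat in PERSONAL_DATA_PATHS.items()
               if _lookup(req, p) is not None}
    special = []
    for path in CONTEXT_PATHS:
        value = _lookup(req, path)
        if value is None:
            continue
        words = set(re.findall(r"[a-z]+", str(value).lower()))
        hits = sorted(words & SENSITIVE_KEYWORDS)
        if hits:
            special.append(f"{path} reveals sexual orientation: {hits}")
    return {"personal": present, "special_category": special}


def minimise(req: dict, allow: set) -> dict:
    """Return a copy of req with every known personal-data path removed unless
    it is in `allow` (the set of paths the user has validly consented to)."""
    out = copy.deepcopy(req)
    for path in PERSONAL_DATA_PATHS:
        if path in allow:
            continue
        *parent_parts, leaf = path.split(".")
        parent = _lookup(out, ".".join(parent_parts)) if parent_parts else out
        if isinstance(parent, dict):
            parent.pop(leaf, None)
    return out


# Constructed sample request: a dating app tagged with the keywords named in the
# post, plus location and demographic fields. Not a captured real request.
SAMPLE_REQUEST = {
    "id": "req-example-1",
    "app": {"name": "example dating app", "keywords": "gay,bi,trans,queer"},
    "device": {"ip": "203.0.113.7", "geo": {"lat": 59.91, "lon": 10.75}},
    "user": {"gender": "M", "yob": 1990},
}

if __name__ == "__main__":
    report = review_bid_request(SAMPLE_REQUEST)
    for path, cat in report["personal"].items():
        print(f"personal data: {path:14} -> {cat}")
    for reason in report["special_category"]:
        print(f"SPECIAL CATEGORY: {reason}")
    # Without consent to anything but the app name, this is what may leave.
    print("minimised:", minimise(SAMPLE_REQUEST, allow={"app.name"}))
```

The point of the `minimise` step is that consent, where it is the legal basis, has to be reflected in what is actually transmitted: a consent banner that is not wired to the request builder changes nothing downstream. In a real integration the `allow` set would come from the stored consent record for that user, and the keyword list would be maintained as part of the DPIA rather than hard-coded.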
It seems that EU regulators are finally waking up, if only after the many complaints lodged with respect to RTB, and this should also serve as a wake-up call for companies that rely on it. The Grindr decision is a significant blow to a U.S. company and to the ad monetization industry, and is certain to have significant consequences.
Below are several high-level takeaways from the Norwegian DPA’s lengthy decision:
- Grindr shared user data with a number of third parties without asserting the proper legal basis.
- For behavioral advertising, Grindr needed consent to share personal data, but Grindr’s consent “mechanisms” were not valid by GDPR standards. Moreover, Grindr shared personal data linked to the app name (i.e., tailored to the LGBTQ community) or the keywords “gay, bi, trans and queer” – and as such revealed sexual orientation of the individuals, which is a special category of data requiring explicit consent under GDPR.
- How personal data was shared by Grindr for advertising was not properly communicated to users, and the information given was insufficient because users could not realistically understand how their data would be used by adtech partners and passed on through the supply chain.
- It also raised the issue of the controller relationship between Grindr and these adtech partners, and called into question the validity of the IAB framework (which does not come as a surprise).
As the data controller, a publisher is responsible for the lawfulness of the processing and for making proper disclosures, as well as for obtaining valid consent – by strict GDPR standards – from users where it is required (e.g., behavioral advertising). Although implementing proper consent and disclosures is challenging when it comes to behavioral advertising because of its very nature, controllers that engage in behavioral advertising should consider taking some of the following actions:
- Review all consent flows and specifically add a separate consent box that explains advertising activities and links back to the specific privacy notice section on marketing and advertising.
- Review all partner relationships to confirm what data they collect and make sure it is accounted for in a formal record of processing activities.
- Adjust language in their privacy notices, in order to be clearer about what is being done and refrain from taking the “we are not responsible for what our ad partners do with your personal data” approach.
- Perform a DPIA – we would also stress that location data and sensitive data should be a particular area of focus.
- Reassess the nature of the relationship with adtech partners. This was recently addressed by the EDPB – specifically joint controllership.