ICO issues Opinion on data protection for online advertising proposals

The UK authority has published an Opinion setting out its expectations for new advertising technologies (“adtech”).

07 January 2022

Publication

The Opinion acts as guidance to market participants on how they demonstrate compliance with data protection by default and design.

On 25 November 2021, the UK Information Commissioner’s Office (“ICO”) published an Opinion on Data Protection and Privacy Expectations for Online Advertising Proposals. This marks the resumption of the ICO’s investigation in this area since its 2019 report on adtech and real-time bidding.

While addressing new adtech developments since 2019, the Opinion highlights a few data protection misconceptions and outlines the ICO’s expectations that proposed adtech solutions should meet.

Adtech developments

The ICO notes that several adtech developments demonstrate a move away from the use of cookies and similar technologies to track individuals online. Whilst the developments are currently not sufficiently mature to assess in detail, the ICO reiterates that ‘any proposal must offer meaningful choice to users and allow them to decide not to be tracked or profiled.’

In particular, the ICO refers to the Google Privacy Sandbox (“GPS”), which aims to replace the use of third-party cookies with alternative technologies. The ICO comments that the overall ambition of the GPS could bring a positive impact to the privacy scene in online advertising, but reserves any specific judgement before receiving further information on it. However, through the GPS example, the ICO warns that simply removing any cookies from an advertising solution does not bypass privacy concerns. Instead, organisations must take a further step to ensure that the new solution does not ‘introduce additional privacy threat vectors or lead to increased use of fingerprinting or both.’

Data protection misconceptions

The ICO identifies several data protection misconceptions surrounding adtech:

  • First party and third party cookies. The ICO rejects the view that first party cookies are inherently at lower risk of contravening data protection laws. Rather, the focus should be on the circumstances of the data processing, including the nature, likelihood and severity of the risks involved.
  • Purpose limitation. The ICO reiterates that organisations must inform individuals clearly about the purpose of data processing and that if they plan to process the same data for a new purpose, such purpose must be fair, lawful and transparent.
  • Internal disclosure and external data sharing. Data protection law does not automatically enable large corporate entities to have an ‘unfettered ability’ to process personal data throughout their organisation. Organisations may only undertake intra-group sharing of personal data if the disclosure is fair and is compatible with the original purpose.
  • ‘Privacy as a shield’. The ICO warns that large technology platforms must not use privacy as a ‘shield’ to refuse sharing data with other organisations as doing so would be inconsistent with data protection legislation.

ICO’s expectations and recommendations

The ICO sets out the expectation that any adtech solution, proposal or initiative must adhere to the following principles:

  • Data protection by design. The new proposal or design must be built on the basis that individuals’ interests, rights and freedoms are protected.
  • User choice. Individuals must have the ability to choose whether to receive advertisements without tracking, profiling or targeting based on personal data.
  • Accountability. There must be accountability throughout the lifecycle of personal data processing and this must be transparent to the users.
  • Purpose. The new proposal or design must state clearly the purpose for processing personal data and how such purpose is fair, lawful and transparent.
  • Reducing harm. The new proposal or design must aim to reduce existing privacy risks and mitigate any new ones that may arise.

In terms of recommendations, the ICO suggests that organisations:

• Demonstrate and explain the design choices;
• Be fair and transparent about the benefits;
• Minimise data collection and further processing;
• Protect users and give them meaningful control;
• Demonstrate necessity and proportionality;
• Consider the lawfulness of processing, risk assessments and information rights; and
• Address special category data.

Next steps

The Opinion acts as a reminder that data protection by default and design is at the core of any new technological initiatives. Proposals that aim to replace the use of cookies and similar technologies must uphold this notion and apply appropriate standards of data protection.

There will undoubtedly be further developments in this field as the ICO Opinion has the feel of an interim view formed whilst the adtech industry is in a period of change. Moreover, the incoming Information Commissioner taking his place in 2022 is likely to have a focus on areas such as adtech and further guidance or opinions may result that have an impact in this area.
