The ICO Cookies Guidance: can it be adtech practical?

September 5, 2019

Data was once thought to be the new digital oil, but the recent fines proposed by the ICO on BA and Marriott may be turning that promise of riches into a toxic liability. While those fines arose out of financial data hacks, other recent activity by the ICO may have a similar effect on the Adtech industry. In June and July, the ICO published two new papers that have given those in the industry much pause for thought.

These publications are:

[1] ICO’s Update Report into AdTech and Real Time Bidding (“AdTech Report”); and

[2] ICO’s Guidance Note on the Use of Cookies and Other Similar Technologies (“Cookies GN”).

The ICO has made a good attempt to tackle a complex area in a concise manner and to provide a set of guiding dos and don’ts for website and app publishers. However, as is often the case in law, the complex practicalities bite when one attempts to apply these to the mechanics of the operational platforms running the industry, and this may well leave industry participants second-guessing what is required. Adtech participants have argued that the guidance is a heavy-handed approach which will disadvantage and disincentivise many online publishers who provide free content. It may also (unnecessarily?) prompt industry consolidation and a re-defining of online services to meet these compliance concerns.

Although the ICO indicates ongoing dialogue with the industry, further industry debate is necessary to inform the ICO’s future position. To this end, I have identified four key concerns with the ICO’s position, and some questions arising from those concerns, focusing on the commercial impacts and adtech operational compliance limitations. I also make some suggestions to help move the debate forward.

This debate is not restricted to adtech: it has ramifications for the wider digital industry, including the “Internet of Things” market (such as smart TVs and wearable technology), and will help shape the proposed new E-Privacy Regulation by the EU. Alongside the ICO activity, the CMA has raised compliance concerns with the adtech market with its recent launch of an investigation into online advertising (July 2019), which includes the possibility of imposing a block on technology giants sharing user data between apps. This follows moves by the US regulator towards similar action.

THE DOs and DON’Ts

[1] Don’t rely on implied consent or legitimate interest. Do get GDPR consent.

In its Cookies GN, the ICO prohibits two practices that may be used in the adtech industry for the basis of processing data:

[i] post GDPR, reliance on a user’s implied consent via a cookie banner is no longer viable. Any consent from a user needs to be a “freely given, specific, informed and unambiguous indication” that is communicated by a “statement or by a clear affirmative action;” and

[ii] legitimate interest is not a lawful basis to process information obtained directly from a cookie under the relevant Privacy and Electronic Communications Regulations (PECR).

The Cookies GN also highlights some current practices that do not satisfy consent under GDPR in the context of adtech. These include the following:

  • using pre-ticked boxes, which in turn means default settings for non-essential cookies (in the CMP) cannot be switched on,
  • relying on a user’s continuation of the use of a website as a form of affirmative action consent,
  • denying access to a website (via a cookie wall) if affirmative action is not given, that is if a user does not engage with your CMP,
  • using a single “I accept” dial for all cookies is unlikely to be acceptable where this cannot practically provide sufficient details of the third parties this relates to (see also below), and
  • emphasising “agree” or “allow” over “reject” or “block” in your consent mechanism is not a compliant approach.

Many industry participants would argue that this is an onerous approach. The banning of non-essential cookies on the landing page (unless the user has affirmed their consent) would, on its own, be a substantial blow to the revenue-generation for many publishers if inventory is sold on the basis of contextual advertising only without allowance for frequency capping. In my experience, most users would not spare the time to positively affirm their initial consent for their data collection, particularly given the heightened anxiety caused by recent data scandals affecting big online participants.

If this isn’t enough, the ICO highlights the following additional restraints on practice:

  • “the processing of personal data that follows (or depends on) the setting of cookies is highly likely to require consent as its lawful basis;”
  • “in most circumstances, legitimate interests is not considered to be an appropriate lawful basis for the processing of personal data in connection with profiling and targeted advertising;” and
  • analytical cookies (as well as advertising cookies) do not (generally) fall within the “strictly necessary” exemption under PECR.

Many industry participants may understandably see the above as a straitjacket that would make it difficult to generate revenue sustainably. It must be remembered that revenue generation in adtech is a high-volume turnover model where CPM rates are continually under competitive pressure, and the vast data-profile sharing that takes place behind the scenes is vital for sustainable revenue generation. It is noteworthy here that Vectaury (a small French mobile adtech player), which was disciplined by the CNIL (the French data regulator) in November 2018 for a GDPR breach involving its CMP, had a turnover of only Euro 3.5m on the back of data collected on 67.6 million users from more than 32,000 apps.

It is also noteworthy that a similar approach is being adopted by data regulators in non-adtech industries. In July 2019, the Dutch Data Protection Authority sent a letter to the Dutch Banking Association which requires banks to reconsider any plans they may have to use personal data obtained from transactional data for direct marketing purposes without the user’s consent.

Q: can performance of contractual service provide a legitimate basis?

If obtaining consent via the CMP proves too onerous, could contract performance be an alternative legal basis for subsequent cookie data processing? Let’s imagine a device user entered into a contract for the receipt of points (say, points that can be accumulated and used towards spending in a games app or to access premium content) in consideration for the collection and processing of that user’s data. Could this arguably satisfy the requirement of being “strictly necessary for the provision of an information society service” as required under PECR, akin to the online buying of a good? In this context, the processing of data gleaned from advertising and analytical cookies (although not strictly necessary to the generation of revenue by the publisher) is arguably necessary to give the subscriber the service option of collecting points to purchase services/goods online without the use of cash, with the added benefit of minimising the processing of the user’s financial details.

Perhaps this is Facebook’s motive driving its recent Libra currency proposal and its support for stricter data privacy regulation. Such a model would conveniently provide the FAGAs a stronger barrier to entry against less established market players.

Q: is legitimate Interest completely a “no-go” zone? What about a soft opt-in?

The ICO does mention a limited “back door” to the use of the legitimate interest basis if a publisher implements conditional access via a cookie wall; however, this back door does not apply to third parties such as online advertisers. It would be helpful if the ICO could clarify to what extent legitimate interest could ever be used as a basis for processing data in adtech, particularly given that the IAB contemplates legitimate interest as a basis for processing data in its latest draft update of the Transparency and Consent Framework Policies.

Would the ICO accommodate the notion of a soft opt-in (similar to that provided for in PECR Regulation 22 in the context of electronic mail marketing)? Could a publisher argue that the average user is sufficiently tech savvy to expect that their information – after it has been transferred from the cookie or pixel and further processed in an off-device setting – will be used for advertising purposes to provide free content? Of course, this would assume that the requisite “clear and comprehensive information” and an option to opt-out is provided. Would an interactive ad icon that provides an opt-out mechanism for each ad, such as the IAB’s OBA icon, fulfill this purpose?

This argument makes further sense if we appreciate that certain data identifiers have, like cookies, a degradable life value, are not static, and require ongoing syncing via look-up tables across various ad network platforms.

[2] Don’t just use long lists of partners. Do give “clear and comprehensive information” including references to social media presence

The ICO makes clear that the requirement to give “clear and comprehensive information” also applies to third party cookies and similar technologies incorporated in a publisher’s service, such as pixels and web beacons from social media platforms. The ICO goes further to state that a publisher’s privacy notice must also include references to any of its social media presences and how users are able to control the setting of non-essential cookies once they navigate away from the publisher’s site. For large scale publishers with a wide online presence or complex ecosystem, this may well be an onerous task.

Although a device user would understandably agree with the ICO’s view that the complexity of adtech should not exempt controllers from GDPR disclosure obligations, such a blunt requirement does raise practical questions for both the user and publisher.

Q: what if this causes click-through fatigue? To what extent can proportionality be adopted?

ICO guidance as to the type and level of information required would be useful here. Specifically, to what extent can the “disproportionate effort” relief in the GDPR disclosure requirements apply in the context of online advertising? Given that AI algorithms are used in adtech, it would also be helpful for the ICO to clarify its view on whether GDPR Article 22 (concerning automated decision-making including profiling) applies to adtech, which in turn would trigger further related disclosure.

This is pertinent because explaining the complexity of adtech would arguably overwhelm most device users and have the counter-intuitive consequence of encouraging “click-through fatigue”, where the user doesn’t bother to engage with the CMP/privacy notice banner. The ICO needs to be cognisant of the web user’s growing “notice fatigue”: the average user visiting several sites a day would have neither the time nor the patience to engage with each site’s CMP, read its often lengthy privacy notice and take in the notices of all related third parties. Where these hurdles result in click-through fatigue, the result counter-intuitively undermines the purpose of the transparency protection. If that is the case, does it matter what controls or information are provided by the CMP to the user?

Q: What about a guiding template or a certification scheme?

The ICO’s reference to the use of categorical information as being acceptable is helpful. More helpful would be example templates similar to the examples provided by the ICO in its previous cookies guidance note dated 2012 or, alternatively, endorsement of the IAB’s Transparency & Consent Framework Policies (subject to any further modifications that the ICO sees necessary).

Perhaps a more effective and user-friendly approach would be the adoption of a certification scheme as contemplated by GDPR Articles 42 to 43. (As at the date of this paper, these do not formally exist although the ICO does indicate on its site that it intends to progress work in this area over the summer and autumn of 2019.)

[3] Do be clear if the third party is a controller and about what it does with user data

According to the ICO in its Adtech Report, many RTB participants define themselves as data controllers. Also, the Cookies GN states the ICO’s view that when a publisher site cross-links to a presence on a social media platform that sets additional cookies, in order to generate user data to send back to the publisher, then the publisher and social media platform are joint data controllers for this activity. On the other hand, the major player in the sector, Google, has already established itself as an independent controller of the publisher’s data in the context of its Ad Manager product but as a data processor for other products.

Q: Is the third party always a controller? What about the new data-matching frontier?

The complexity of the adtech ecosystem understandably creates many shades of grey when it comes to who is the controller and who the processor: it is an issue that continues to vex the industry. Indeed the ICO Adtech Report finds that “it is unclear whether organisations that participate in the RTB frameworks fully understand how they function in general or how the processing of personal data works.”

It would be helpful for the ICO to provide its views as to the specific application of the “purpose and means” litmus test in the adtech ecosystem to assist in the determination of how platforms with varying processing functionality would be a processor and/or controller in different situations. This is particularly pertinent in the context of off-line data matching projects which are the new frontier in targeted advertising.

[4] Don’t rely on contractual enforcement only. Do assessments and monitoring

The ICO’s concern with the industry’s reliance on contractual protection is a growing theme in data protection and echoes recent concerns raised in both the French CNIL’s enforcement in the Vectaury case (mentioned above), and the ICO’s recent fine against Smart Home Protection for its lack of due diligence on the subscriber data provided by a third party (June 2019).

This concern is understandable, and one can envisage how such a requirement would apply to a static operational set-up. However, it does not easily apply to an ever-changing dynamic operation, where ad pixels fire back and forth, on a real-time basis (literally in milliseconds), to and from various servers that change each time an ad is loaded on a site/app and when that site/app is called up on a user’s device. The current technology to monitor and audit the paths of all such pixels (which carry user information) is still in its infancy, and the costs of implementation (if such technology sufficiently exists) would further impact the revenue model. As the IAB notes, it is not feasible for millions of websites and apps to be individually vetted by thousands of technology partners. Further, think about the non-contractual measures that would suffice or would be practical in the context of a dominant market adtech player (like Google), which has millions of customers, or in a complex ecosystem where data is shared by a publisher with hundreds of participants at any one time.

Q: What about a third party compliance report or a certification scheme?

Would third party audit reports (such as those certifying compliance with ISO standards and widely used in the IT industry now for security assurances) suffice? This reiterates the call for certification schemes that could helpfully simplify compliance requirements without compromising user protection. The IAB takes “reasonable steps to vet and approve” applications by potential vendors and CMPs who apply for participation in its Framework: could this approach serve as a starting point here?

BUT the ICO will be proportionate in their response … the Dos a publisher can do now

Thankfully, the ICO indicates it will take a proportionate response in any formal action and acknowledges that not all cookie tracking is necessarily intrusive or high risk: the right to the protection of personal data has to be balanced against other rights, such as the freedom to conduct a business. Hamstringing the adtech industry would dry up the funds for many online services that are provided free today. Users are always making trade-offs, and there is little evidence that they are flocking in droves to the paid-for, ad-free versions where these exist.

The Cookies GN provides some helpful measures that publisher-controllers can adopt in the interim to be less data intrusive. These include:

[i] where possible or practical, use session cookies and first party cookies. Further, ensure that the life of a persistent cookie is proportionate to its intended use;

[ii] before incorporating a third-party cookie, give consideration to whether the CMP allows the user to control the setting of the cookie. If not, the ICO makes it clear that this would not be compliant with PECR;

[iii] undertake a data protection impact assessment and use this to inform how to simplify and reduce the number of participants in the ecosystem to reduce the disproportionate and intrusive sharing of data;

[iv] use platforms that maximise the control of data fields and confine the data fields processed to those that are reasonably necessary to achieve the intended outcome; and

[v] as to special category data, if the controller cannot collect explicit consent for this (which is very difficult to do in adtech), then do not process this data as it would be in breach of GDPR.
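As an added illustration of measures [i] and [ii] above (this is example code written for this page, not code from the article, the ICO or any CMP vendor), the following JavaScript helper gates cookie setting on an explicit consent record: non-essential purposes default to off, silence or continued browsing never switches a purpose on, strictly necessary cookies are issued as session cookies, and a persistent cookie's Max-Age is capped at an assumed per-purpose ceiling so its life stays proportionate to its use. The purpose names, the lifetime caps and the Secure/SameSite attributes are assumptions chosen for illustration.

```javascript
// Consent-gated cookie helper (added example, not from the article or the ICO guidance).
// The consent record shape, purpose names and lifetime caps below are assumptions.

const PURPOSES = ["essential", "analytics", "advertising"];

// No pre-ticked boxes: every non-essential purpose starts switched off.
function defaultConsent() {
  return { essential: true, analytics: false, advertising: false };
}

// Record only an explicit boolean `true` from the CMP's controls. Anything else
// (undefined, "user kept browsing", a non-boolean value) leaves the purpose off,
// so implied consent is never inferred from inactivity.
function recordConsent(choices) {
  const consent = defaultConsent();
  for (const purpose of PURPOSES) {
    if (purpose === "essential") continue; // strictly necessary: no consent needed under PECR
    if (choices[purpose] === true) consent[purpose] = true;
  }
  return consent;
}

// Assumed upper bound (seconds) on a persistent cookie's lifetime per purpose.
// The article's point is only that lifetime should be proportionate to purpose;
// the exact figures here are illustrative, not from the guidance.
const MAX_AGE_SECONDS = {
  essential: 24 * 3600,        // e.g. a login session, a day at most
  analytics: 30 * 24 * 3600,   // 30 days
  advertising: 90 * 24 * 3600, // 90 days
};

// Build a cookie string suitable for document.cookie or a Set-Cookie header, or
// return null when the cookie's purpose has not been explicitly consented to.
// Omit maxAgeSeconds to get a session cookie (no Max-Age, dies with the browser session).
function buildCookie({ name, value, purpose, maxAgeSeconds }, consent) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (!consent[purpose]) return null; // third-party/non-essential cookie blocked until consent given
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (maxAgeSeconds !== undefined) {
    // Cap the requested lifetime so it cannot exceed the purpose's ceiling.
    const capped = Math.min(maxAgeSeconds, MAX_AGE_SECONDS[purpose]);
    parts.push(`Max-Age=${capped}`);
  }
  return parts.join("; ");
}

// Illustrative run: a user who only ticked "analytics".
const consent = recordConsent({ analytics: true });
console.log(buildCookie({ name: "sid", value: "abc123", purpose: "essential" }, consent));
console.log(buildCookie({ name: "_ga", value: "GA1.2.1", purpose: "analytics", maxAgeSeconds: 2 * 365 * 24 * 3600 }, consent));
console.log(buildCookie({ name: "adid", value: "xyz", purpose: "advertising", maxAgeSeconds: 3600 }, consent));
```

The helper is deliberately tiny: the compliance-relevant decisions (default off, explicit consent only, bounded lifetime) are concentrated in three functions, so a publisher can review them in isolation rather than auditing every place a cookie is set.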

————————–

Lori Semaan is a lawyer specialising in TMT and related privacy law.

* The commentary in this paper represents my independent views and does not reflect the views of any client/employer I may have worked with. The contents of this article do not constitute, and should not be relied upon for, legal advice and are provided for the purposes of industry discussion.

Copyright © 2019, Lori Semaan. All rights reserved.

——————————

Notes & references

  1. https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
  2. https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf
  3. The new Regulation (expected to be finalised and enacted in late 2020/2021) will replace the existing ePrivacy and Electronic Communications Directive 2002.
  4. As per GDPR Art 4(11)
  5. This draft is for version 2 of the Transparency and Consent Framework Policies. See www.iabeurope.eu/tcf