Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

New York

Washington, D.C.

core/separator

core/heading

core/list

Organizations may rely upon real-time bidding (RTB) for several reasons: to advertise their goods and services to new audiences at a lower cost than traditional advertising campaigns, to more precisely target potential customers who are most relevant to their area of business, or to more adequately measure the success of their products and sales techniques. In fact, according to some estimates, U.S. organizations spent almost $24 billion on advertisements using RTB in 2018, which is more than three times the amount spent just four years earlier.

contentpilot/introduction

However, the use of RTB raises data privacy and security concerns, and its practice has been the subject of formal complaints lodged with and ongoing investigations by several EU data protection authorities. The UK’s Information Commissioner’s Office (ICO) recently stated that current RTB practices are “disproportionate, intrusive, and unfair.” The statement was made in a recent <a href="https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf" target="_blank" rel="noopener">report</a> the ICO issued regarding RTB’s impact in terms of compliance with the EU General Data Protection Regulation (GDPR).

core/paragraph

However, the ICO’s findings have broader applicability to U.S. organizations seeking to comply with a range of foreign and domestic data protection laws, including the California Consumer Privacy Act (CCPA). Most importantly, the ICO’s findings address consent and lawful data processing, transparency and data privacy notices, and vendor management and third-party contracting.

RTB often refers to the automated process triggered when an individual accesses a website or an online application and a range of user data, including personally identifying information, is broadcasted to (possibly) thousands of organizations as part of an auction process. More specifically, an organization operating a website or an online application (i.e., the “publisher”) can use cookies and similar technologies to collect information about a user accessing its website/platform and consolidate this data into a “bid request” that is transmitted into the RTB ecosystem. Once in the RTB ecosystem, advertisers can engage in a real-time auction enabling the auction winner to insert an ad on the publisher’s website or online application. This entire process takes place in just milliseconds, usually within the time it takes a website page to load for the user.

According to the ICO, most bid requests include (but are not limited to) the following types of data:

The ICO noted that some bid requests contain information on the user’s website history, use of the current website or application, search queries, session time and demographic data. It also found that the underlying RTB protocols relate to categories of data that are deemed “special” under the GDPR because of their sensitivity (e.g., mental and sexual health, politics, ethnicity). Generally, an advertiser will pay a publisher more for a bid request with greater specificity and detail because it will enable the advertiser to more accurately target an advertisement, especially if it supplements such a bid request with information from other sources.

According to the ICO, some of the information collected and disclosed as part of the RTB process may constitute “personal data,” as defined by the GDPR, and the use of cookies and similar technology is regulated by the UK’s Privacy and Electronic Communications Regulations (PECR) 2003, which implements European Directive 2002/58/EC (also known as the “e-privacy Directive”). As noted above, there are three aspects of the ICO’s report that are relevant to any organization seeking to comply with data protection laws and industry standards: consent and lawful data processing, transparency and data privacy notices, and vendor management and third-party contracting.

A cornerstone of the GDPR is that organizations are required to identify a lawful basis for their data processing activities, and it sets forth six such bases for processing personal data. When processing “special categories” of personal data, organizations have to account for additional requirements set forth under the law. The ICO reported a “lack of clarity” regarding the appropriate lawful basis an organization should rely on to undertake its data processing when it pertains to RTB. In short, the ICO concluded that in order to account for both (i) the processing of general and special categories of personal data under the GDPR, and (ii) cookie and similar data under the PECR, the “only lawful basis for ‘business as usual’ RTB processing of personal data is consent.” This conclusion is significant because it rebuts the argument that organizations can rely on the GDPR’s “legitimate interest” legal basis for data processing, which arguably has a lower threshold than obtaining an individual’s consent.

In addition to its impact on organizations under the GDPR, the ICO report highlights the importance that consent may have on organizations’ compliance with other data protection laws. For instance, in the United States, the Children’s Online Privacy Protection Act (COPPA) requires organizations to obtain parental consent before collecting some types of information from children under the age of 13, and the CCPA (as currently written) requires covered businesses to obtain similar consent prior to selling children’s personal information and prohibits such businesses from entering “consumers” into their financial incentive programs unless the “consumer gives the business prior opt-in consent … which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.” The Illinois Biometric Information Privacy Act (BIPA) requires organizations to obtain consent when collecting or disclosing individuals’ biometric information. In addition, the Federal Trade Commission has issued recommendations that organizations provide consumers with notice and obtain their affirmative consent before using data in a way that is materially different than claimed when collected.

The ICO report raises concerns about how the principle of transparency is addressed in the RTB context. The GDPR mandates organizations to process personal data in a “transparent manner,” which, accordingly, requires organizations to provide individuals with notice of their data processing activities. More specifically, Article 13 of the GDPR requires that at the time personal data is obtained, an organization must provide the individual whose personal data is being disclosed with a broad range of information, such as:

Article 14 of the GDPR sets forth similar requirements in the context of when an organization collects personal data from a third party (and not the individuals themselves). Recital 39 of the GDPR explains that “[t]he principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used” and individuals “should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data.” The ICO report is critical of the manner in which organizations address these transparency-related issues in the RTB process. In particular, the ICO report raises concerns that publishers cannot always identify the third parties with whom they share personal data and the nature in which personal data is consistently augmented, both within and outside of the RTB process.

The issue of transparency is a hallmark of many data protection laws, including those in the United States. For example, in addition to COPPA, there are federal laws governing the healthcare sector and financial institutions that mandate the issuance of data privacy notices and statements akin to Articles 13 and 14 of the GDPR. Several U.S. state laws have notice or similar policy requirements related to the collection and use of Social Security numbers, as does BIPA in the context of collecting and using biometric data. Under current California law, certain websites or online service providers that collect personally identifiable information on California residents who access their site or online services must “conspicuously post” a privacy policy containing certain background information on the organizations’ data practices, and the CCPA, which will go into effect in early 2020, will expand this privacy notice requirement in a manner that is even more analogous to the GDPR.

Vendor Management and Third-Party Contracting

The ICO report notes that a single RTB request can result in an individual’s personal data being processed by hundreds of organizations that have no direct relationship with that individual. The nature of the processing in the RTB ecosystem leads to the risk of “data leakage,” which the ICO defines as the circumstances “where data is either unintentionally shared or used in unintended ways.” The ICO report also raises concerns that under such circumstances, there usually are no robust guarantees or technical controls between all the parties to mitigate the risk of a data leakage. Although contractual terms are an important part of data processing between parties, the ICO emphasizes that organizations “cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring technical and organizational controls back up those terms.”

The ICO raises three important points that all organizations should consider incorporating into their own vendor management process that involves the exchange or processing of personal data, confidential information or other sensitive business data. First, assess whether vendors have the competency to process this information in accordance with the law and industry standards. Second, prior to any exchange of data, a written contract should be executed that memorializes the vendor’s security standards; data assistance, confidentiality and breach notification requirements; and liability and remedies. Third, depending on the nature of the processing, the organization should provide meaningful oversight of the vendor to ensure its ongoing compliance with the contract. Given the degree to which organizations routinely disclose personal data, confidential information and other sensitive data with external entities, a vendor management contracting process has become a standard business practice.

The ICO report raises several data privacy issues in the RTB context that transcend the GDPR and provide insights into complying with multiple data protection laws. For example, it is important for an organization to fully understand the type, nature and scope of data it collects as part of its routine business practices – from cookie data on its website users to general personal information on its rewards program members – to truly recognize its legal obligations related to such data processing, which may include requesting and obtaining an individual’s consent.

Moreover, an organization should assess whether its data privacy policies and notices accurately reflect its current practices and legal obligations. Of particular importance, a data privacy policy should address how data practices operate, provide individuals with notice of their data processing choices and options, disclose to whom personal data is disclosed, and identify the sources from which such data is obtained, especially if the source is not the individual whose personal data is being processed.

An organization should also be cognizant of its third-party and vendor management contracting to mitigate the risk of data leakage by ensuring proper technical controls are in place amongst the parties. Not only does third-party contracting protect personal data rights, it protects a business’s interests and can mitigate legal liability.

Thomas F. Zych 216.566.5605 <a title="Email" href="mailto:Tom.Zych@ThompsonHine.com">Tom.Zych@ThompsonHine.com</a>

Steven G. Stransky 202.263.4126 216.566.5646 <a title="Email" href="mailto:Steve.Stransky@ThompsonHine.com">Steve.Stransky@ThompsonHine.com</a>

Mona Adabi 202.263.4147 <a title="Email" href="mailto:Mona.Adabi@ThompsonHine.com">Mona.Adabi@ThompsonHine.com</a>

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Privacy__Cybersecurity_Update_-_Applying_EU_Guidance_on_Real_Time_Bidding_Beyond_the_GDPR.pdf

Applying EU Guidance on Real-Time Bidding Beyond the GDPR

Services