Train or Ship: UK Information Commissioner’s Office issues new opinion on Adtech initiatives | Fox Rothschild LLP
What does the UK Information Commissioner’s Office have to say about what it takes to make adtech initiatives data protection compliant?
“There is an opportunity for market players to move towards developing solutions that incorporate key data protection compliance considerations. They should also place the interests, rights and freedoms of individuals at the heart of their design,” the UK ICO said in a new notice.
Here are some key points:
- New initiatives in adtech must address the risks posed by adtech and take into account data protection requirements from the outset.
- Any proposal which has the effect of maintaining or reproducing existing monitoring practices is not an acceptable response to the significant data protection risks that the Commissioner has already described.
Adtech proposals must:
- integrate default data protection requirements into the design of the initiative,
- offer users the choice of receiving advertisements without tracking, profiling or targeting based on personal data; market participants must demonstrate high confidentiality and no default tracking options, and show how user choice can be exercised throughout the data lifecycle,
- be transparent about how and why personal data is processed across the ecosystem and who is responsible for this processing,
- articulate the specific purposes of the processing of personal data and demonstrate how it is fair, lawful and transparent,
- address existing privacy risks and mitigate any new privacy risks their proposal introduces.
To be compliant, new initiatives must:
- move away from current online tracking methods and profiling practices,
- improve transparency for individuals and organizations,
- reduce existing friction in the online experience,
- provide individuals with meaningful control and choice over the handling of device information and personal data,
- ensure that valid consent is obtained, if applicable,
- ensure that there is demonstrable accountability throughout the supply chain.
Organizations must demonstrate that the new approaches do not introduce additional privacy threat vectors, result in increased use of fingerprinting, or both.
About online tracking:
- Online tracking may involve many types of processing operations defined in data protection law, depending on the circumstances.
- Online tracking can therefore be considered as processing activities that involve monitoring the actions of individuals, especially over a period of time (including the behavior, location or movements of individuals and their devices), in particular to: build profiles concerning them; take actions or decisions affecting them; offer them goods and services; evaluate the effectiveness of the services they use; and analyze or predict their personal preferences, behaviors and attitudes.
- Aside from the PECR, neither the balancing test nor a compatibility assessment would allow processing to be fair and lawful without consent. This is due to the nature, scope, context and purposes of these processing activities, as well as the risks they present to rights and freedoms.
- Organizations should not assume that there are no requirements for compliance with PECR or data protection law just because third-party cookies (TPCs) are removed (or because they are not already using them for any purpose).
First party data is not inherently lower risk than third party data:
- Certain uses of first-party cookies may be considered to pose a lower risk to privacy (for example, the concept of “first party analytics”). However, this is not a general rule and does not necessarily apply only to first-party cookies. The risks ultimately depend on the nature, scope, context and purposes of the processing and the way in which it is implemented.
- Regardless of the categorization of personal data by an organization, processing must be carried out in accordance with the law.
- What is relevant for data protection purposes is: (1) whether the data is personal data; (2) the body or bodies responsible for determining the purposes and means of processing and for demonstrating compliance; and (3) if the processing involves disclosure to other organizations, clarify who they are, their roles and responsibilities, and how they will treat the data in accordance with the law after receiving it.
- Likewise, what is relevant for the purposes of PECR (ePrivacy) is: (1) who is responsible for processing information on terminal equipment; and (2) the purposes for which they wish to process it.
- Data protection law imposes obligations on the entity or entities that determine the purposes and means of processing personal data. The entity responsible for these decisions is the controller. This is the case regardless of: (1) where the controller obtains the personal data (i.e. directly from an individual or elsewhere); and (2) whether the controller is a large technology platform with multiple departments, or a single organization that seeks to share personal data with other organizations.
- Emphasis should be placed on the nature of the risks involved, as well as their likelihood and severity.
Data sharing by large companies
- Data protection law does not automatically allow platforms to track individuals across multiple services indefinitely, or otherwise use personal data in a way that smaller market players might not be able to.
- Although legitimate interests are the most flexible legal basis for processing, organizations cannot assume that it is the most appropriate. If they are based on legitimate interests, they take on an additional responsibility to consider and protect the rights and interests of individuals.
- Organizations may be able to process data as part of intragroup transmission or sharing with other organizations if the disclosure is fair and consistent with the original purpose. The disclosing entity must justify the disclosure. The receiving entity must justify its own processing, taking into account the way in which it received the data. However, data cannot be transmitted for a new purpose – internal or external – if this would be incompatible with the original purpose, given the circumstances.
- The interpretive guidance in the recitals of the UK GDPR regarding intragroup transmission for internal administrative purposes does not mean that an organization can always rely on legitimate interests for this type of processing.
- The Commissioner addressed the TCF in depth in the 2019 report, noting that it was insufficient to ensure transparency, fair treatment or free and informed consent. There were also concerns arising from a lack of clarity on how compliance was monitored and a reliance on contractual controls.
- Subsequent iterations of the TCF and its use by publishers did not significantly address these issues.
On GPC (Global Privacy Control):
- GPC’s draft specification states that it is intended to convey a “general request” regarding the sale or sharing of personal data, but “is not intended to withdraw a user’s consent to local storage in accordance with the ePrivacy directive […] nor is it intended to oppose direct marketing by virtue of a legitimate interest.”
- As such, the GPC does not currently appear to offer a means by which user preferences can be expressed in a way that fully aligns with UK data protection requirements.
On solutions based on identifiers:
- In general, these solutions do not respond to the issues raised in the 2019 report concerning transparency, control, consent or accountability.
- They also introduce a more fundamental question as to whether it is necessary, proportionate or fair for individuals to have to provide their personal data in the first place. This is particularly the case if solutions based on identifiers only offer an opt-out.
- It is important to remember that: (1) if terminal equipment information is processed, PECR Rule 6 (Art 5 ePrivacy) applies whether the information is personal data or not; and (2) the concept of personal data is broader than that of direct identifiability.
- Information is personal data when it relates to an identified or identifiable natural person.
- In these solutions, an identifier is created for the purpose of processing information relating to this individual. This is the case regardless of the extent to which the original e-mail address or other information such as their name can be deduced from it. Depending on the specifics, these approaches may also not result in effective pseudonymization, especially if the originating email address is also involved.
- It is also unclear whether these solutions allow individuals to have a general choice about follow-up in the first place, and what happens when they make that choice. This can essentially replicate the current issues with tracking walls.
- These approaches must also ensure that they do not use dark patterns and nudge techniques to trick individuals into “agreeing” to be followed in order to access these services.
- Several elements of the W3C Self-Assessment Questionnaire: Security and Confidentiality may apply in the context of controllers who need to undertake DPIAs. While W3C processes do not replace any legal requirements like DPIAs, they may be relevant considerations.
- Even when the entity offering the adtech solution is not a controller or processor, it is good practice to undertake a DPIA.