Why marketers must conduct GDPR Data Protection Impact Assessments of RTB
This note examines the GDPR requirement that marketers conduct data protection impact assessments (DPIAs) when buying digital media using “real-time bidding” advertising.
Summary:
- A 2018 European Court of Justice decision demonstrates that a marketer that buys targeted advertising is a “controller” of the personal data used for that targeting, even if the marketer does not process the data itself.
- The first consequence is that the marketer must conduct a Data Protection Impact Assessment (DPIA) of “real-time bidding” (RTB), per Article 35 of the GDPR.
- In turn, a DPIA of RTB will require that the marketer consult a European data protection authority, per Article 36 of the GDPR.
- The second consequence is that the marketer is exposed to liability from the way that RTB treats personal data. (Article 26 (3) and Article 82 (2) of the GDPR).
Marketers: “joint controllers” with no data?
The European Court of Justice decided in the Wirtschaftsakademie case[1] in June 2018 that a marketer is a controller[2] of data processing when it commissions targeted advertising, even if it does not have direct access to personal data being processed.
The Wirtschaftsakademie decision concerned a particular marketer’s use of Facebook fan pages. The Court ruled that the marketer’s use of Facebook for advertising “gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.”[3]
In addition, the Court observed that the marketer
“can ask for — and thereby request the processing of — demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centers of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organize events, and more generally enable it to target best the information it offers.”[4]
By asking for such targeting, the marketer causes the processing of the personal data that enable such targeting. The marketer “must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing”.[5]
Furthermore, the marketer is a controller not only because it specifies targets, but also because it receives statistical reporting on the effect of this targeting. “The production of those statistics is based on the prior collection … and the processing of the personal data of those visitors for such statistical purposes”.[6]
Therefore, a marketer is “a controller responsible for that processing within the European Union”[7]. It is possible that this can apply to an agency working on behalf of a marketer also. See previous analysis of the Wirtschaftsakademie decision here.
Though the ruling was made in the context of marketing activities on Facebook, the Court’s reasoning applies to all advertising technologies that process personal data[8] to target and report on advertising at the request of a marketer. For example, the “real-time bidding” ad auction system reports on performance to the marketer, and is used for virtually identical targeting to that described by the Court:
“…demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitor…”[9]
This has two consequences that may not be clear to marketers who commission, or who cause the commissioning of, RTB advertising. First, it exposes such a marketer to liability. Second, it requires that the marketer conduct a Data Protection Impact Assessment (DPIA) of RTB.
The marketer’s liability
Whereas the marketer in the Wirtschaftsakademie case was shown to be a joint controller with Facebook, a marketer that uses RTB will inevitably be a joint controller with a large number of RTB companies. The RTB system was built to widely spread personal data, not to protect it. As we and others have explained to European data protection authorities in our complaints against the IAB and Google RTB system, RTB is a data protection free zone.[10] Our complaints have resulted in an investigation of Google’s RTB system by the Irish Data Protection Commission (Google’s lead GDPR authority), and a scathing report from the UK Information Commissioner’s Office, which vindicates our complaints.[11]
Due to the lack of transparency in the RTB industry, and the absence of data protection to limit how data are passed around in the open RTB market, it is likely that a marketer cannot learn of the totality of the companies involved in a single RTB advertising campaign that it has commissioned. This exposes marketers to a broad and boundless hazard. They are liable for misuse of data by adtech companies that they may never even have heard of.
Chart credit: The Economist
The inability to know who one’s joint controllers are offends the idea of how joint controllership is intended to work. Article 26 (1) makes clear that joint controllers must be transparent and cooperative:
“They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject”.[12]
That this is impossible is a further sign that RTB is a data protection free zone.
Article 82 (2) of the GDPR provides that “Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation”.[13] Not only is the marketer liable, despite never touching the data, but it may also be the most obvious party to confront with this liability, because it is likely to be far better known than the adtech companies that caused the problem. The advertiser’s name is on the advertisement.