

Submitted by David LeDuc on July 10, 2019

The recent updated report by the UK’s Information Commissioner’s Office (ICO) on advertising technology and real-time bidding (RTB) has gained a lot of attention, for good reason. It deserves a thorough read and careful consideration by all ad tech companies that process personal data of EEA (European Economic Area) residents.

Overall, the ICO’s measured and iterative approach is welcome, as is the open door to industry to continue the dialogue about compliance. These underscore the fact that General Data Protection Regulation (GDPR) guidance and compliance are still evolving. The report comes at a time when practices have already been evolving over the first 12 months since GDPR came into enforcement, and it should be expected to continue evolving—not just due to the ICO report—for at least the next 12 months. 

It is also refreshing to have a regulator issue a detailed and thoughtful perspective that does not represent a strict regulatory conclusion, but rather a midway assessment based on research and discussions thus far. While the tone and stated concerns are at times startling, the report and overall process reflect recognition that this is a “dynamic debate” and that the ICO “look[s] forward to continuing our engagement in this area.” Indeed, this is a call to action for industry to continue making changes to better support compliance with GDPR and the UK’s Privacy and Electronic Communications Regulations (PECR), and to actively engage with the ICO and other regulators throughout that process.

The ICO, on July 3rd, also published additional guidance on cookies, elaborating on how consent should be approached under the GDPR and PECR. This guidance largely mirrored the conclusions in the recent ICO report but also provided some additional key detail and clarifications highlighted below, including the widely mis-reported declaration that legitimate interest as a legal basis is “dead” under GDPR. 

The NAI is eager to assist member companies in continuing to develop compliance measures, and in engaging the ICO and other Data Protection Authorities, and we will look for opportunities to represent our membership in this debate as it evolves.


Transparency, Consent, Legitimate Interest and the Supply Chain

Beginning with an assessment of the lawful bases for processing personal data and the PECR, the report identifies “…a lack of clarity from a significant number of controllers regarding the appropriate lawful basis for processing, as well as the particular requirements of each basis.”

While the conclusion of the report can be summarized as arguing that industry has more work to do in order to meet many of PECR and GDPR requirements, including transparency, lawful basis (consent and legitimate interest), and accountability, we think there are important details and nuances worth noting.

On transparency, a high-level conclusion from the ICO is that, “in RTB the privacy information provided often lacks clarity and does not give individuals an appropriate picture of what happens to their data.” This is not the first criticism of industry transparency, and it identifies an area where industry has made great strides, but the complexity of RTB poses continued regulatory challenges. Collectively we need to continue working to strike a balance that achieves the “clear and comprehensive information” called for by the regulation, but that also is not overwhelming to consumers.  

The ICO also raises several concerns about processing on the basis of consent, which are also not entirely surprising in most cases.  With respect to the processing of special category data—referring to what is also known as sensitive personal data—the report finds that, “market participants must therefore modify existing consent mechanisms to collect explicit consent, or they should not process this data at all.” While the industry has collectively spent significant resources to develop mechanisms to obtain consent, such as the IAB Europe’s Transparency & Consent Framework (TCF), the TCF is not designed to collect explicit consent nor to establish one’s legal basis for processing special category data.

Additionally, with respect to the requirement for obtaining consent to comply with PECR, the report highlights the rules on the use of cookies and similar technologies in Regulation 6 of PECR, noting that they take precedence over the GDPR, where applicable, and highlighting that its guidance “…states that if organisations are required to obtain consent for marketing in accordance with PECR, then in practice consent is the appropriate lawful basis under the GDPR.” One thing the report did not take into account is parties downstream in a bid request that may not be using cookies and similar technologies. The new cookie guidance could serve as an official clarification that PECR always requires consent for the setting of non-essential cookies (such as those used for the purposes of analytics, marketing and advertising). The ICO, however, acknowledges differing opinions on some points, particularly regarding the use of partial cookie walls.

On legitimate interest, while most initial reactions characterized the report as a complete rejection of legitimate interest (it came across that way to many at first blush), the report is more nuanced. Specifically, the report asserts that legitimate interest cannot be used as a lawful basis for the “main” processing of bid requests (relying on older guidance focused on interest-based advertising). And the ICO does explicitly state that legitimate interest is not a lawful basis that may be used to comply with PECR, which is not a surprise and is in line with guidance from other regulators. However, the report leaves the door open to the notion that legitimate interest could be “applicable elsewhere in the RTB ecosystem,” provided that “organisations take on the extra responsibility for ensuring that the interests, rights and freedoms of individuals are fully considered and protected.”

The ICO guidance on cookies clarifies that subsequent processing of cookie data may or may not require consent, depending on the “nature, scope, context and purpose(s) of the processing operations themselves,” though certain cases are “highly likely to require consent as its lawful basis.” The guidance notes that use of any other lawful basis to process data after cookie consent has been gained may confuse users, but it also recognizes that it “may be possible,” depending on careful consideration of the specific circumstances. The ICO is careful to not rule out specific circumstances in which legitimate interest or another basis might be used following initial consent for setting cookies. 

Finally, the ICO report expressed concerns regarding security in the data supply chain. Highlighting concerns about “data leakage,” the report states, “there are no guarantees or technical controls about the processing of personal data by other parties, eg retention, security etc.” However, the TCF v2 specifically provides publishers with the ability not only to approve certain vendors but also to surface only the vendors they have approved, and vendors may only process personal data as communicated by the appropriate signal.


Compliance Frameworks

The report reflects the ICO’s detailed assessment of the most widely adopted data protection compliance frameworks such as the IAB Europe Transparency and Consent Framework (TCF) and Google’s Authorized Buyers Program, as well as industry technical standards such as the OpenRTB protocol. The TCF remains the only industry-wide standard to address the ICO’s concerns about the ecosystem’s ability to meet the transparency, lawful basis and accountability requirements in the GDPR.  It enables publishers to provide transparency into the vendors they’ve approved to process the data of users visiting their digital properties and pass user choice about vendors and their processing purposes across the third-party ecosystem in a unified manner. Without an industry standard, there is no way for publishers and third parties to “speak the same language” about vendors, whether they’ve been disclosed to users and an individual user’s choice about those vendors. Therefore, it’s not surprising that in assessing the “various ongoing initiatives to change the way the RTB ecosystem operates,” the TCF is not only a central focus, but also specifically identified as one of the examples that “[in] due course . . . may address some or all of the issues that concern us.”  

Both the TCF and implementations of the tool are still evolving and maturing, at least partially based on direction received from the ICO and other regulators. The ability of the 3rd party ecosystem to function effectively and provide competition and choice in the market relies on its success. Therefore, the report shouldn’t change the widely-held conclusion that the digital advertising ecosystem would be well served by market participants continuing to implement and support the TCF Version 2.0. In fact, the flexibility of the TCF is a critical element, allowing different entities to offer differing implementations, but also providing opportunity for the ICO and other regulators to assess differing implementations. 


Conclusions and Next Steps

The ICO has clearly stated its intention to take an iterative approach to guidance, and that the conclusions in this report are not yet final. While the report encourages industry to rely on existing guidance for now, the ICO has left open the possibility of issuance of additional guidance if necessary.

The NAI is pleased that the ICO has committed to review its position again towards the end of the year in order to determine whether it still maintains the same concerns, and “whether further action is required.” Our industry therefore has 6 months to provide feedback into the ongoing RTB assessment process, including steps to be taken to address specific concerns, or discussions about differing perspectives about any current conclusions.  During this time, we welcome the opportunity to engage with the ICO, and we encourage ad tech companies to broadly do the same.  

Submitted by Rod Ghaemmaghami on June 21, 2019

By: Rod Ghaemmaghami and Matthew Nichols

IAB Europe held their annual Interact conference in Warsaw, Poland on June 4th-5th, 2019. The conference focused on digital advertising and marketing, with speakers and attendees from companies and organizations across the EU and U.S.

The NAI had a strong presence this year. NAI President and CEO, Leigh Freund, led a panel on the challenges of global interoperability for the Ad Tech industry. She was joined by NAI Board Chairman Doug Miller (Verizon Media), NAI Board Member Julia Shullman (AppNexus, a Xander Company), and Stevan Randjelovic (GroupM EMEA) to share key takeaways on how to approach new regulatory obligations (including GDPR and CCPA). NAI Board Member Alice Lincoln (MediaMath) participated on a panel discussing the impact of the GDPR one year after its enforcement date and on the ongoing development of the industry-led IAB Europe’s Transparency and Consent Framework (TCF).

Two main topics relevant to Ad Tech were discussed throughout the two-day conference: the future of Ad Tech and programmatic advertising, and the lessons learned from GDPR and strategies for complying with future regulations.


The Future of Ad Tech and Programmatic Advertising

In many of the presentations, speakers noted that building consumer trust and empowering the consumer are critical to the future of Ad Tech. One of the presentations compared the programmatic lifecycle to that of economic cycles, and explained that programmatic advertising has reached the peak of its current wave. The concerns that were previously associated with programmatic – that it would cause the end of agencies, that data-driven ads wouldn’t last, and that GDPR would ultimately disrupt and end data-driven advertising – have been disproven. Fears are now shifting to how automation may take over everything and how bigger players in the ecosystem will take all the growth. Other speakers, however, argued that the bigger players have been responsible for new growth and that these fears are unjustified.

Based on the presentations, speakers pointed to three main trends they had seen so far in 2019. First, there may be a shift away from advertising as we know it now. With the potential interest by some to move towards a universal ID, some speakers highlighted increasing browser-led restrictions on third-party cookies. Second, speakers discussed how monetization has changed with the move towards header bidding, which creates a competitive environment. Third, there has been more emphasis on brands wanting to have direct integrations with their consumers.

Speakers discussed the future of technology, more generally, and suggested that the biggest tech trends will be: digital assistants; more touch, less typing; a machine-to-machine marketing world; Native; Video; OTT; and Audio.


GDPR and Strategies for Future Regulation

After noting the trends and changes in the technology and business models of Ad Tech companies, speakers discussed the impact of regulation on the Ad Tech industry and how to prepare for new regulations in the future. One speaker framed the impact of GDPR by explaining how online ads make up 45% of advertising in European markets versus 34% of advertising in the U.S. Despite GDPR, this speaker’s research demonstrated continued growth of digital ads in Europe.

Many speakers agreed that the biggest trend in 2018 was collaboration by industry. A lot of this collaboration has been (and still is) in relation to developing the TCF. Version 2.0 of the TCF has been an incredible relationship builder within the industry, allowing the industry members to speak with each other and build consensus on important issues.  

Some additional changes to the TCF’s most recent version include changes based on regulator feedback concerning the user experience, the updating and creation of new purposes of processing, and the creation of stacks as a way of bundling and presenting purposes for ease of use by users. These changes add greater clarity around legitimate interest, give users clear control when vendors rely on legitimate interest, and allow publishers to work with vendors for specific purposes. They create opportunity for sell-side publishers to be more transparent, and allow for more opportunity for publishers and advertisers to communicate.

The TCF is an example of a self-regulatory solution to the requirements of GDPR and CCPA. Going forward, to ensure industry alignment and build the best solutions to regulations for consumers, companies should: join industry efforts, ensure familiarity with their business model and how their technology interacts with partners, and work on internal data inventory and mapping.


Submitted by Leigh Freund on April 8, 2019

Today, the Network Advertising Initiative (NAI) joined with other leading trade organizations representing America’s advertising industry as steering committee members of a new coalition, Privacy for America.

The mission of the Coalition is to promote a transformative, robust U.S. privacy framework that would set forth clear, enforceable and nationwide consumer privacy protections, establish new prohibitions on a variety of data practices, and strengthen enforcement by the Federal Trade Commission (FTC).

With our increasingly complex and evolving digital landscape, Americans deserve clear protections that prohibit companies from using their data in unexpected or harmful ways. Consumers should be able to count on strong data privacy and security protections without being subjected to endless notices, terms, conditions, and clicks to access the content and services they enjoy across the Internet.

The Coalition will build on and complement the NAI’s nearly two decades as the leading self-regulatory organization for third-party digital advertising. We have always been committed to ensuring privacy protections throughout the digital advertising ecosystem, and this effort will promote federal privacy legislation to translate this commitment into a new law applying not only to digital advertising, but across the economy.

In the weeks ahead, the Coalition will meet with leaders in Congress, the Federal Trade Commission, the Department of Commerce, the White House, companies across the U.S. economy, and other key stakeholders to create robust new privacy protections to restore trust between consumers and businesses.

The Coalition will be drawing on the vast expertise and experience of Jessica Rich as a key advisor.  Jessica is a former Director of the FTC’s Consumer Protection Bureau, and a steadfast proponent of strong consumer privacy and data security protection.