In previous issues of DWF Data Protection Insights, we've reported on the ICO's investigation into the adtech industry. The investigation was paused at the start of the pandemic and resumed in January 2021. On 25 November 2021 the ICO published a Commissioner's Opinion calling on companies that are designing new methods of online advertising to comply with data protection law and to stop the excessive collection and use of personal data.
The ICO has been working with the Competition and Markets Authority (CMA) to review Google's plans to replace third-party cookies with alternative technologies that still enable targeted digital advertising. The joint review considers both how those technologies will safeguard personal data and how they fit with the CMA's mission of ensuring competition in digital markets. The ICO considers that this presents a window of opportunity for developers to genuinely apply a data protection by design approach. The Opinion states that new initiatives must take account of data protection risks from the outset and, in particular:
- engineer data protection requirements by default into the design of the initiative;
- offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data;
- be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing;
- articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful and transparent; and
- address existing privacy risks and mitigate any new privacy risks that their proposal introduces.
After considering the risks of adtech, the Opinion ends by setting out the Commissioner's recommendations on how to meet its expectations of any solution, proposal or initiative:
- Demonstrate and explain the design choice – use the least privacy-intrusive approach possible to achieve the purpose.
- Be fair and transparent about the benefits and outcomes the solution seeks to achieve, including the use cases it seeks to address. Demonstrate how the design process takes account of the user experience in practice and avoids dark patterns and nudge techniques.
- Minimise data collection and further processing – ensure the solution processes the minimum amount of data necessary to achieve its purposes. Consider whether the outcomes can be achieved without using personal data. The solution must be designed so that an organisation using it can identify a specific, explicit and legitimate purpose for the processing activities.
- Protect users and give them meaningful control – ensure that the solution allows individuals to exercise their rights, and allows organisations to obtain freely given, specific, informed and unambiguous consent, which is as easy to withdraw as it is to give.
- Necessity and proportionality – the solution must enable organisations to demonstrate that it is a targeted and effective way to achieve their purpose and that any risk to privacy rights is not disproportionate to the benefits. It must also assist organisations in demonstrating that they cannot reasonably achieve the purpose using a less intrusive method.
- Lawfulness, risk assessments and information rights – the solution must allow organisations to identify the appropriate lawful basis and meet its requirements (for example, if the lawful basis is consent, ensuring that the consent meets the UK GDPR standard), to carry out the necessary risk assessments, and to respond to individuals exercising their information rights.
- Special category data – the solution must address the potential for processing special category data, including allowing the organisation to identify the appropriate condition from Article 9 of the UK GDPR (in addition to the Article 6 lawful basis).
If your organisation is using or proposing to use any form of adtech which involves processing personal data, please contact one of our privacy specialists for advice on how to comply with the law, including conducting the necessary DPIAs.