Fear of Brave? An Analysis of GDPR Challenges to Behavioral Advertising
On September 12, 2018, a complaint was submitted to the Irish Data Protection Commission1on behalf of Johnny Ryan, Chief Policy and Industry Relations Officer at Brave Software, Inc., seeking to trigger, for the first time, an EU-wide investigation into certain data practices within the digital advertising industry. On the same day, a companion complaint was filed with the UK Information Commissioner’s Office2on behalf of Jim Killock of the Open Rights Group, a non-profit organization, and academic Michael Veale of University College London.
The complaints (the “Complaints”), which are essentially identical in nature and rely, in part, on an accompanying written report from Ryan3(the “Ryan Report”), allege that (i) OpenRTB and Authorized Buyers, the most widely used real-time bidding (“RTB”) protocols promulgated by IAB Technology Laboratory (“IAB Tech Lab”) and Google, respectively, are “mass data broadcast mechanisms” that violate the General Data Protection Regulation (the “GDPR”); (ii) there are no technical measures or adequate controls to support data protection during the RTB process; and (iii) legitimate interest can never be a valid legal basis in the context of widely broadcast RTB bid requests.4
Although this is not the first assault on behavioral advertising and real-time bidding,5it is the first broad one under GDPR and could have profound implications across the entire digital advertising ecosystem. Although the Complaints raise certain concerns over transparency, consumer control, data security, and accountability, many of their allegations and arguments are hyperbolic or misleading, and, in certain cases, incorrect both as a matter of fact and as a matter of law. As such, although the Complaints are helpful to crystallize and shine the light on important issues, they do not demonstrate pervasive industry-wide violations of GDPR or that a massive EU-wide assessment into RTB is warranted. Rather, specific and particularized allegations of GDPR violations should be investigated, as is the case with any other industry.
I. The Backstory
From smartphones and tablets to over-the-top platforms and social media networks, content is increasingly – and in many industries exclusively – being created and consumed digitally. Concomitant with this digital transformation in media, entertainment, and journalism has been the rapid and widespread adoption of digital advertising (“AdTech”).6Significantly, in 2017, AdTech revenue overtook broadcast and cable television advertising revenue for the first time and became an $88 billion industry in the U.S. alone. That figure is poised to rise to $107 billion by the end of this year.7
Despite its prevalence, AdTech, particularly online behavioral advertising (“OBA”), has been a lightning rod for criticism from privacy advocates. OBA is the serving of relevant and targeted advertisements to an individual based on information collected regarding his or her interactions with content on one or more digital properties. Such information is often collected via cookies, pixel tags, software development kits, and/or application program interfaces (“APIs”), depending on the type of digital property (e.g., website or mobile application), and utilized in the RTB process.
RTB facilitates “programmatic” (or automated) buying or selling of digital advertising and is carried out through technical protocols (e.g., OpenRTB and Authorized Buyers) implemented by various organizations. At a high level, RTB works as follows: A company (in AdTech parlance, a “Publisher”) owns or controls available ad space (“Ad Inventory”) on a website or other digital property. When an end user visits the Publisher’s online property, an organization such as a supply-side platform (“SSP”) or ad exchange will send a request on behalf of the Publisher soliciting buyers to bid on this available Ad Inventory on a per-impression basis. This bid request is received typically by a demand-side platform (“DSP”), which is an organization that connects buy-side organizations such as advertisers and agencies to a multitude of Publishers. In real-time, numerous advertisers and agencies simultaneously analyze the bid request and then make their bids to purchase the ad impression. The winning buyer will have its advertisement displayed on the Publisher’s digital property for that particular impression. This entire RTB process takes milliseconds from start to finish.
1 Ravi Naik, Grounds of Complaint to the Data Protection Commissioner 1, https://brave.com/DPC-Complaint-Grounds-12-Sept-2018-RAN2018091217315865.pdf.
- IT Outsourcing by Banks and Insurers Facilitated by Revised Regulations
- Reading the Tea Leaves for 2020
- Federal Council Considers Introduction of Cyber Incident Reporting Duty
- CCPA: The 1st Major American Foray into Comprehensive Data Privacy Regulation
- Hedge Funds of All Sizes Are Using More Alternative Data, But Not Without Concerns, According to Lowenstein Sandler Survey
- Lowenstein Client Tower International (NYSE: TOWR) Agrees to Acquisition by Autokiniton Global Group in $900 Million Deal
- The Wall Street Journal: Lowenstein Sandler Is One of the Nation’s Top Power Players in Large Corporate Bankruptcies
WSG Member: Please login to add your comment.