IAB and ICO clashed over adtech legal basis, documents show

European adtech trade body the Interactive Advertising Bureau clashed with the UK Information Commissioner’s Office over the lawful basis for processing cookie data, documents seen by GDR show.

Correspondence obtained by GDR through a freedom of information request illustrates an ongoing relationship between the two parties, with the ICO on one occasion spending £405 (€467) on dinner for officials from both groups – just a few months after publishing a report stating that some elements of the trade body’s transparency and consent framework were not compliant with the GDPR.

Some parts of the documents provided to GDR were redacted. The ICO told GDR that commissioner Elizabeth Denham had personally approved these redactions so that the two groups could continue to hold “free and frank” discussions.

The correspondence shows that the regulator continued to raise concerns about the industry’s reliance on legitimate interests as a basis for processing data in the adtech ecosystem shortly before IAB Europe announced the release of its new transparency and consent framework.

On 21 August, IAB Europe said it had launched its updated version of the transparency and consent framework following meetings with European data protection authorities.

But in an email sent on 14 August – just one week before the IAB announced the new framework – the ICO said its focus was “still on obtaining a compelling argument from industry that legitimate interests can be relied upon as lawful basis for the processing of personal data collected via the use of non-essential cookies or similar technologies”.

The new framework, the IAB told the regulator, mandates the use of consent as a legal basis for processing data via tracking cookies. It also contains more granular forms of consent that adtech players must obtain before processing data, the IAB said.

The ICO acknowledged in January this year that the granularity changes in the new framework seemed to be inspired by the need for greater transparency, but that there was “still a question around valid consent for placing of cookies and the apparent suggestion that legitimate interests could be used as a basis for subsequent processing of personal data collected through cookies”.

Officials from the trade body appeared to have made little progress in moving the ICO away from the debate over legitimate interests. In notes ahead of a July meeting, the IAB said that data is still collected from users to “technically deliver ads and measure performance” even if users have objected to data being used to target the ad.

The ICO said in response that “while the IAB believed that data collection purely for the purpose of ad measurement reduces privacy risk, it is still likely to involve the use of cookies or similar technologies. This raises questions over the IAB’s suggestion that legitimate interests can be relied upon as the lawful basis for such processing.”

Technical meetings between the two parties were still continuing into late August, after the IAB had released the new framework.

The regulator earlier told the IAB that it had three main concerns with the way that data is processed in the adtech ecosystem; the issues came off the back of complaints submitted by privacy activist organisations Privacy International and Brave. The issues raised in those complaints, the ICO said, were transparency, lawful basis and the security of processing.

Townsend Feehan, IAB Europe's chief executive, told GDR that the purpose of the meetings was to clarify the ICO's "misconceptions" about the framework and to assert that it does comply with the GDPR. The trade body hoped to "enlist [the ICO's] help" in updating the framework and persuade officials that the framework is the best way to bring the real-time bidding process in line with the GDPR.

Feehan acknowledged the ICO's views on consent for subsequent processing of data obtained through cookies, but said that consent under the ePrivacy rules, combined with GDPR restrictions, can be "almost impracticable".

ePrivacy rules dictate that personal data can only be obtained via cookies if a user has consented, Feehan said. The GDPR requirement for consent to be "freely-given" can be interpreted in a very onerous way, she said, and that could do major damage to the industry. 

The body went ahead with the new framework despite the ICO's objections, Feehan said, because it represents organisations across the EU. The organisation has met with other European data protection authorities, she said.

Feehan declined to specify which other regulators the IAB has visited, but said that it has met with five and has more planned this year. "We’re trying to get [the new framework] in front of as many regulators as possible – we think it’s the best way to get the industry standardised. In general the DPAs [data protection authorities] are definitely pleased when they see version two".

Johnny Ryan, chief policy officer at privacy-focused browser Brave, told GDR in August that real-time bidding (RTB) – the process through which website operators auction advertising space in milliseconds over the internet – should fundamentally be considered a data breach.

“That means it fails the GDPR at the first test,” Ryan said at the time. “It also means that consent is not possible because nobody can say where the data in question will end up, or what will happen to them. Consent is a tool of data protection law. But if there is no protection of the data, then consent is irrelevant.”

Ryan also said the IAB has let website operators and advertisers down by providing faulty guidance on the GDPR. “[The framework] has plagued internet users in Europe, and exposed brands and publishers to legal hazard,” he said. “The IAB has to do better. Its new consent framework repeats version one’s cardinal sin: asking you to consent to an RTB data breach is clearly not appropriate.”
