Cookies, consent and compliance: data protection issues in the adtech space

Analysing adtech series part 1

In the words of Simon McDougall, Executive Director for Technology Policy and Innovation at the Information Commissioner's Office (ICO), "advertising is as old as commerce itself". But, just as technology has revolutionised so many other areas of our lives, advertising has been transformed by the digital revolution. The vast amount of data that businesses now hold about us makes it easier than ever to personalise and target ads to generate maximum engagement, leading to an explosion of the advertising technology, or "adtech", industry.

But the use of that data has been high on regulators' and courts' radars over the last year. The first fine under the General Data Protection Regulation 2016 (GDPR), to the tune of €50 million, related to Google's digital advertising practices. The ICO is in the midst of an investigation into data protection practices in adtech and released a damning interim report in July 2019 indicating severe compliance issues in practices around real time bidding. Cookies, on which adtech relies heavily, are also under scrutiny, with the recent Planet 49 case in the Court of Justice of the European Union (CJEU) confirming that relying on implied consent makes cookies compliance crumble.

All of these developments highlight significant challenges for data protection compliance in the adtech space.

Key challenges

Control and the contractual framework

 Adtech involves a complex web of different stakeholders, from advertisers and publishers, to ad exchanges, to demand- and supply-side platforms. It can often be difficult to work out which entities are acting as data controllers and data processors and therefore what contractual frameworks and obligations should be in place. Several different stakeholders may also be "joint controllers", even if some of those stakeholders have no access to personal data. The 2018 Wirtschafakademie case in the CJEU held that an organisation running a Facebook fan page was a joint controller with Facebook in respect of personal data used by Facebook to collate visitor statistics which were then sent to the organisation in an anonymised format. This was on the basis that the organisation set the demographic parameters on which it wished to receive statistics (for example, occupation, age, interests etc.) Joint controller relationships give rise to joint and several liability and an obligation to set out in writing which controller is responsible for which elements of compliance (e.g. who provides the privacy notice).


 The ICO's real time bidding report identified the lack of transparency in real time bidding (as well as adtech more widely) as a major issue. In such a complex ecosystem, it is difficult a) to provide information about personal data processing in a format and language that users will understand; and b) to identify, on a practical level, where and how such information will be provided. Particularly in an online context, where content can be accessed by numerous different demographics, privacy notices provided will need to be intelligible to audiences of all ages and abilities. The language of such privacy notices, as well as the point in the user journey at which they are provided to individuals, will be crucial in demonstrating best practice in transparency compliance.

Lawful basis and consent

 When personal data is processed in an adtech context, organisations must identify the appropriate "lawful basis" for the processing of that data. Often, this may be consent; the Privacy and Electronic Communications Regulations 2003 (PEC Regs) imposes a separate requirement to obtain consent if personal data is collected by cookies or if the advertising in question constitutes "electronic direct marketing". Where this is the case, the ICO's view is that consent is also the most appropriate GDPR lawful basis (indeed, the real time bidding report stresses that current practices that attempt to rely on "legitimate interests" for the collection of data by advertising cookies are unlawful). Organisations will need to consider the practicalities of obtaining consent, including who is responsible for managing consent and how opt-out requests are flowed through the supply chain. If consent is not required under the PEC Regs, it may be possible to rely on "legitimate interests", but this will always require a balancing test to be carried out between the organisation's interests and users' rights.

Cookies consent

 Adtech relies heavily on the use of advertising cookies and similar technologies. Although consent has been required to set these types of cookies for many years, historically organisations have relied heavily on implied consent. The ICO and other regulators have recently issued updated cookies guidance reinforcing the requirement for express consent, particularly where cookies are seen as "intrusive", which will generally include advertising cookies. The need for active consent over implied consent was also reinforced by the Planet 49 case. It is evident that regulators and the courts very much expect that users will be given clear and effective choices about the use of cookies to collect and process personal data for the purposes of advertising.

Practical steps towards compliance

The ICO's investigation into adtech and data protection is continuing and further reports and guidance may be issued in the coming months. There may also be further court cases and fines that will affect how organisations navigate the adtech ecosystem. In the meantime, organisations looking to process personal data in the adtech space should consider taking the following steps:

  • Think carefully about the roles of the different stakeholders involved in the particular arrangement. Consider, on a practical level, who should be responsible for what in terms of compliance and how this will be achieved. Document this in appropriate contractual arrangements.
  • Consider how the appropriate transparency information will be flowed through to data subjects and at what point in the user journey this will occur. Think creatively about layering privacy notices so that the right information is provided to users at the right time.
  • Where advertising, tracking and targeting cookies are used, conduct a cookies audit to help you understand all the cookies that are in use. Update cookies policies and cookies consent wording to ensure express consent is obtained. If third party cookies are used, think particularly carefully about how users can exercise appropriate choice over these.
  • Review all data processing in detail and establish appropriate lawful bases. Where legitimate interests is relied on, conduct a legitimate interests assessment to document this in writing and to ensure that the organisation's interests are appropriately balanced against users' rights.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions

Date published

07 November 2019


View all