0330 161 1234
April’s session for in-house counsel—hosted by LexisNexis in collaboration with Radius Law, Flex Legal and Crafty Counsel, led us into the complex and fast-growing world of adtech. Vincent Potier, Founder of London Digital Ventures Limited and Co-founder of Klever Programmatic Inc. took us on a tour of:
The session’s participants gave us a good idea of what they consider to be the number one issue facing legal departments operating in the field of adtech through a wordcloud poll. Many highlighted issues related to regulation, privacy and compliance, as well as difficulties in understanding the technology and in keeping up with changes in the market and in regulation.
Vincent then sought to demystify these challenges…
Vincent noted that there is no single definition of ‘adtech’, which, broadly speaking, refers to the technologies, software and services used by advertisers and publishers to create, run, manage and optimise digital advertising campaigns, and for the process of buying, selling, delivering and targeting digital advertising.
Vincent was quick to challenge the misconception that this term refers solely, or even principally, to the likes of Facebook, Google and Amazon. Indeed, by number, the majority of companies operating in the adtech ecosystem are small or mid-sized.
The term—and the concept—were inexistent 20 years ago. However, in the past two decades, adtech has grown exponentially, with the global programmatic spend in 2021 estimated to be at US$170bn. By programmatic, we mean advertising that takes place through an automated process, rather than by manually buying inventory from publishers. This term, and more broadly ‘programmatic advertising’, is therefore tightly connected with adtech. For more information on these terms, see Practice Note: Adtech and programmatic advertising—introduction and Adtech and programmatic advertising—glossary.
Vincent made no secret of the fact that the adtech ecosystem is complex. He told us that the two key things to remember in order to get a basic understanding of its functioning are that:
He also gave us a rundown of a couple of key terms:
Demand-side platforms (DSPs) are platforms which allow buyers, such as advertisers and advertising agencies, to bid for certain ad space.
Supply-side platforms (SSPs) are platforms used by publishers to sell their ad inventory to the various demand sources (including DSPs).
The way the system operates is:
When a user accesses a publisher’s web page through their browser, which contains an ad slot, the browser sends an ad request to the SSP
The SSP determines what is known about the user before passing on the ad request to the ad exchange
The ad exchange holds an auction for the impression by sending a bid request to the DSPs connected to the ad exchange
The DSPs submit their bids to the exchange by sending a bid response and the highest bidder displays the ad in the ad slot on the web page being viewed by the user.
This process is called real time bidding (RTB) and happens in milliseconds, countless times per day. Read more about this process here.
The biggest piece of regulation in this sphere is the EU GDPR, which Vincent stated has changed everything. Indeed, prior to the EU GDPR, the digital data industry had never been fully regulated.
A key issue that Vincent highlighted was the inherent cross-border nature of adtech and online data more widely. A consequence of the EU’s legislation is that it fostered changes in legislation further afield—Canada, California, Utah, Colorado and Virginia, South Africa, China and more countries now have legislation similar to the EU GDPR.
For more information on the legal issues to consider in respect of adtech, see Practice Note: Adtech and programmatic advertising—legal issues. See also: Adtech and programmatic advertising—data use.
Significant restrictions and obligations were imposed by the EU GDPR concerning, among other things:
The adtech industry was then faced with the question of how to obtain EU GDPR compliant consent from users for the processing of their data for the purposes of advertising and how to communicate this consent to the relevant parties.
In response, IAB Europe, an industry association for online advertising, launched the transparency and consent framework (TCF) in 2018. The TCF is a standardised method through which all stakeholders in the adtech ecosystem (publishers, vendors and, indirectly, advertisers) can technically communicate an end user’s choices and preferences as to how personal data relating to that user may be used.
From the user’s perspective, this appears as the initial pop-up presented on websites they access, which contain information on the use of cookies and the processing of their personal data, including the sharing of their data with third parties, and a call to action for the user to express their consent and objections.
However, regulators have found faults in this.
In 2020, the ‘The Seven-Step Ad Tech Guide’ was published, highlighting and addressing the privacy concerns raised by the Information Commissioner’s Office in its investigation into RTB and the adtech industry. It also included information on the ICO’s views on the TCF and how it planned to develop it. Read more about it in our News Analysis: UK Adtech receives new guidance to address the privacy challenges of real time bidding in programmatic advertising.
More recently, the Belgian data protection authority (APD) ruled that IAB Europe is a data controller in respect of the TCF and the processing of data through the framework, and a joint controller with other participating organisations and, among other things, that IAB Europe does not currently sufficiently monitor and police participating organisations’ compliance with the rules of the TCF. For a more detailed analysis of the ruling, see News Analysis: Transparency and Consent Framework changes ahead (APD v IAB).
The Dutch Data Protection Authority (DPA) also stated that businesses are violating the EU GDPR if they are using the TCF, see: Companies using IAB Europe’s adtech framework are violating EU GDPR, Dutch DPA warns.
The French data protection authority (CNIL) has gone even further, stating that transfers to the US of data collected via Google Analytics are illegal. Read more here: CNIL finds personal data transfers to US via Google Analytics illegal, LNB News 10/02/2022 60.
These decisions have enormous consequences—implying that the current system is not fit for purpose and that something must be done to avoid falling foul of the EU GDPR.
Vincent was convinced that the ‘eruption’ of the EU GDPR cannot be fixed by applying duct tape—there must be a radical rethink of the system. This starts by accepting the system is not fit for purpose and then focusing on the following key points:
Vincent believes it will be industry players, such as the main DSPs and other key stakeholders, that will drive these changes, with regulators following.
To keep on top of the latest developments in adtech, see Practice Note: Adtech and programmatic advertising—tracker.
To hear more about hot topics for in-house counsel and to seek answers on complex topical issues, join our next session and in the meantime, sign up to Radius Law’s Slack channel.
Join us for the next session on: The 10 biggest things to get right in In House Legal Tech and Operations
Date: Wednesday 25 May 2022
Time: 10:00 – 11:00
Format: Virtual event
Register now
* denotes a required field
