The approval of the first code of conduct under the GDPR regarding the processing of data in the advertising sector and its impact on the programmatic advertising ecosystem

Written on 23 Dec 2020

Following the recent approval by the Spanish Data Protection Agency of the Code of Conduct for Data Processing in Advertising Activities, this article analyses its implications in the programmatic advertising sector.

The latest technological developments have transformed the digital advertising sector, allowing that programmatic advertising increasingly gains ground and, that, through the use of algorithms and programming codes, advertisers can show their advertising campaigns at the right time and place (means), allowing the audience to be segmented and directing, therefore, advertisements to specific audiences in the most efficient way possible.

The Spanish Data Protection Agency ("AEPD"), exercising the functions attributed to it by law, has approved the Code of Conduct for Data Processing in Advertising Activities (the "Code"), presented by Autocontrol (Association for the Self-Regulation of Commercial Communication), –independent advertising self-regulatory organisation–. The Code is applicable to the processing of personal data in advertising activities carried out by adhered entities established in Spain or affecting data subjects residing in Spain; in the latter case, provided that the processing is related to the supply of goods or services to said data subjects in Spain or the control of their behaviour in Spain.

Although the Code does not specify the application of the General Data Protection Regulation ("GDPR") in the field of programmatic advertising, the truth is that it emphasizes certain data protection aspects that can be applied in this sector. Thus, starting with the lawfulness of the processing of personal data for advertising purposes, the Code highlights that the consent of the data subjects shall be granted unequivocally (e.g. by ticking the opt-in box) or that, in the event the advertising is intended to be personalized, a single consent may be obtained for profiling and advertising. In addition –although it is not mentioned in the Code– if the type of personal data being processed includes special categories of personal data (for example, political opinions, sexual orientation, etc.) for the customization of advertising campaigns, it will be necessary that the consent of the data subject is explicit.

Despite the Code raising the legitimate interest as another legal basis for the processing of personal data for advertising purposes, it does not seem that this can be considered as a valid condition for the lawfulness of the processing in the programmatic advertising sector, as already stated by the Information Commissioner's Office –ICO– (United Kingdom data protection authority) in its report on programmatic advertising issued on June 2019. The main reason for this rejection is that the processing of personal data in the programmatic advertising ecosystem is carried out through the use of cookies and similar technologies on publisher's web pages or mobile applications, which entails –by virtue of the provisions included in the Law on Information Society Services and Electronic Commerce– the need to obtain the informed consent of the users. The information addressed to the data subjects should avoid ambiguous descriptions regarding the use of advertising cookies and inform –as the case may be– that the advertisement is executed based on a profile drawn up on the basis of the browsing or use of the mobile application by the user and, if applicable, the use of cookies or technologies of third parties, if applicable.

On the other hand, the Code emphasizes that information about the processing of personal data for advertising purposes in the digital environment has to be provided in a layered manner, with scrolling texts or other solutions that facilitate the reading and understanding, which is an aspect particularly relevant in the field of programmatic advertising where the practices related to the processing of personal data turn out to be not very transparent and invisible because, in many cases, it is unknown with which third parties the personal data is shared. In particular, such lack of transparency is due to the exponential growth in this sector of profiling activities, its transfer to third parties, the collection of data from sources outside the data subject (even by association or combination of data sets), as well as automated individual decision-making.

The principles of data protection by design and data protection by default reflected in the Code are of special relevance in the programmatic advertising sector, because the complexity and the innovative use of the technologies in which it is framed, allows the collection and processing of more data than the one needed.

Lastly, it is worth mentioning that the main focus of the Code is the establishment of an out-of-court system to deal with data protection and advertising complaints, in a quick, effective and free manner, between the entities adhered to the Code and the data subjects on issues such as the unlawful processing of their personal data by making use of behavioural advertising cookies.

Although the level of knowledge of data protection principles and obligations by the agents involved in the programmatic advertising sector is arguable and this highlights the complexity of compliance with the GDPR, the Code is a tool that must be considered by the sector in its activities.