The latest technological developments have transformed the digital advertising sector, allowing that programmatic advertising increasingly gains ground and, that, through the use of algorithms and programming codes, advertisers can show their advertising campaigns at the right time and place (means), allowing the audience to be segmented and directing, therefore, advertisements to specific audiences in the most efficient way possible.
The Spanish Data Protection Agency ("AEPD"), exercising the functions attributed to it by law, has approved the Code of Conduct for Data Processing in Advertising Activities (the "Code"), presented by Autocontrol (Association for the Self-Regulation of Commercial Communication), –independent advertising self-regulatory organisation–. The Code is applicable to the processing of personal data in advertising activities carried out by adhered entities established in Spain or affecting data subjects residing in Spain; in the latter case, provided that the processing is related to the supply of goods or services to said data subjects in Spain or the control of their behaviour in Spain.
Although the Code does not specify the application of the General Data Protection Regulation ("GDPR") in the field of programmatic advertising, the truth is that it emphasizes certain data protection aspects that can be applied in this sector. Thus, starting with the lawfulness of the processing of personal data for advertising purposes, the Code highlights that the consent of the data subjects shall be granted unequivocally (e.g. by ticking the opt-in box) or that, in the event the advertising is intended to be personalized, a single consent may be obtained for profiling and advertising. In addition –although it is not mentioned in the Code– if the type of personal data being processed includes special categories of personal data (for example, political opinions, sexual orientation, etc.) for the customization of advertising campaigns, it will be necessary that the consent of the data subject is explicit.
On the other hand, the Code emphasizes that information about the processing of personal data for advertising purposes in the digital environment has to be provided in a layered manner, with scrolling texts or other solutions that facilitate the reading and understanding, which is an aspect particularly relevant in the field of programmatic advertising where the practices related to the processing of personal data turn out to be not very transparent and invisible because, in many cases, it is unknown with which third parties the personal data is shared. In particular, such lack of transparency is due to the exponential growth in this sector of profiling activities, its transfer to third parties, the collection of data from sources outside the data subject (even by association or combination of data sets), as well as automated individual decision-making.
The principles of data protection by design and data protection by default reflected in the Code are of special relevance in the programmatic advertising sector, because the complexity and the innovative use of the technologies in which it is framed, allows the collection and processing of more data than the one needed.
Lastly, it is worth mentioning that the main focus of the Code is the establishment of an out-of-court system to deal with data protection and advertising complaints, in a quick, effective and free manner, between the entities adhered to the Code and the data subjects on issues such as the unlawful processing of their personal data by making use of behavioural advertising cookies.
Although the level of knowledge of data protection principles and obligations by the agents involved in the programmatic advertising sector is arguable and this highlights the complexity of compliance with the GDPR, the Code is a tool that must be considered by the sector in its activities.