Privacy Implications of Real-Time Bidding – Lessons From the Mobilewalla Enforcement Action

With advances in digital technology and consumers’ insatiable appetite for “free” content, the advertising technology industry (AdTech) has played a crucial role in delivering highly personalized ad campaigns to consumers while enabling publishers to offer content at no financial cost. Advertisers have gained new opportunities to engage with consumers through apps and digital platforms, which are largely enabled by the collection of user data, and they can include personal and sensitive data often collected through features like cookies embedded in the apps and devices. It is what happens during the next step in the process of delivering a targeted ad, however, that has prompted renewed attention by regulators. The use of this information in real-time bidding (RTB) for ad space enables the delivery of targeted and tailored advertisements to device users. Enormous volumes of ad sales are transacted through RTB daily.

The Federal Trade Commission (FTC) recently took action against Mobilewalla, a data broker, for collecting and selling sensitive location data for purposes of online advertising without consent from consumers. The FTC’s complaint alleged that Mobilewalla collected large amounts of sensitive consumer data (including visits to health clinics and places of worship) from RTB exchanges and third-party aggregators, often without consumers’ knowledge, and then sold this “raw data to third-parties, including advertisers, data brokers, and analytics firms” (FTC Mobilewalla press release).

The FTC has always considered location data to be highly sensitive and emphasized that companies that collect and process location data must not retain such data for purposes other than the original purposes for which it was collected without the consumer’s consent. As part of the settlement with the FTC, Mobilewalla is prohibited from selling sensitive location data; banned from collecting consumer data from online advertising auctions for purposes other than participating in those auctions; required to delete all previously collected sensitive location data and implement measures to prevent further collection or sale of such data; and required to establish comprehensive privacy programs. This action marks a significant step taken by the FTC to protect consumers from misuse of the data collected through RTB. Since RTB involves collecting and using vast amounts of personal data to determine which ads should be displayed to the user, it results in greater scrutiny because of concerns about privacy and data security. It may also prompt privacy regulators to sharpen their focus to determine if privacy laws, which at the core prioritize transparency and the safety and security of individuals, have been violated.

The FTC highlighted the following key issues in its enforcement action against Mobilewalla:

• Lack of Consent. Mobilewalla collected and retained sensitive location data without consumers’ knowledge or consent.
• Lack of Control. The rapid nature of RTB results in sharing and processing data in milliseconds, thereby making it difficult to enforce strict controls over how data is used and retained by multiple parties involved in the bidding process. In the Mobilewalla case, the FTC found that Mobilewalla retained data from auctions it did not win, which is against RTB exchange rules that prohibit the use of consumer data for non-advertising purposes.
• Data Misuse. The lack of strict controls over how data is used and retained by multiple parties involved in the bidding process can lead to the widespread dissemination and potential misuse of the sensitive data. 
  
  

RTB is the process that facilitates the placement of personalized ads on a user’s device. Placement of ads in various media has always been big business for advertising. In the digital age, ad space is sold through auction platforms that process bids for the ad space. To more accurately match the placement of ads with a consumer’ interests, bidders have access to data about the consumer made available from the digital property (e.g., mobile application or website) selling the ad space. Although the technology-driven RTB process swiftly culminates in the placement of an ad in a matter of milliseconds, it is nuanced, requiring the identification, analysis, and sharing of user information by the multiple parties involved in the rapid ad placement transaction. 

RTB is a dynamic process involving the following notable players: (i) the publisher that desires to sell the ad space; (ii) a supply-side platform (SSP), which facilitates the sale of available ad space on a vast number of ad exchange platforms; (iii) the adjacent demand-side platform (DSP), which houses advertiser ads for placement opportunities; (iv) the advertiser (i.e., the business seeking ad placement); and (v) the ad exchange, which is the platform that actually conducts the buy/sell transaction between the buyers and sellers.

The RTB process is triggered when a user accesses a digital property and involves at a minimum all the players mentioned above. When the property is accessed by an end user, cookies and pixels are used to alert the SSP of the available impression (i.e., the first transfer of information), and the SSP examines available information regarding the end user, including web history and demographic details, such as age and gender. This data is then sent to the ad exchange (i.e., the second transfer of information), which promptly connects to and shares such information with the DSPs (i.e., the third transfer of information). The auction begins, and the DSPs then bid in accordance with the advertisers’ prescriptive guidance. Unless an exception applies (e.g., an ad is rejected for brand protection), the highest bidder generally wins, and the bid is instantaneously sent to the publisher and the ad appears on the user’s screen for such digital property. This all happens in just 100 milliseconds – about the same length of time it takes to blink an eye. 

In the end, although there is one bid winner that may have the legal right to use the identifying user information, a vast number of bidders have access to this information. This process occurs for each ad impression, across a multitude of digital properties, for millions of ad sales each day. Due to the sheer volume of RTB transactions, the level of information sharing, and a global trend toward privacy protection, increased attention is being paid by the FTC and privacy regulators to confirm collection and use practices are being adhered to during the various stages of the RTB process.

By taking the appropriate steps during your company’s interaction with a consumer’s data, such as employing technical and organizational measures to seal the points of vulnerability for such data to be improperly used, collected, and shared, companies can avoid FTC scrutiny and the imposition of fines by jurisdictional privacy supervisory authorities. Given the nature of the RTB ecosystem, however, it is important that all participants align their own data collection, sharing, and usage practices with applicable law. Below are some steps that may help decrease your risk depending on your interaction with the data:

• Disclose Practices: Accurately disclose your collection and sharing practices in your privacy policy.
• Obtain Consent: Obtain the consumers explicit consent (including for new use purposes), to collect and share their personal data in connection with advertising. This is of utmost importance in the context of sensitive information.
• Provide and Honor Opt-Out: Have mechanisms in place to honor a consumer’s opt-out choice with respect to advertising.
• Minimize Data Collection: Consider the stalwart privacy principles of data minimization and the case for collecting less data for your stage of the process. As part of this process, identify all types of data being collected by the company and third-party service providers, including data from cookies and tracking technologies.
• Evaluate Data Usage: Ensure data is used only for the purposes for which it was originally collected.
• Assess Data Sharing and Risks: Review with whom the data is shared and how third parties use it. Implement a compliance program to verify that third-party vendors obtain necessary consumer consents, especially for location data. Consider the risks associated with collecting and processing location data and evaluate whether the benefits outweigh these risks.
• Implement Data Deletion Procedures: Establish and enforce procedures to delete data, particularly sensitive data, when it is no longer needed.
• Post an Advisory Notice for Bidding Platforms: In addition to the foregoing, if you are a bidding platform, consider adding an “advisory” message as a pop-up prior to any bidder’s’ use of your platform that states that the information shared during the RTB process should be treated as confidential information and may be used only for the specific purpose of the bidder’s participation in the current auction and should not be collected, used, or shared for any other purpose.