Adtech legal basis and automated decisions
Adtech relies on either consent or legitimate interest. Consent is hard: it must be informed and demonstrable, and firms without a direct relationship rely on third parties to collect it. Legitimate interest is a balancing test; WP29 and EDPB say it is difficult to justify for intrusive cross-site profiling, but safeguards (e.g. an easy opt-out) can shift the balance. Legitimate interest is never available for special category data. Targeting can be an Article 22 automated decision where it significantly affects someone (e.g. ads for betting aimed at a financially vulnerable person).

| Basis | Key points |
|---|---|
| Consent (Art 6(1)(a)) | Must be informed, demonstrable, as easy to withdraw as to give; hard when relying on third parties to collect it |
| Legitimate interest (Art 6(1)(f)) | Balancing test; hard to justify for intrusive cross-site profiling; safeguards (easy opt-out) help; NOT available for special category data |
| Contractual necessity (Art 6(1)(b)) | Raised by Ireland's DPC for targeting, but EDPB does not believe this is possible |

Targeting involves automated decisions. Whether they significantly affect a person depends on intrusiveness, expectations, delivery and exploiting vulnerabilities. The EDPB's example: targeting a financially vulnerable person interested in betting with adverts that could harm their finances. The ICO says profiling for political advertising may also qualify.