Knowledge Hub
for Growth

Ad-tech contracts: Data, cookies, fraud and cyber security

An ad tech contract, or advertising technology contract seeks to regulate the relationship between parties wishing to use technology and software platforms to facilitate the buying, selling, and delivery of digital advertising.

This article introduces several heavily negotiated areas of ad tech contracts namely: data, fraud and cyber security.

As a publisher or advertiser, if you’re unsure on how to approach a deal or overcome key negotiation points, then our technology solicitors can help. Drawing on yeas of experience, we can guide you through the contract considerations in ad tech.

Who are the parties to an ad tech contract?

The parties to an ad tech contract can vary, depending on the specific arrangement and the nature of the services being provided, but typically will include:

  • Ad tech provider: the person or organisation offering the advertising technology services.
  • Advertiser/Client: the person or organisation seeking to promote their products, services, or brand through digital advertising.
  • Publisher/App developer: the person or organisation, which owns and operates websites, apps, or other digital properties where advertising is displayed.

Why is it important to focus on data within an ad tech contract?

The ad tech industry is based on data-driven advertising strategies.

As a result, data is a valuable asset and the treatment of that data is not only protected in a variety of jurisdictions by a raft of legal regulations and bodies as outlined in our article, legal considerations for digital advertising, but it will also be protected against theft and other illegal use by sophisticated cyber security measures.

An ad tech contract will typically provide clarity on data ownership, usage, compliance and who does what in terms of data governance, privacy and data protection. Additionally, the contract will provide clarity in terms of measures to combat data breaches, hacks and fraudulent activity.

What data is typically collected in ad tech contracts?

Ad tech contracts typically involve the collection and processing of a high volume of sensitive and personal data, including the following:

  • Audience data: including demographics, user interests, behaviour, location, devices used and preferences.
  • Ad performance data:  such as impressions, clicks, conversions, and engagement rates.
  • Website/App data: including information about page views, session duration, navigation patterns, and user interactions.
  • Data collected directly from the advertiser such as customer profiles, purchase history, loyalty program data, or other proprietary information.
  • Cookie and tracking data: such as user behaviour across websites and apps.

As a result, data privacy is a crucial consideration in ad tech contracts, which will set out rights and obligations to ensure responsible data handling, compliance with laws, mitigation of risks and the appropriate management of any data breaches.

How is that data owned, used and shared? Why do you need to know?

Data ownership

An ad tech contract will clearly define who owns the valuable data generated through the performance of the ad tech services.  This is typically the advertiser. Ownership allows them to control how the data is used, shared and analysed, supporting brand and reputation protection and providing data monetisation and licensing opportunities. Equally, the data owner is often responsible for ensuring that the data is collected and processed in accordance with any data protection and privacy laws.

Data usage and sharing

In addition to ownership, an ad tech contract will typically outline how any generated data can be used and shared and for what purposes. For example, the contract may specify that the ad tech provider may only use the data to provide the contracted services and for a specified period, after which the data must be deleted. These limitations protect the advertiser’s data and brand and ensure that the ad tech provider gives appropriate undertakings around data protection, privacy and confidentiality.

If an ad tech provider wishes to share the data with another party, then consent from the advertiser to do this must be provided in the ad tech contract together with any restrictions on the use of the data by the third party.

Use of Cookies

Cookies enable the delivery of personalised and targeted ads based on a user’s browsing history.

The ad tech contract will address the use of cookies and will specify the responsibilities of the ad tech provider in managing and using cookies. These responsibilities may include the obtaining of any relevant customer or user consents and compliance with any specific cookie legislation.  The ad tech provider will typically be required to have cookie policies in place to ensure appropriate controls and clear guidelines are in place as to cookie consent, compliance and transparency.

For further reading see our guide to GDPR and cookie consent.

Data processing agreement

A data processing agreement (DPA) governs the processing of personal data. It is typically used when a data controller (the entity that determines the purposes and means of data processing) engages a data processor (a person or organisation that processes personal data) to process personal data.

Whilst an ad tech contract may include some provisions related to data processing, a separate DPA is often necessary to address the specific requirements imposed by specific data protection and privacy laws, including an outline of the responsibilities and obligations of both the ad tech provider (the data processor) and the client/advertiser (the data controller). These responsibilities will typically include details of the purpose, scope and duration of the data processing; measures to be implemented to ensure the security and confidentiality of personal data and procedures for handling data subject rights requests, such as access, rectification, or erasure of personal data.

Take down mechanisms

Take down mechanisms in ad tech contracts govern the removal or ‘take down’ of certain content or ads. These are needed in situations of legal non-compliance, infringement of intellectual property rights or data privacy issues or breach of contract.

The process for take down will include notice requirements, protection of data and of intellectual property rights and details of how the parties will deal with any alleged breach of contract.

Ad fraud protections

Ad fraud occurs when ads are not seen by real but by fake users, inflating impressions, clicks and conversion data. 

Any ad tech contract will contain provisions to safeguard against ad fraud including requiring the ad tech provider to employ sophisticated tools and technologies to filter out illegitimate sources and to place any adverts on trusted platforms in viewable positions.

By including these, advertisers attempt to mitigate the risks associated with ad fraud, enhance the transparency and effectiveness of their campaigns, and establish a framework for cooperation with the ad tech provider in combating fraudulent activities so that the advertiser only pays for genuine user interactions.   In the event of breach of these obligations by the ad tech provider, the advertiser may well be able to terminate the contract and seek damages.

Cyber security – what does it mean?

The parties to ad tech contracts will seek to employ cyber security in order to protect data, systems, and infrastructure from cyber threats. As well as ensuring compliance with any relevant cyber security regulations, they adopt measures such as data encryption, security systems and regular security assessments and audit to mitigate the risk of data breaches, unauthorized access, and other cyber security incidents.

If a breach occurs, the contract will provide for notification and remedial action and will establish any applicable remedies between the parties.

About our expert

Julia Ellis

Julia Ellis

Senior Commercial Solicitor
Julia is a senior commercial lawyer who works with businesses of all sizes, from start-ups to multi-national groups across many different sectors (B2B and B2C). She has considerable breadth and depth of experience gained while working in-house and in private practice over the last 18 years. She advises on an extensive range of commercial agreements, as well as on related IP and data protection issues.

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry