Teavaro's Nico Pizzolato discusses the ICO's recent claims that the ad tech industry is violating data protection laws and what can be done to help online advertising to continue to flourish in the face of increased scrutiny.
With a stringent doctrine of data regulation being approved or in the legislative pipeline across the globe in the past few years, companies have recognised that they need to review the way they collect, use and store data for marketing purposes. In the UK, the data regulator, the Information Commissioner’s Office (ICO), has recently shaken up the industry with two remarkable actions, and in doing so they have highlighted the sins of the industry against data privacy.
The first is the ICO’s adherence to the new penalty structure for data privacy breaches. The ICO intends to fine British Airways £183m – though British Airways intends to appeal – for the data breach that occurred last September, exposing 380,000 transactions, including card details and personal data, to the eyes of fraudsters and hackers. This dwarves the £500,000 fine imposed on Facebook for the Cambridge Analytica scandal that happened before GDPR came into effect. For the first time, the GDPR’s promise of draconian penalties for mishandling data has been implemented in the UK. But the ICO is not waiting for this to sink in, issuing a notice of its intention to fine hotel group Marriott International £99.2m for a similar breach. With these actions, ICO has laid out a new zealotry for data privacy. Stringent enforcement is now a reality.
These punitive actions also lend a certain weight to the statements contained in the report that ICO issued a fortnight earlier. The Update Report into Ad tech and Real Time Bidding gives a disparaging view of the state of data privacy in online behavioural advertising, a wide ecosystem that includes a large slice of the UK economy, from advertisers to publishers, and everything in between. The report – a must read for any marketer who is building a data strategy for their company – highlights several aspects of RTB that have been under scrutiny since the onset of the GDPR due to a number of complaints across Europe. In a barely disguised way, the Commissioner is saying that ad tech is illegal at the moment, insofar as it relies on the Real-Time Bidding (RTB) protocol in its current form as a way to allocate publishers’ inventory. The report’s tone and conclusions are in line with ICO’s counterpart in France, the CNIL (Commission Nationale de l’Informatique et des Libertés) that is investigating complaints of GDPR infringements while urging adtech to self-regulate and reform. (Should encouragement not work, last January the CNIL levied a €50m on Google for collecting users’ consent in ways the contravened the GDPR). And so, a new wind is sweeping across Europe.
But what are the risks RTB poses to marketers in terms of data privacy according to the regulators?
The report gives away the Commissioner’s incredulity at the cavalier way in which customer data has been handled. Its list of high risks is not accompanied by examples of good practices within RTB and therefore while the report points the finger to ‘some market participants’ it is really the entire industry that is under fire, echoing GDPR’s insistence on the responsibility of data controllers for data partners’ infractions. Finally, the report identifies the causes of such mess in a “lack of maturity” over privacy issues, but also in the “commercial incentives to associate personal data with bid requests” - an unholy mix of greed and ignorance. Such proclamations could be seen as commandments from upon high urging the digital marketing ecosystem to convert to the new order.
Behind the regulators’ cautious and iterative approach, stopping short of disrupting a whole industry, there is an awareness that while the problems are clear, the solution requires a major shift in entrenched practices. The IAB (Internet Advertising Bureau) in its response has reiterated its view that it merely provides an instrument that companies can use, but it is not responsible for their compliance with the law. As we discussed in a previous article, this view is amply contested. In any case, legal responsibilities aside, it does not provide a solution to the woes of the industry.
What the ICO report does not look into are the many companies and initiatives that prefigure a different, more transparent relationship between customers, their data, the data controller and the way companies can market themselves. A return to contextual advertising, with more sophisticated contextual audience metrics, has been touted as a way to become 'GDPR-safe', but this seems like a step backwards to go forward.
After the ICO’s prediction that fixing RTB won’t happen “without intervention”, the writing is on the wall for a cookie-based ecosystem. Such a revelation does not mean the end for digital marketing. Instead it can be born again by activating first-party identifiers, and online advertising can continue to flourish. The question remains, will marketers take this opportunity to repent or continue down this path? The knowledge that there are viable alternatives to the current status quo make these opportunities more tempting and will allow consumers to place new faith in how their data is being used.