Teavaros Nico Pizzolato discusses the ICOs recent claims that the ad tech industry is violating data protection laws and what can be done to help online advertising to continue to flourish in the face of increased scrutiny.

With a stringent doctrine of data regulation being approved or in the legislative pipeline across the globe in the past few years, companies have recognised that they need to review the way they collect, use and store data for marketing purposes. In the UK, the data regulator, the Information Commissioner’s Office (ICO), has recently shaken up the industry with two remarkable actions, and in doing so they have highlighted the sins of the industry against data privacy.

The first is the ICO’s adherence to the new penalty structure for data privacy breaches. The ICO intends to fine British Airways £183m – though British Airways intends to appeal – for the data breach that occurred last September, exposing 380,000 transactions, including card details and personal data, to the eyes of fraudsters and hackers. This dwarves the £500,000 fine imposed on Facebook for the Cambridge Analytica scandal that happened before GDPR came into effect. For the first time, the GDPR’s promise of draconian penalties for mishandling data has been implemented in the UK. But the ICO is not waiting for this to sink in, issuing a notice of its intention to fine hotel group Marriott International £99.2m for a similar breach. With these actions, ICO has laid out a new zealotry for data privacy. Stringent enforcement is now a reality.

These punitive actions also lend a certain weight to the statements contained in the report that ICO issued a fortnight earlier. The Update Report into Ad tech and Real Time Bidding gives a disparaging view of the state of data privacy in online behavioural advertising, a wide ecosystem that includes a large slice of the UK economy, from advertisers to publishers, and everything in between. The report – a must read for any marketer who is building a data strategy for their company – highlights several aspects of RTB that have been under scrutiny since the onset of the GDPR due to a number of complaints across Europe. In a barely disguised way, the Commissioner is saying that ad tech is illegal at the moment, insofar as it relies on the Real-Time Bidding (RTB) protocol in its current form as a way to allocate publishers’ inventory. The report’s tone and conclusions are in line with ICO’s counterpart in France, the CNIL (Commission Nationale de l’Informatique et des Libertés) that is investigating complaints of GDPR infringements while urging adtech to self-regulate and reform. (Should encouragement not work, last January the CNIL levied a €50m on Google for collecting users’ consent in ways the contravened the GDPR). And so, a new wind is sweeping across Europe.

But what are the risks RTB poses to marketers in terms of data privacy according to the regulators?

1. There is a persistent confusion on the quality of consent required for dropping trackers like cookies. While companies could process some personal data on the basis of legitimate interest, consent for cookies should be actively and clearly given and the purpose of the cookies explained in simple terms. When setting up cookies, companies should be mindful of both the GDPR and the recently updated PECR (Privacy and Electronic Communication Regulation) and the way they combine together. Consent, not legitimate interest, may provide the appropriate basis for cookies other than the essential ones.
2. The report claims that the content taxonomies used by the IAB’s and Google’s protocols for bidding contain data information that the GDPR identifies as sensitive, such as health, religion, ethnicity or political orientation. The IAB has made some progress on this, changing old categories such as ‘depression’ or ‘Catholicism’ into more comprehensive ones, such as, ‘mental health’ and ‘Christianity’, but are users informed clearly that such information will be shared or even captured? The regulator does not think that is the case.
3. Most companies are at fault for not carrying a privacy assessment. The GDPR mandates a data protection impact assessment (DPIA) when there exists a “large-scale processing of special categories of data”, but companies have often negligently plugged into the existing RTB protocols without assessing the impact on the customer data that they are controlling.
4. Complexity is a major problem with RTB, in conflict with GDPRs requirement to explain clearly and break down for the user the different services for which consent is collected (the basis of CNIL’s fine on Google, which was deemed to have failed in doing so). As it stands, in RTB, data is harvested for a number of purposes and fired off to dozens, even hundreds, of organisations in milliseconds. What users cannot understand, they cannot give consent to, according to the law.
5. Perhaps more damning and less remediable for RTB, the regulator finds it naïve to design a system that relies simply on contractual obligations to protect personal data. Data leakage has been dogging programmatic advertising since the onset and there is really no secure knowledge of what data the hundreds of entities in the chain capture, retain or how they use it.

The report gives away the Commissioner’s incredulity at the cavalier way in which customer data has been handled. Its list of high risks is not accompanied by examples of good practices within RTB and therefore while the report points the finger to ‘some market participants’ it is really the entire industry that is under fire, echoing GDPR’s insistence on the responsibility of data controllers for data partners’ infractions. Finally, the report identifies the causes of such mess in a “lack of maturity” over privacy issues, but also in the “commercial incentives to associate personal data with bid requests” – an unholy mix of greed and ignorance. Such proclamations could be seen as commandments from upon high urging the digital marketing ecosystem to convert to the new order.

Behind the regulators’ cautious and iterative approach, stopping short of disrupting a whole industry, there is an awareness that while the problems are clear, the solution requires a major shift in entrenched practices. The IAB (Internet Advertising Bureau) in its response has reiterated its view that it merely provides an instrument that companies can use, but it is not responsible for their compliance with the law. As we discussed in a previous article, this view is amply contested. In any case, legal responsibilities aside, it does not provide a solution to the woes of the industry.

What the ICO report does not look into are the many companies and initiatives that prefigure a different, more transparent relationship between customers, their data, the data controller and the way companies can market themselves. A return to contextual advertising, with more sophisticated contextual audience metrics, has been touted as a way to become GDPR-safe, but this seems like a step backwards to go forward.

Instead, Teavaro has been passionate, even before regulation had made change inevitable, about the design of systems to harness data within the customer relationship. This is a matter of sound business, rather than only legal compliance. Recent research has vindicated this perspective by suggesting that the use of cookies has a negligible impact on publishers’ revenue, by extension casting doubts on the overall benefits for other stakeholders too. The architecture of such customised systems comprises building a unified customer view by stitching together first party identifiers that companies can collect with clear permission, transparency and fairness, providing easy to use controls to the users. With this as a base, data activation tools, such as Teavaro’s DataAction, can then harness such personal data with a protocol that ensures that it is shared only with parties that have the clearance to read it, from data controller partnership to individual user permissions. Such systems are designed to put the data controller in the driving seat, not the ad tech firms.

After the ICO’s prediction that fixing RTB won’t happen “without intervention”, the writing is on the wall for a cookie-based ecosystem. Such a revelation does not mean the end for digital marketing. Instead it can be born again by activating first-party identifiers, and online advertising can continue to flourish. The question remains, will marketers take this opportunity to repent or continue down this path? The knowledge that there are viable alternatives to the current status quo make these opportunities more tempting and will allow consumers to place new faith in how their data is being used.