ICO slams ad tech industry for failure to comply with data protection laws

13 months on from the implementation of the General Data Protection Regulation (GDPR), the UK’s data protection authority, the Information Commissioner’s Office (ICO), has released a report pointing out that the ad tech sector is still falling short when it comes to compliance.

In particular, the report addresses the use of personal data in real-time bidding (RTB) within programmatic advertising – an area which has received several complaints in the past year from privacy activists.

The process of RTB sees advertisers on an ad exchange, network, or supply side platform (SSP) receive an impression call when someone visits a website. As the site is loading for that user, ad spaces on the page are auctioned off by the publisher and the slots are filled by the advertisers that have bid to reach people who match their criteria. As such, advertisers gain access to information about the user without their direct consent.

The report, which will be passed to the ad tech sector, takes issue with a single visit to a website potentially handing over a person’s personal data to ‘hundreds’ of organisations. The ICO will give the industry six months to get in line with its guidelines for GDPR – as well as the Privacy and Electronic Communications Regulations (PECR) – compliance before conducting another review.

“We are clear about the areas where we have initial concerns, and we expect to see change. But we understand this is an extremely complex market involving many organisations and many technologies,” writes information commissioner Elizabeth Denham in the report.

“With that in mind, we’ll continue engaging with the sector, further exploring the data protection implications of the real time bidding system. We’ll continue collaborating with Data Protection Authorities in other European countries too, who are also looking at complaints in this area.”

According to the ICO, the rules on the use of cookies laid out in the PECR take precedence over the GDPR rules. Under the PECR, organisations are required to provide ‘clear and comprehensive’ information about why any cookie or similar technology is being used and obtain prior consent which is up to the GDPR standard. The report highlights that most industry initiatives focus either solely or primarily on GDPR compliance rather than PECR.

It’s also now been made clear that the processing of any ‘special category data’ – which is any data relating to politics, religion, ethnic groups, mental and physical health, and other highly sensitive data – is entirely prohibited, unless there has been explicit consent. As such, the ICO points to both IAB Europe’s Transparency Consent Framework (TCF) and Google’s Authorised Buyers as being non-compliant because their ‘consent mechanisms’ are not ‘appropriate’ for the processing of special category data.  

When it comes to all other data, due to the PECR, legitimate interest cannot be used as a reason for its collection within RTB.

The ICO goes on to take issue with a lack of transparency in RTB, claiming it “often lacks clarity and does not give individuals an appropriate picture of what happens to their data”, and the data supply chain as a whole, highlighting the potential for data leakage due to the nature of data processing within RTB.

The report isn’t all doom and gloom for the ad tech industry. It makes it clear that the ICO is aware of ‘various ongoing initiatives’ that are looking to change the way the RTB ecosystem works, including changes to the criticised TCF.

However, going back to the doom and gloom, the ICO doesn’t feel any of these initiatives are yet ‘fully mature’, doesn’t feel they address its concerns, and doesn’t think the current market would adopt any of the measures voluntarily.

Looking ahead to the next six months, the ICO will conduct further analysis into the processing of special category data without explicit consent and the complexity of the data supply chain.

It will further explore the data protection implications of RTB, continue to engage with key stakeholders, and cooperate with data protection authorities across the European Union.

Depending on the state of the industry in six months’ time, the ICO will undertake a further industry review.

“In the meantime, we expect data controllers in the ad tech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem,” the report reads.

“Following these initial activities, we will continue to focus on both RTB and ad tech in general, and may issue a further update report in 2020.”

Commenting on the report, Rowly Bourne, CEO of Rezonence, said: “As can sometimes be the way with government work, it’s a touch of a case of stating the obvious that you need explicit consent with the latest ICO report. But nevertheless, it’s good to have clear guidelines for ad-tech.

“We shouldn’t expect much change quickly. It’s taken the ICO over a year to provide UK guidance on the GDPR, and they plan to spend the next 6 months consulting with the industry before advising again — which would still fall inside the two-year grace period so potentially another 12 months before we see anything concrete — but the findings are nevertheless the hard truths we needed to hear.

“It’s also encouraging that it addresses ad-tech and digital marketing specifically, with it being clear that much of the sector falls short of compliance, and may always do. Most of the general public have not heard of tech outside of GAFA, so are unlikely to give explicit consent to the 7040 AdTech vendors the Lumascape recognises.

“Interestingly, it has in fact been the big tech players — Apple’s Safari ITP 2 and Google Chrome following suit — who’ve begun to move the needle when it comes to privacy, and the same could be true with this report. These browser wars, along with the potential killing of cross-app tracking, could end much of the immature ad-tech behaviour that the ICO mentions.

“Only time will tell whether this leads to any action, or ends up as merely another ‘report’, with no action coming off the back of it. Nevertheless, I expect the industry to pause and think, potentially with some consolidation, and would not be surprised to see brands scurry to premium content and an increase in direct IOs in the short-term.”