UK regulator ICO is suddenly everywhere and anywhere with warnings for ad tech
Change is afoot at the U.K.’s data protection watchdog, responsible for enforcing the General Data Protection Regulation.
Top execs from the Information Commissioner’s Office have been on a PR push of late, appearing on stage at industry events, agreeing to interviews with the press to deliver a simple message, again and again: Take GDPR more seriously because the industry’s initial attempts to comply have come up short.
It’s a somewhat unprecedented, open approach for a data protection authority. Before the tour, ICO execs like executive director for technology policy and innovation Simon McDougall were arguably unknown to anyone who sat outside of a corporate policy team. Now, whether it’s through Q&As at conferences or private meetings with advertisers, McDougall is becoming one of the more high-profile voices in ad tech in the U.K. In just the past month, McDougall has warned of “vague answers” in an interview with the Financial Times and spoken of “big issues” in Marketing Week, and expressed “concern about this industry” at an an event hosted by media monetization firm Rezonence.
“Ad tech is unique in terms of the sheer volume of data which is massive, and the type that’s used is troubling at the same time,” he said at this week’s Rezonence event.
The rationale behind the conference appearances and interviews is simple: When the ICO rapped the knuckles of ad tech vendors in June for their misuse of personal data to target ads, it gave them a six-month deadline to make changes. With three months to go, the regulator wants to ensure there is no lack of clarity around that grace period.
These are unusual steps for a regulator to take. Typically regulators enforce rather than seek to educate after all. In its warning report aimed at the ad tech sector, the ICO acknowledged the complex structural underpinnings of buying and selling ads on the open exchange via real-time bidding. The regulator isn’t gunning to cripple ad tech and, by extension, the publishers reliant on programmatic advertising revenue, with its enforcement, said McDougall at the event. Nor does it want to further stifle competition in what’s already an ad market dominated by a few major players, aka Google and Facebook.
But that’s not to say the regulator is a soft touch. As recently as ExchangeWire’s ATS event earlier this month, the ICO’s head of technology and policy Ali Shah warned ad tech vendors not to take its light-touch approach to enforcing GDPR on real-time bidding as a sign it would go easy on the industry. In fact, he said there would be casualties among the ad tech community if vendors continued to breach the law.
Shah’s tough stance ahead of the December deadline is part of a strategy to exert maximum pressure without slamming the door shut.
In the 16 months since the GDPR came into effect, the ICO has played good cop to the bad cop approach taken by some of its counterparts across Europe, gently nudging the ad tech industry to get its house in order.
“Despite the grace period provided by the ICO, I have seen no indication of any sort that the RTB industry will reform itself,” said Johnny Ryan, chief policy and industry relations officer at browser Brave. “RTB continues to be the largest data breach yet recorded. This is not an abstract problem of legal theory: I fear that every voter in the next U.K. election will have been profiled using data about them leaked out of the RTB system,” said Ryan. He believes it’s essential that the ICO steps in and enforces the law once its grace period ends. “It would have been far better if it had acted far sooner. The industry must be forced to reform.”
When the ICO started to scrutinize Google in February, it said it had received complaints over Google’s heavy-handed data collection for ad targeting, but stopped short of launching a full probe of those practices. But when the Irish Data Protection Commission launched its own investigation into Google three months later it did so with a statutory inquiry into how the company’s ad exchange uses personal data to target people online. Regulators don’t do that unless there’s a problem they need to confirm and subsequently take action on. The ICO, however, has refrained from making similar moves on ad tech to date in part because the Irish DPA is the lead privacy regulator for Google and Facebook in Europe. The U.K. regulator has also arguably had bigger fish to fry.
Hefty fines have already been dished out to British Airways and Marriott International for £183 million ($226 million) and £99 million ($122 million), respectively, for GDPR data breaches. These were major customer data breaches, deemed an act of negligence on behalf of the companies. Both incidents were the result of colossal cyber hacks that pose a more immediate threat to personal data versus the damage caused by targeting a banner ad to a site. Fining ad tech vendors for data breaches doesn’t seem to be as clear-cut. So much so that the ICO seems to have used the PR tour as well as ongoing meetings with the Internet Advertising Bureau in the U.K. and Europe and Google to get to grips with how personal data is traded between companies.
Hires have also been made to sharpen that internal expertise, with plans to grow the regulator from the 750 headcount it covers now to around 800 over the next 12 months. The more ad tech knowledge the ICO has been able to gain, the clearer its guidance to the industry has got for certain unanswered questions.
Whether ad tech vendors have a legitimate interest in using personal data to target ads has caused no small amount of confusion in ad tech circles. Some vendors have used it as a legal basis for collecting and processing personal data. Even the IAB’s Transparency and Consent framework, which is pitched as a standardized framework for compliance with the GDPR, was revamped to incorporate legitimate interests. The problem is the ICO has since dismissed that idea. There’s a strong chance that something developed to offer data privacy isn’t privacy compliant.
“The ICO is saying legitimate interests are knackered, but the TCF is so far down the line that people will start passing legitimate interests as a basis for consent that’s in complete conflict with the regulator,” said Stuart Colman, sales vp at ad tech vendor InfoSum. “My gut tells me the industry won’t move forward enough for a variety of political, commercial and structural reasons. The ICO can’t keep sitting there giving us another six months to fix things. That’s not their job.”
At agencies, furloughs are the new layoffs
Agency execs and experts believe that agencies are more inclined to use a furlough than a layoff if they have that option. Agencies are a people business and the need to retain top talent any way they can will likely encourage agencies to use furloughs when possible.
Member ExclusiveMall rats: Gen Z shoppers are rerouting the future of physical retail
As “retail apocalypse” rumors continue to fly, teenagers are reviving shopping centers’ foot traffic. Among the draws are a social experience, immediate gratification, a personal branding opportunity and a much-needed break from their mobile phones.
‘Everyone wants control’: Traffic soars, but programmatic ad prices drop
Since the onset of the global pandemic, advertisers have either paused or pulled media dollars, which has sent programmatic prices haywire. All of this has been driven by the uncertainty of what lies ahead.
SponsoredSurvey: The threats of deceptive ads in 2020
Publishers and advertisers: How are you planning to block, eliminate and avoid deceptive ads in 2020? How will deceptive ads impact the 2020 election? Are you seeing deceptive ads that exploit the coronavirus crisis? Take this short survey and we’ll provide the results.
‘More volatile than ever’: Freelancers brace for a rough job market
Due to the coronavirus, freelancers say the job market is much more competitive and that, overall, prospects are slim to none.
‘Your communities want to hear from you more than ever’: How SAP CMO Alicia Tillman is leading through the coronavirus crisis
SAP felt the hit of the coronavirus outbreak early on this year, canceling three of its own customer events and a large presence at SXSW on safety grounds. As the situation developed, SAP’s CMO Alicia Tillman instructed her team to reprioritize the media mix around digital and short-term activations that can help its corporate customers […]