UK regulator again warns ad tech to clean up its act
The Information Commissioner’s Office, the U.K.’s data protection authority, continued its tough talk tour on Wednesday, warning again that ad tech companies are coming up short in their compliance with the General Data Protection Regulation. The question now is when the ICO will back up its words with actions.
The latest verbal salvo came on Wednesday at an Interactive Advertising Bureau event in London. The ICO’s head of technology and policy, Ali Shah, vowed the regulator will use its “full power” this year to stop ad tech vendors from playing fast and loose with GDPR compliance. In June the authority gave companies six months to comply with the regulation. In the ICO’s estimation, which it has repeatedly stated in the past several months, many companies are coming up short in complying.
“Every time we look further into the [real-time bidding] space it reinforces the concerns we had at the beginning of the processes,” Shah said. “Those players in RTB who have ignored the window of opportunity to conform to regulation must prepare for the ICO to use its wider powers.”
Shah’s tone on Wednesday represents a subtle shift by the regulator, which has tried to exert maximum pressure on ad tech vendors without resorting to imposing fines or conducting full-blown investigations of specific companies. This prior, carrot-like approach functioned almost like a stick because members of the ad tech vendor community knew that the grace period would eventually end and noncompliant companies would be at risk of being discovered, Shah said.
But not all players in the advertising industry believe the regulator has done enough to enforce GDPR on businesses, (although they are still reeling from the fallout of the regulation going into effect).
“The ICO doesn’t have a culture of enforcement and doesn’t want to be seen as a bully,” said a data privacy expert who wished to remain unnamed. “They’ve acted like the friendly industry regulator and threatened fines if things don’t change, but it’s clear that some companies have called their bluff in the belief nothing will happen.”
This data privacy expert was irked by the ICO’s decision earlier this month to accept the IAB and Google’s recent proposals to reform how ads are traded in real time. The ICO backed the IAB’s plan to guide the ad industry on the collection of special category data, which has sensitive information about online users. In addition, the ICO accepted Google’s decision to stop sharing data about the type of content people consume online and improve its auditing process. The ICO arrived at that decision even though it confirmed in November that ad tech vendors had been processing special category data without users’ consent and were breaching the GDPR.
The ICO’s decision to seek improvements from Google and the IAB rather than punish both organizations is emblematic of a lack of enforcement of the GDPR across the board, said Darren Guarnaccia, chief product officer at digital experience platform company Crownpeak.
“The ICO is understaffed, and even when there is a clear violation like a breach, the lack of resources means it is common to give companies extra time to ‘fix’ their violations instead of handing out fines,” Guarnaccia said. “All of this is contributing to the general wait-and-see stance that some companies may be taking regarding GDPR.”
On Wednesday Shah, however, warned the ad tech industry to not regard its recent decisions as a sign the agency would let companies off the hook for data breaches. He did admit, however, ICO responses will take a while to materialize, given the opaque, intermingled makeup of the ad tech ecosystem. Under the GDPR, the ICO has the power to fine companies that breach the law as much as €20 million ($22.2 million) or 4% of their global revenue, whichever is higher. The ICO has already fined British Airways and Marriott International £183 million ($202.8 million) and £99 million ($109.8 million), respectively, for GDPR data breaches. But those fines stemmed from cyberattacks that pose a threat to personal data. They are not cases of a business potentially using data without users’ consent to target a banner ad. Fining ad tech companies isn’t as straightforward for the ICO it seems.
“If anyone feels like we’re stepping away from the issue or not acting quick enough, it’s important to remember that it takes significant steps to do the right due diligence about what appropriate action is needed,” Shah said. “The window to sit back and see what happens has closed.”
‘We’re not in advertising mode’: Anheuser-Busch CMO Marcel Marcondes on staying relevant
Last month, Anheuser-Busch announced that it would use its production lines to produce hand sanitizer to help consumers amid the coronavirus pandemic. But that’s only one way the world’s largest beer company is changing the way it operates during this crisis. As the situation has evolved, the company has developed initiatives aimed at helping consumers […]
It took a global pandemic, but Facebook Live is back in favor
With people at various levels of lockdown, Facebook Live has gone from being a back-up way to being at events to being one of the only ways during the pandemic.
‘Be helpful’: How marketers are adapting their messaging to a fraught environment
Using that tactic -- fostering a sense of community with some version of “we’re in this together” and making explicit how big businesses are trying to help -- is common in the new advertising.
SponsoredRegulations are prompting publishers to develop new strategies around user log-ins
In a post-GDPR and post-cookie world, more publishers are making concerted efforts to explain the value of their content to users and increase the volume of consumer authentication.
‘Right thing to do at the right time’: The definitive oral history of Hyundai’s assurance program
Here’s the story of how the Hyundai Assurance came to be and how it was revived in recent weeks.
Member ExclusiveFinance is the new creative: Balance-sheet crunch leads ad and media businesses to seek new liquidity avenues
This is the second of a weekly column about the big changes and challenges facing media and marketing leaders. Be sure to join Digiday+, our membership program, to get access to this column and all Digiday articles, research and more. First came the shock. Then came the bills. Eager to maintain positive free cash flow […]