The clock is ticking for ad tech businesses that are still playing fast and loose with their compliance with the General Data Protection Regulation.
In June, the U.K.’s data protection authority, the Information Commissioner’s Office, told the ad tech industry that the current way personal data is used within programmatic advertising transactions on the open exchange, via real-time bidding, is not compliant. The DPA gave a six-month grace period for them to address any gaping holes. That leaves four months to go.
Speaking at ExchangeWire’s ATS event in London on Sept. 9, the ICO’s head of technology and policy, Ali Shah, encouraged ad tech businesses still relying on a legitimate interest to come forward and engage with the regulator. Shah promised those that do so won’t face financial penalties — as long as they come forward within the next four months.
Shah stressed that the report that shook the ad tech sector by condemning the current misuse of data within RTB was the result of an extensive industry investigation by the ICO. One of the outcomes of it was that ad tech businesses could not rely on the legitimate-interest clause for the use of data within programmatic ad trading on the open exchange. The report acknowledged that the ICO is aware there are still many ad tech businesses that need to address this. Shah said that if there are ad tech businesses using RTB that genuinely believe they have a business case for using the legitimate-interest clause, they should make their case to the ICO.
“I’d be remiss if I didn’t say that if we don’t see meaningful change [within the next four-month window] we’ll have to leverage our full powers of enforcement,” said Shah on stage at ATS London.
Under GDPR, the ICO has the power to fine companies in breach of the law a maximum of €20 million ($22 million) or 4% of global revenue, whichever is higher. The ICO has already announced its intention to fine British Airways and Marriott International £183 million ($226 million) and £99 million ($122 million) respectively for GDPR data breaches. The ICO has already fined Facebook the maximum amount it could under the previous data protection law, £500,000 ($618,000).
Shah added it is not the ICO’s intention to hinder technological innovation where businesses are providing useful tools and services to consumers. He referenced extensive consumer research run by the ICO, in which 63% of 2,000 respondents said they would be fine with their data being used for personalized ads. But once they were then informed exactly how their data was used in order to do that — by multiple digital ad partners in the ad supply chain — that number then halved.
He stressed how the ICO has beefed up its technological expertise with hundreds of staff added in the last few years, taking the total to some 700 people. That makes it one of the biggest DPAs worldwide and is a sign of just how seriously it takes policing data privacy and whether or not companies abuse it for their own benefit, according to Shah.
“Now is not the space to stop and sit on the fence — that time is disappearing,” he said.
In November, just before the six-month deadline, the ICO will hold a forum for publishers, ad tech vendors, agencies and advertisers, which will address what judgments it has made on whether businesses have done enough, particularly with RTB, to be compliant.
There may be some work to do. Before he made those comments, he asked the room who had read the ICO report, and half the room raised their hands. Meanwhile, some delegates tweeted about the irony of the fact that just as Shah took the stage a noticeable number of people left the theater.
However, speaking to other ad tech executives at the event, there was a sense of relief that the ICO was open to having conversations where they could make their case, given they believe the ICO hasn’t fully grasped the full complexity of the digital ad landscape.
“The tide is coming in, in six months,” said Will King, commercial director of The Media Trust, later on during the conference.