‘Don’t sit on the fence’: UK regulator reiterates GDPR warning to ad tech companies
The clock is ticking for ad tech businesses that are still playing fast and loose with their compliance with the General Data Protection Regulation.
In June, the U.K.’s data protection authority, the Information Commissioner’s Office, told the ad tech industry that the current way personal data is used within programmatic advertising transactions on the open exchange, via real-time bidding, is not compliant. The DPA gave a six-month grace period for them to address any gaping holes. That leaves four months to go.
Speaking at ExchangeWire’s ATS event in London on Sept. 9, the ICO’s head of technology and policy, Ali Shah, encouraged ad tech businesses still relying on a legitimate interest to come forward and engage with the regulator. Shah promised those that do so won’t face financial penalties — as long as they come forward within the next four months.
Shah stressed that the report that shook the ad tech sector by condemning the current misuse of data within RTB was the result of an extensive industry investigation by the ICO. One of the outcomes of it was that ad tech businesses could not rely on the legitimate-interest clause for the use of data within programmatic ad trading on the open exchange. The report acknowledged that the ICO is aware there are still many ad tech businesses that need to address this. Shah said that if there are ad tech businesses using RTB that genuinely believe they have a business case for using the legitimate-interest clause, they should make their case to the ICO.
“I’d be remiss if I didn’t say that if we don’t see meaningful change [within the next four-month window] we’ll have to leverage our full powers of enforcement,” said Shah on stage at ATS London.
Under GDPR, the ICO has the power to fine companies in breach of the law a maximum of €20 million ($22 million) or 4% of global revenue, whichever is higher. The ICO has already announced its intention to fine British Airways and Marriott International £183 million ($226 million) and £99 million ($122 million) respectively for GDPR data breaches. The ICO has already fined Facebook the maximum amount it could under the previous data protection law, £500,000 ($618,000).
Shah added it is not the ICO’s intention to hinder technological innovation where businesses are providing useful tools and services to consumers. He referenced extensive consumer research run by the ICO, in which 63% of 2,000 respondents said they would be fine with their data being used for personalized ads. But once they were then informed exactly how their data was used in order to do that — by multiple digital ad partners in the ad supply chain — that number then halved.
He stressed how the ICO has beefed up its technological expertise with hundreds of staff added in the last few years, taking the total to some 700 people. That makes it one of the biggest DPAs worldwide and is a sign of just how seriously it takes policing data privacy and whether or not companies abuse it for their own benefit, according to Shah.
“Now is not the space to stop and sit on the fence — that time is disappearing,” he said.
In November, just before the six-month deadline, the ICO will hold a forum for publishers, ad tech vendors, agencies and advertisers, which will address what judgments it has made on whether businesses have done enough, particularly with RTB, to be compliant.
There may be some work to do. Before he made those comments, he asked the room who had read the ICO report, and half the room raised their hands. Meanwhile, some delegates tweeted about the irony of the fact that just as Shah took the stage a noticeable number of people left the theater.
However, speaking to other ad tech executives at the event, there was a sense of relief that the ICO was open to having conversations where they could make their case, given they believe the ICO hasn’t fully grasped the full complexity of the digital ad landscape.
“The tide is coming in, in six months,” said Will King, commercial director of The Media Trust, later on during the conference.
‘We see a world where publisher data replaces third-party data’: News U.K. puts its data at the nucleus of post-cookie push for media budgets
News U.K. has overhauled the way it collects, sorts and monetizes its audience data across all its titles via first-party data platform Nucleus.
Here’s why the loss of the third-party cookie is heading toward a collapse in the middle
In the absence of third-party cookies, marketers will need to work more closely with trusted publishers to reach their audiences. Who will lose out? It is posed for a collapse in the middle.
Member ExclusiveMedia Briefing: What to expect from the Digiday Publishing Summit
This week's Media Briefing previews the upcoming Digiday Publishing Summit, which kicks off on Sept. 27 and will feature speakers from media companies including The Washington Post, BDG, Group Nine Media and Essence.
SponsoredHow retailers can be ready for holiday shoppers this year
Suchi Sastri, managing director and partner, Boston Consulting Group As the holiday season approaches and the pandemic continues to evolve, retailers want to know what to expect. Will e-commerce continue to grow at the rate it did last year? How big of a role will in-store shopping play in holiday shopping? While it’s still early, […]
How the pandemic has been a real a buzz kill for office happy hour bonding, culture
As COVID-19 crawls on, more companies are rethinking the wisdom of mixing booze and the stresses of the workplace.
‘Football has lost its soul’: How Copa90 is repositioning itself around the creator economy
Copa90’s overseers believe there’s another shift happening in tandem with the corporatization of the sport that has the potential to be just as transformative