The Information Commissioner’s Office has given ad tech a second chance to become compliant with the General Data Protection Regulation.
But without actual enforcement, there may be no point.
Last week, the ICO issued the ad tech sector with a stark warning not to continue with practices that violate GDPR. The gist of its warning was that many of the current practices within programmatic advertising — specifically real-time-bidding — are essentially now illegal.
The document clarifies specific areas in which the ICO will not tolerate the misuse of personal data for the purposes of targeted advertising. In particular: Legitimate interest cannot be relied on for businesses operating RTB, special-interest category data which includes ethnic origins, health and political orientation, require explicit consent, while contractual agreements alone can’t be relied on for compliance.
On the surface, the document is extremely worrying for ad tech. But ad tech businesses remain unfazed, partly because there is no threat of serious penalties and partly because any attempt to address the issues raised will take a long time to fix given the complexity of the digital ad supply chain. Until it can call out specific players for GDPR violation, any major changes will be unlikely, at least in the short term.
The ICO said it will work closely with the IAB and Google on their GDPR frameworks to help them become fully compliant and check back in six months to ensure there is evidence of change. But officially, it has only committed to potentially issuing further guidance, rather than strict punishment.
“They [the ICO] have punctured the tin but not ripped the lid off [of ad tech],” said Dan Wilson, CEO of London Media Exchange. “This [how data is used within RTB-based ad calls] has been flagged as a systemic risk to privacy. They can’t issue statements like that and walk away.”
Media agencies like Essence have welcomed the ICO’s warning as a necessary step to shining a light on continued GDPR malpractice. “Practices which effectively game the acquisition of user consent have a shelf life, and we’re keen to see the back of,” said Ryan Storrar, svp and head of media activation for EMEA at Essence. However, Storrar added that warnings alone won’t change the status quo. “A lot of people are talking about it, but only enforcement will bring change. A lot of the report’s findings are unsurprising, but they need to make examples [of businesses falling foul.]”
To date, the ICO has made it clear it will favor the carrot to the stick when it comes to the majority of GDPR assessments. But many media agencies and some ad tech vendors have said that it’s time for the ICO to show its teeth. “It has to happen — without those fines there is very little impetus to change,” said Brian Kane, co-founder of publisher tech vendor Sourcepoint.
The ICO will need to do more than issue a written wrist slap, as it did with the Washington Post. “That was the most wishy-washy of statements,” said Kane. “It was meaningless. At some future point, the ICO will come out with some sort of fine against someone. They have given plenty of warning and time to adjust.”
Many advertising executives believe that if ad tech businesses that are in breach don’t respond hastily to the latest warning, there will be serious repercussions. “Not taking the ICO’s guidelines seriously at this point would be equal to playing with fire,” said Alessandro de Zanche, an independent publishing consultant. “I have heard that the ICO will be issuing warnings first, then leave an informal buffer of a few months before issuing fines,” he added. “Being in contempt of this and showing an arrogant and defiant approach will just create further damage to an industry whose credibility is through the floor.”
Others agree that the digital ad industry must respond if it’s to avoid further penalties or risk more of a mainstream news spotlight on the issue, which would place it higher on consumer radars, like with issues around brand safety.
“It’s in danger of getting on a larger radar [if left unchecked],” said David Morris, director of solutions consulting, EMEA, at ad tech vendor Tealium. “Cambridge Analytica put a lot of what happens at Facebook on a larger radar, and when GDPR went live, it made mainstream BBC news.”
But there’s still skepticism around whether the current use of data within RTB as a method for trading ads programmatically has a future. “Parts of the industry are willingly prepared to crash against a wall at full speed rather than accepting the obvious: RTB and privacy regulations, GDPR in particular, are incompatible,” said de Zanche.