UK’s data regulator again warns ad tech over GDPR compliance
U.K. data protection authority, The Information Commissioner’s Office, has stepped up its warning for the ad tech industry to get its house in order quickly if it is to comply with the European Union’s General Data Protection Regulation and avoid heavy fines.
The ICO held an “ad tech fact-finding forum” in London on Tuesday. It discussed the data protection watchdog’s latest findings since it released a report in June taking the ad tech and real-time bidding marketplace to task on GDPR compliance and giving the industry six months to clean up its act. This summer the ICO said the industry’s current real-time bidding protocols violate GDPR. At the time, the ICO outlined “key areas of concern” including issues such as companies’ treatment of sensitive, “special category” data and the often substandard contractual agreements to protect how bid-request data is shared between vendors.
Speakers at the event included Simon McDougall, ICO executive director of innovation; Will DeVries, Google senior privacy counsel; and the IAB U.K.’s head of policy and regulatory affairs, Christie Dennehy-Neil, according to people who attended. Attendees included representatives from brands, ad tech industry executives, privacy campaigners and lawyers. The event was held under Chatham House Rule, which allows attendees to share what presenters said but not identify them or their companies by name. Members of the press were not invited.
In his presentation, the ICO’s McDougall said the data protection authority’s look into the ad tech sector so far had confirmed some direct processing by vendors of special category data — such as ethnicity or data on someone’s health or sex life — without explicit consent, a violation of GDPR.
The ICO also found an over-reliance on contracts as a guarantee of security, and inconsistent arrangements and terms within those contracts. Oftentimes, it said, there was a lack of clarity of which entities would be the “controller” or “processor” of data in GDPR legalese.
As for user consent, the ICO said it found inadequate and — in some cases — inaccurate transparency information was made available. It discovered privacy policies that lacked clarity or provided conflicting information. It was sometimes unclear how users would withdraw consent. The ICO said it had also found a poor standard of companies assessing they have a “legitimate interest” for their collection and retention of data.
The ICO declined to comment when contacted by Digiday.
McDougall said at the event the ICO is set to provide another update on Dec. 20, according to people in attendance, with enforcement likely to follow in the new year. An IAB U.K. spokesman said the trade body is planning an update for its members in “the next couple of weeks.”
Google’s presentation covered its announcement from last week that it will strip contextual content categories from the bid requests its exchange sends to ad buyers beginning February. Google also explained how it expanded the scope and reach of its existing EU user-consent policy audit program for publishers and advertisers and the audits for its Authorized Buyers program, with additional focus on real-time bidding and data compliance. Google also discussed its other recent privacy-related moves, such as its Chrome Privacy Sandbox and how it’s determining how it can use federated learning and cohort models rather than cookies for personalized ad targeting.
One attendee expressed some concern over the sheer amount of audits that could be set to take place between various players in the broad ad tech daisy chain. “It’s not commercial to have 10 different customers review your business because you’ll forever be in audit,” they said.
Google did not immediately respond to a request to comment.
Investigations into ad tech companies over potential GDPR infractions are ongoing. French data protection authority CNIL did issue warnings to location ad tech vendors Fidzup, Teemo and Vectaury last year. The CNIL has now closed those investigations, and the companies avoided fines. Elsewhere, the DPC in Ireland — where many large internet companies’ European headquarters are located — has launched investigations into companies including Google, Facebook, Twitter and Quantcast over GDPR compliance.
“Certainly the ICO has done enough to make it clear to the industry that change is needed and the industry seems clear that’s the case, but the problem is it’s not clear what the way forward is yet,” said Open Rights Group executive director Jim Killock, who attended Tuesday’s meeting. “It’s clear that technology and money could solve the problem, but it’s not clear what problems the ICO really needs to be solved. Without a bit more clarity, I’m not sure how things will move. Ultimately there will be more bad actors until there are more legal cases going forward.”
On the whole, attendees speaking to Digiday agreed the meeting had been productive, but time is rapidly ticking toward the end of the ICO’s six-month grace period. GDPR has been in effect since 2018.
“It was a good meeting, but we should have had it in 2001,” said browser company Brave’s chief policy and industry relations officer Johnny Ryan, a complainant in a current ongoing GDPR investigation by the Irish data protection authority into how Google’s ad exchange processes personal data.
‘An ordinary course of business’: Why agency holding groups could be the next arbitrage target for private equity investors
These are businesses P.E. investors can buy relatively cheaply and then, after a transition of intense cash flow and margin improvement, sell up.
‘On a learning curve here’: E-commerce platforms still struggling with hateful listings
E-commerce platforms face backlash for a few bad actors among thousands of new listings each day.
‘Always on trauma machine’: Social media managers grapple with burnout, leaving the industry
Long hours, low pay, endless hateful comments and today’s starkly polarized political climate is adding fuel to the fire, according to social media managers.
SponsoredCustomer data can help brands boost loyalty and brand revenue
By Karen Wood, senior director, product marketing, Acquia Trust, reliability and making good on brand promises have always been the cornerstones of customer loyalty. Brands that offer a frictionless, flexible customer experience (CX), one that empowers consumers to get the products, services or answers they need, are rewarded by customers returning for more. But what […]
Hearst’s CDS Global makes an identity play with single sign-on solution
Hearst's CDS Global is hoping that a revamped identity solution can win the legacy magazine fulfillment company some new digital business.
‘So much of culture is influenced by Black and Hispanic people’: How PepsiCo is addressing advertising’s problem with race
As awareness of racial inequality grows worldwide, some advertisers are grappling with how to develop a more sensitive understanding of race.