U.K. data protection authority, The Information Commissioner’s Office, has stepped up its warning for the ad tech industry to get its house in order quickly if it is to comply with the European Union’s General Data Protection Regulation and avoid heavy fines.
The ICO held an “ad tech fact-finding forum” in London on Tuesday. It discussed the data protection watchdog’s latest findings since it released a report in June taking the ad tech and real-time bidding marketplace to task on GDPR compliance and giving the industry six months to clean up its act. This summer the ICO said the industry’s current real-time bidding protocols violate GDPR. At the time, the ICO outlined “key areas of concern” including issues such as companies’ treatment of sensitive, “special category” data and the often substandard contractual agreements to protect how bid-request data is shared between vendors.
Speakers at the event included Simon McDougall, ICO executive director of innovation; Will DeVries, Google senior privacy counsel; and the IAB U.K.’s head of policy and regulatory affairs, Christie Dennehy-Neil, according to people who attended. Attendees included representatives from brands, ad tech industry executives, privacy campaigners and lawyers. The event was held under Chatham House Rule, which allows attendees to share what presenters said but not identify them or their companies by name. Members of the press were not invited.
In his presentation, the ICO’s McDougall said the data protection authority’s look into the ad tech sector so far had confirmed some direct processing by vendors of special category data — such as ethnicity or data on someone’s health or sex life — without explicit consent, a violation of GDPR.
The ICO also found an over-reliance on contracts as a guarantee of security, and inconsistent arrangements and terms within those contracts. Oftentimes, it said, there was a lack of clarity of which entities would be the “controller” or “processor” of data in GDPR legalese.
As for user consent, the ICO said it found inadequate and — in some cases — inaccurate transparency information was made available. It discovered privacy policies that lacked clarity or provided conflicting information. It was sometimes unclear how users would withdraw consent. The ICO said it had also found a poor standard of companies assessing they have a “legitimate interest” for their collection and retention of data.
The ICO declined to comment when contacted by Digiday.
McDougall said at the event the ICO is set to provide another update on Dec. 20, according to people in attendance, with enforcement likely to follow in the new year. An IAB U.K. spokesman said the trade body is planning an update for its members in “the next couple of weeks.”
Google’s presentation covered its announcement from last week that it will strip contextual content categories from the bid requests its exchange sends to ad buyers beginning February. Google also explained how it expanded the scope and reach of its existing EU user-consent policy audit program for publishers and advertisers and the audits for its Authorized Buyers program, with additional focus on real-time bidding and data compliance. Google also discussed its other recent privacy-related moves, such as its Chrome Privacy Sandbox and how it’s determining how it can use federated learning and cohort models rather than cookies for personalized ad targeting.
One attendee expressed some concern over the sheer amount of audits that could be set to take place between various players in the broad ad tech daisy chain. “It’s not commercial to have 10 different customers review your business because you’ll forever be in audit,” they said.
Google did not immediately respond to a request to comment.
Investigations into ad tech companies over potential GDPR infractions are ongoing. French data protection authority CNIL did issue warnings to location ad tech vendors Fidzup, Teemo and Vectaury last year. The CNIL has now closed those investigations, and the companies avoided fines. Elsewhere, the DPC in Ireland — where many large internet companies’ European headquarters are located — has launched investigations into companies including Google, Facebook, Twitter and Quantcast over GDPR compliance.
“Certainly the ICO has done enough to make it clear to the industry that change is needed and the industry seems clear that’s the case, but the problem is it’s not clear what the way forward is yet,” said Open Rights Group executive director Jim Killock, who attended Tuesday’s meeting. “It’s clear that technology and money could solve the problem, but it’s not clear what problems the ICO really needs to be solved. Without a bit more clarity, I’m not sure how things will move. Ultimately there will be more bad actors until there are more legal cases going forward.”
On the whole, attendees speaking to Digiday agreed the meeting had been productive, but time is rapidly ticking toward the end of the ICO’s six-month grace period. GDPR has been in effect since 2018.
“It was a good meeting, but we should have had it in 2001,” said browser company Brave’s chief policy and industry relations officer Johnny Ryan, a complainant in a current ongoing GDPR investigation by the Irish data protection authority into how Google’s ad exchange processes personal data.
The Rundown: BuzzFeed Inc. revenue up by 26% despite hits to commerce business, expects similar momentum in Q2
Despite significant declines in BuzzFeed Inc.’s commerce business, overall revenue was up, due to increases in the company's advertising and content arms.
Inside Hearst UK’s multi-pronged approach to third-party cookie replacements
Hearst UK's Ryan Buckley and Faye Turner are testing everything from 50,000-person panels to clean rooms.
Out of home fights for greater ad share as it cites better value on action taken by consumers
An OAAA study found that OOH is on par with other media in eliciting action from those consumers who recall seeing the ads. And since it's much less costly, it's a more effective means of influencing consumers.
SponsoredHow marketers and retailers are unlocking the true value of retail media
Ben Kneen, senior director of product management, Xandr It’s a challenging time for retailers in the advertising industry. As they cope with supply chain woes and inflation-related pressures, they seek high-margin revenue streams amid evolving privacy regulations and massive shifts in identity solutions — including IDFA, the deprecation of third-party cookies and more. In light […]
Member ExclusiveMedia Buying Briefing: Omnicom Media Group tackles supply-chain challenges for its clients
The media agency network created a metric designed to help brands calculate where and when to redirect media spend as a result of supply chain issues they face — rather than just putting a halt on spend when there’s a supply crunch.
The Rundown: Podcast production companies and platforms pitch diverse audiences and ad targeting improvements at IAB’s Podcast Upfront
The three-day podcast-focused event highlighted improvements in dynamic ad insertion, machine learning and diversity of creators, content and audiences.