UK’s data regulator again warns ad tech over GDPR compliance
U.K. data protection authority, The Information Commissioner’s Office, has stepped up its warning for the ad tech industry to get its house in order quickly if it is to comply with the European Union’s General Data Protection Regulation and avoid heavy fines.
The ICO held an “ad tech fact-finding forum” in London on Tuesday. It discussed the data protection watchdog’s latest findings since it released a report in June taking the ad tech and real-time bidding marketplace to task on GDPR compliance and giving the industry six months to clean up its act. This summer the ICO said the industry’s current real-time bidding protocols violate GDPR. At the time, the ICO outlined “key areas of concern” including issues such as companies’ treatment of sensitive, “special category” data and the often substandard contractual agreements to protect how bid-request data is shared between vendors.
Speakers at the event included Simon McDougall, ICO executive director of innovation; Will DeVries, Google senior privacy counsel; and the IAB U.K.’s head of policy and regulatory affairs, Christie Dennehy-Neil, according to people who attended. Attendees included representatives from brands, ad tech industry executives, privacy campaigners and lawyers. The event was held under Chatham House Rule, which allows attendees to share what presenters said but not identify them or their companies by name. Members of the press were not invited.
In his presentation, the ICO’s McDougall said the data protection authority’s look into the ad tech sector so far had confirmed some direct processing by vendors of special category data — such as ethnicity or data on someone’s health or sex life — without explicit consent, a violation of GDPR.
The ICO also found an over-reliance on contracts as a guarantee of security, and inconsistent arrangements and terms within those contracts. Oftentimes, it said, there was a lack of clarity of which entities would be the “controller” or “processor” of data in GDPR legalese.
As for user consent, the ICO said it found inadequate and — in some cases — inaccurate transparency information was made available. It discovered privacy policies that lacked clarity or provided conflicting information. It was sometimes unclear how users would withdraw consent. The ICO said it had also found a poor standard of companies assessing they have a “legitimate interest” for their collection and retention of data.
The ICO declined to comment when contacted by Digiday.
McDougall said at the event the ICO is set to provide another update on Dec. 20, according to people in attendance, with enforcement likely to follow in the new year. An IAB U.K. spokesman said the trade body is planning an update for its members in “the next couple of weeks.”
Google’s presentation covered its announcement from last week that it will strip contextual content categories from the bid requests its exchange sends to ad buyers beginning February. Google also explained how it expanded the scope and reach of its existing EU user-consent policy audit program for publishers and advertisers and the audits for its Authorized Buyers program, with additional focus on real-time bidding and data compliance. Google also discussed its other recent privacy-related moves, such as its Chrome Privacy Sandbox and how it’s determining how it can use federated learning and cohort models rather than cookies for personalized ad targeting.
One attendee expressed some concern over the sheer amount of audits that could be set to take place between various players in the broad ad tech daisy chain. “It’s not commercial to have 10 different customers review your business because you’ll forever be in audit,” they said.
Google did not immediately respond to a request to comment.
Investigations into ad tech companies over potential GDPR infractions are ongoing. French data protection authority CNIL did issue warnings to location ad tech vendors Fidzup, Teemo and Vectaury last year. The CNIL has now closed those investigations, and the companies avoided fines. Elsewhere, the DPC in Ireland — where many large internet companies’ European headquarters are located — has launched investigations into companies including Google, Facebook, Twitter and Quantcast over GDPR compliance.
“Certainly the ICO has done enough to make it clear to the industry that change is needed and the industry seems clear that’s the case, but the problem is it’s not clear what the way forward is yet,” said Open Rights Group executive director Jim Killock, who attended Tuesday’s meeting. “It’s clear that technology and money could solve the problem, but it’s not clear what problems the ICO really needs to be solved. Without a bit more clarity, I’m not sure how things will move. Ultimately there will be more bad actors until there are more legal cases going forward.”
On the whole, attendees speaking to Digiday agreed the meeting had been productive, but time is rapidly ticking toward the end of the ICO’s six-month grace period. GDPR has been in effect since 2018.
“It was a good meeting, but we should have had it in 2001,” said browser company Brave’s chief policy and industry relations officer Johnny Ryan, a complainant in a current ongoing GDPR investigation by the Irish data protection authority into how Google’s ad exchange processes personal data.
How The 19th relied on memberships and funding to launch during a pandemic
In order to keep on schedule to launch ahead of the U.S. presidential election, non-profit publisher The 19th had to rely heavily on membership and fundraising to meet its launch goal of $4 million.
‘Let the buyers know you exist’: How Morning Brew plans to grow brand ad dollars from its base of direct response
Direct-response ads accounted for 90% of Morning Brew's 2019 revenue in 2019. Its CEO wants brand advertising to account for 50% by the end of 2021.
‘A significant uptick in deal flow’: Why Europe is becoming a hotbed of ad tech innovation
Ad tech companies with data privacy and identity solutions are in vogue among the sector's investors and acquirers.
SponsoredPublishers: Assessing risk and ensuring payments in times of crisis
As the industry navigates the continued impacts of COVID-19, here’s the questions publishers should ask their programmatic partners or ad management providers to protect themselves from clawbacks and lost revenue.
‘We can be agile and evolve’: News UK is quickly growing a 7-figure incremental revenue stream from social video
The goal for Social Studio is a 10-day turnaround from campaign booking to going live.
Lack of events revenue squeezes B2B media, forcing virtual volume — and innovation
Advertising, subscriptions and commerce have begun to recover. But events have not, and B2B media companies are feeling the squeeze.