UK’s data regulator again warns ad tech over GDPR compliance
U.K. data protection authority, The Information Commissioner’s Office, has stepped up its warning for the ad tech industry to get its house in order quickly if it is to comply with the European Union’s General Data Protection Regulation and avoid heavy fines.
The ICO held an “ad tech fact-finding forum” in London on Tuesday. It discussed the data protection watchdog’s latest findings since it released a report in June taking the ad tech and real-time bidding marketplace to task on GDPR compliance and giving the industry six months to clean up its act. This summer the ICO said the industry’s current real-time bidding protocols violate GDPR. At the time, the ICO outlined “key areas of concern” including issues such as companies’ treatment of sensitive, “special category” data and the often substandard contractual agreements to protect how bid-request data is shared between vendors.
Speakers at the event included Simon McDougall, ICO executive director of innovation; Will DeVries, Google senior privacy counsel; and the IAB U.K.’s head of policy and regulatory affairs, Christie Dennehy-Neil, according to people who attended. Attendees included representatives from brands, ad tech industry executives, privacy campaigners and lawyers. The event was held under Chatham House Rule, which allows attendees to share what presenters said but not identify them or their companies by name. Members of the press were not invited.
In his presentation, the ICO’s McDougall said the data protection authority’s look into the ad tech sector so far had confirmed some direct processing by vendors of special category data — such as ethnicity or data on someone’s health or sex life — without explicit consent, a violation of GDPR.
The ICO also found an over-reliance on contracts as a guarantee of security, and inconsistent arrangements and terms within those contracts. Oftentimes, it said, there was a lack of clarity of which entities would be the “controller” or “processor” of data in GDPR legalese.
As for user consent, the ICO said it found inadequate and — in some cases — inaccurate transparency information was made available. It discovered privacy policies that lacked clarity or provided conflicting information. It was sometimes unclear how users would withdraw consent. The ICO said it had also found a poor standard of companies assessing they have a “legitimate interest” for their collection and retention of data.
The ICO declined to comment when contacted by Digiday.
McDougall said at the event the ICO is set to provide another update on Dec. 20, according to people in attendance, with enforcement likely to follow in the new year. An IAB U.K. spokesman said the trade body is planning an update for its members in “the next couple of weeks.”
Google’s presentation covered its announcement from last week that it will strip contextual content categories from the bid requests its exchange sends to ad buyers beginning February. Google also explained how it expanded the scope and reach of its existing EU user-consent policy audit program for publishers and advertisers and the audits for its Authorized Buyers program, with additional focus on real-time bidding and data compliance. Google also discussed its other recent privacy-related moves, such as its Chrome Privacy Sandbox and how it’s determining how it can use federated learning and cohort models rather than cookies for personalized ad targeting.
One attendee expressed some concern over the sheer amount of audits that could be set to take place between various players in the broad ad tech daisy chain. “It’s not commercial to have 10 different customers review your business because you’ll forever be in audit,” they said.
Google did not immediately respond to a request to comment.
Investigations into ad tech companies over potential GDPR infractions are ongoing. French data protection authority CNIL did issue warnings to location ad tech vendors Fidzup, Teemo and Vectaury last year. The CNIL has now closed those investigations, and the companies avoided fines. Elsewhere, the DPC in Ireland — where many large internet companies’ European headquarters are located — has launched investigations into companies including Google, Facebook, Twitter and Quantcast over GDPR compliance.
“Certainly the ICO has done enough to make it clear to the industry that change is needed and the industry seems clear that’s the case, but the problem is it’s not clear what the way forward is yet,” said Open Rights Group executive director Jim Killock, who attended Tuesday’s meeting. “It’s clear that technology and money could solve the problem, but it’s not clear what problems the ICO really needs to be solved. Without a bit more clarity, I’m not sure how things will move. Ultimately there will be more bad actors until there are more legal cases going forward.”
On the whole, attendees speaking to Digiday agreed the meeting had been productive, but time is rapidly ticking toward the end of the ICO’s six-month grace period. GDPR has been in effect since 2018.
“It was a good meeting, but we should have had it in 2001,” said browser company Brave’s chief policy and industry relations officer Johnny Ryan, a complainant in a current ongoing GDPR investigation by the Irish data protection authority into how Google’s ad exchange processes personal data.
Fewer stories, told better: News UK is changing how it commissions stories to grow subs
The Times (UK) and The Sunday Times are changing the way they commission stories to grow digital subscriptions.
Member ExclusiveMedia Briefing: How publishers’ fourth-quarter ad sales strategies are shaping up
This week’s Media Briefing checks in with publishers to see where things stand with fourth quarter ad sales as the biggest season in the sales cycle approaches.
‘We are the new type of competition’: How Stagwell Group’s CEO Mark Penn is going after the holding companies
Stagwell chairman and CEO, Is focused on growing its roster of SaaS products, and updating its media arm to fold in first-party data generation that’s not cookie-dependent.
SponsoredHow advertisers can tell the difference between banner blindness and ad-aware consumers
Aditya Padhye, general manager, Trestle at eyeo Advertising is part and parcel of daily life –– from billboards in the street to smartphone apps, its presence is unavoidable. While some advertising strikes a chord with people, there are certain ads that have the opposite effect. Increasing internet usage among all demographics, higher demand for sales […]
‘Journalism can only be as good as our newsroom culture’: Vox Media’s new editors-in-chief are redefining the roles
The modern newsroom has more working against it than it did even a couple years ago and the new guard of editors-in-chief are now facing those challenges head on while leading by example.
BFFs once more, advertisers and publishers rediscover their alliance amid tracking turmoil
Direct deals between advertisers and publishers are being pitched harder now as advertisers see publishers as a valuable source of audience data post-third-party cookies.