UK’s data regulator again warns ad tech over GDPR compliance

The U.K. data protection authority, the Information Commissioner’s Office, has stepped up its warning to the ad tech industry to get its house in order quickly if it is to comply with the European Union’s General Data Protection Regulation and avoid heavy fines.

The ICO held an “ad tech fact-finding forum” in London on Tuesday. It discussed the data protection watchdog’s latest findings since it released a report in June taking the ad tech and real-time bidding marketplace to task on GDPR compliance and giving the industry six months to clean up its act. This summer the ICO said the industry’s current real-time bidding protocols violate GDPR. At the time, the ICO outlined “key areas of concern” including issues such as companies’ treatment of sensitive, “special category” data and the often substandard contractual agreements to protect how bid-request data is shared between vendors.

Speakers at the event included Simon McDougall, ICO executive director of innovation; Will DeVries, Google senior privacy counsel; and the IAB U.K.’s head of policy and regulatory affairs, Christie Dennehy-Neil, according to people who attended. Attendees included representatives from brands, ad tech industry executives, privacy campaigners and lawyers. The event was held under Chatham House Rule, which allows attendees to share what presenters said but not identify them or their companies by name. Members of the press were not invited.

In his presentation, the ICO’s McDougall said the data protection authority’s look into the ad tech sector so far had confirmed some direct processing by vendors of special category data — such as ethnicity or data on someone’s health or sex life — without explicit consent, a violation of GDPR.

The ICO also found an over-reliance on contracts as a guarantee of security, and inconsistent arrangements and terms within those contracts. Oftentimes, it said, there was a lack of clarity over which entities would be the “controller” or “processor” of data in GDPR legalese.

As for user consent, the ICO said it found that inadequate and — in some cases — inaccurate transparency information was made available. It discovered privacy policies that lacked clarity or provided conflicting information. It was sometimes unclear how users would withdraw consent. The ICO said it had also found a poor standard of assessment by companies of whether they have a “legitimate interest” for their collection and retention of data.

The ICO declined to comment when contacted by Digiday.

McDougall said at the event the ICO is set to provide another update on Dec. 20, according to people in attendance, with enforcement likely to follow in the new year. An IAB U.K. spokesman said the trade body is planning an update for its members in “the next couple of weeks.”

Google’s presentation covered its announcement from last week that it will strip contextual content categories from the bid requests its exchange sends to ad buyers beginning in February. Google also explained how it expanded the scope and reach of its existing EU user-consent policy audit program for publishers and advertisers and the audits for its Authorized Buyers program, with additional focus on real-time bidding and data compliance. Google also discussed its other recent privacy-related moves, such as its Chrome Privacy Sandbox and how it’s determining how it can use federated learning and cohort models rather than cookies for personalized ad targeting.

One attendee expressed some concern over the sheer number of audits that could be set to take place between various players in the broad ad tech daisy chain. “It’s not commercial to have 10 different customers review your business because you’ll forever be in audit,” they said.

Google did not immediately respond to a request to comment.

Investigations into ad tech companies over potential GDPR infractions are ongoing. French data protection authority CNIL did issue warnings to location ad tech vendors Fidzup, Teemo and Vectaury last year. The CNIL has now closed those investigations, and the companies avoided fines. Elsewhere, the DPC in Ireland — where many large internet companies’ European headquarters are located — has launched investigations into companies including Google, Facebook, Twitter and Quantcast over GDPR compliance.

“Certainly the ICO has done enough to make it clear to the industry that change is needed and the industry seems clear that’s the case, but the problem is it’s not clear what the way forward is yet,” said Open Rights Group executive director Jim Killock, who attended Tuesday’s meeting. “It’s clear that technology and money could solve the problem, but it’s not clear what problems the ICO really needs to be solved. Without a bit more clarity, I’m not sure how things will move. Ultimately there will be more bad actors until there are more legal cases going forward.”

On the whole, attendees speaking to Digiday agreed the meeting had been productive, but time is rapidly ticking toward the end of the ICO’s six-month grace period. GDPR has been in effect since 2018.

“It was a good meeting, but we should have had it in 2001,” said browser company Brave’s chief policy and industry relations officer Johnny Ryan, a complainant in a current ongoing GDPR investigation by the Irish data protection authority into how Google’s ad exchange processes personal data.