‘We expect to see change’: ICO warns ad tech not to flout GDPR
It was only a matter of time. U.K. data protection authority the ICO has investigated how the ad tech sector still uses personal data for the purposes of real-time bidding in programmatic advertising. Its verdict: not good enough.
The regulator has given ample time to businesses to show how they have adapted business processes in order to comply properly with the General Data Protection Regulation, introduced last May. But bar a small contingent of publishers and ad tech vendors, many continue to flout the law rather than risk any drop in ad revenues complying more strictly would cause.
On June. 20, the ICO released a report that specifically focuses on how the ad tech sector should comply with GDPR — an area that would be hard for it to ignore given the multiple privacy complaints made against the use of RTB in programmatic advertising by privacy activists.
The report will be circulated to the ad tech sector, and the ICO will check that its stipulations have been followed in six months’ time. It may decide then to write future guidance. The Irish DPA is also investigating many of the same issues raised in the report. Although the ICO hasn’t made any serious threats to businesses that don’t comply, it does intend for this additional clarity on certain areas of GDPR to be adhered to.
“We are clear about the areas where we have initial concerns, and we expect to see change,” wrote Information Commissioner Elizabeth Denham in the report.
Here’s a primer:
Legitimate interest is a goner
There have always been serious question marks over ad tech vendors claiming they have a legitimate interest to process individuals’ personal data for advertising purposes. But that hasn’t been enough of a deterrent it seems. While a lot more businesses have adopted more consent-led strategies after initially adopting legitimate interest strategies at the start, some continue to hide behind it.
The ICO has made it abundantly clear that claiming legitimate interest as a compliance strategy is impossible if a business is using real-time bidding. It cannot be used for bid-request processing, the only option is for businesses to obtain consumer consent.
Ad tech is flouting special-category data rule
GDPR outlines that special-category data — relating to especially sensitive data such as ethnic origin, and health background, to religion, political and sexual orientation — has always been dangerous ground for any ad tech business. Processing this kind of data requires an extra layer of protection as GDPR specifies that it risks harming individuals if misused. The ICO has now stated that any processing of this kind of data is unlawful without explicit consent. But it has also flagged that is has witnessed this GDPR stipulation being flouted by companies which use it within bid requests along with other information like device IDs, cookie IDs and location data.
IAB Europe and Google GDPR framework flaws highlighted
The ICO has examined the attempt at an industry standard around GDPR compliance, led by the Interactive Advertising Bureau Europe, and Google’s own version referred to as its “Authorized Buyers network,” having not yet synced with the IAB version. While the IAB Transparency and Consent Framework is currently undergoing an overhaul, the ICO has made it clear several fundamental areas won’t cut it. The simplest: there are over 450 companies registered with the framework, but a lot more who aren’t and continue to operate with the RTB environment. As such, consumers aren’t likely to understand the extent to which their data is used and by who. “The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent,” stated the report.
Contractual agreements are worthless
In the digital ad trading ecosystem, any data used to buy ads on the open exchange is vulnerable to leakage. If an agency or a publisher agrees to a contract with a demand-side platform or a supply-side platform, there is no way to ensure that vendor won’t knowingly or unknowingly leak that data to countless other third parties in the process of an ad impression being bought and executed. That’s why a large number of publishers, agencies, advertisers, and vendors have relied on contractual agreements to cover their backs. These contracts declare the onus for any data-privacy breach to fall directly onto the shoulders of the company processing the data on the other’s behalf. However, the ICO has now stated that these kinds of contractual agreements are void. Data controllers must triple check themselves how and where their partners share data.
Life-raft extended to small publishers
The ICO has been careful to show its recognition that despite the non-compliant use of real-time bidding on the open exchange, many smaller publishers are also reliant on this form of advertising for survival. “There are additional considerations, in particular, the economic vulnerability of many smaller UK publishers, which make it advisable for us to move carefully and observe the consequences of our actions,” stated the report.
How Forbes’ 30 Under 30 franchise has become a top selling point for the brand
The 30 Under 30 franchise has given Forbes another avenue to sell its advertising clients on cross-platform campaigns for top dollar.
‘Outside the four walls of a restaurant’: Why The Infatuation cooked up a marketplace model during the pandemic
The NYC-focused marketplace, which offers everything from private dinners to cooking classes, will be braided into the rest of the Infatuation's business next year.
‘I believe enough in this to try to do it myself’: CollegeHumor owner Sam Reich on the brand’s future potential
In January, IAC decided it was no longer willing to finance CollegeHumor and sold it to Sam Reich, who had joined the company in 2006 to build out original video.
SponsoredWhy ad buyers (and sellers) need to pay more attention to viewer attention
By Yan Liu, CEO, TVision Like the proverbial tree falling in the forest, we all recognize that oftentimes the TV is on, but no one is in the room to hear or see it. And yet some ad buyers continue to rely on a metric that fails to account for this. To mix metaphors, buyers […]
‘The experience is much more valuable’: How publishers are testing hybrid approaches to keep their events engaging
In order to reignite the spark of excitement that experiential is meant to offer, some publishers have begun testing the limits of hybrid events.
Care packages replace canapés as Coronavirus cancels media holiday party extravagances
With social distancing keeping coworkers apart in December, media companies and agencies have turned to care packages to replace the holiday party.