‘We expect to see change’: ICO warns ad tech not to flout GDPR
It was only a matter of time. U.K. data protection authority the ICO has investigated how the ad tech sector still uses personal data for the purposes of real-time bidding in programmatic advertising. Its verdict: not good enough.
The regulator has given ample time to businesses to show how they have adapted business processes in order to comply properly with the General Data Protection Regulation, introduced last May. But bar a small contingent of publishers and ad tech vendors, many continue to flout the law rather than risk any drop in ad revenues complying more strictly would cause.
On June. 20, the ICO released a report that specifically focuses on how the ad tech sector should comply with GDPR — an area that would be hard for it to ignore given the multiple privacy complaints made against the use of RTB in programmatic advertising by privacy activists.
The report will be circulated to the ad tech sector, and the ICO will check that its stipulations have been followed in six months’ time. It may decide then to write future guidance. The Irish DPA is also investigating many of the same issues raised in the report. Although the ICO hasn’t made any serious threats to businesses that don’t comply, it does intend for this additional clarity on certain areas of GDPR to be adhered to.
“We are clear about the areas where we have initial concerns, and we expect to see change,” wrote Information Commissioner Elizabeth Denham in the report.
Here’s a primer:
Legitimate interest is a goner
There have always been serious question marks over ad tech vendors claiming they have a legitimate interest to process individuals’ personal data for advertising purposes. But that hasn’t been enough of a deterrent it seems. While a lot more businesses have adopted more consent-led strategies after initially adopting legitimate interest strategies at the start, some continue to hide behind it.
The ICO has made it abundantly clear that claiming legitimate interest as a compliance strategy is impossible if a business is using real-time bidding. It cannot be used for bid-request processing, the only option is for businesses to obtain consumer consent.
Ad tech is flouting special-category data rule
GDPR outlines that special-category data — relating to especially sensitive data such as ethnic origin, and health background, to religion, political and sexual orientation — has always been dangerous ground for any ad tech business. Processing this kind of data requires an extra layer of protection as GDPR specifies that it risks harming individuals if misused. The ICO has now stated that any processing of this kind of data is unlawful without explicit consent. But it has also flagged that is has witnessed this GDPR stipulation being flouted by companies which use it within bid requests along with other information like device IDs, cookie IDs and location data.
IAB Europe and Google GDPR framework flaws highlighted
The ICO has examined the attempt at an industry standard around GDPR compliance, led by the Interactive Advertising Bureau Europe, and Google’s own version referred to as its “Authorized Buyers network,” having not yet synced with the IAB version. While the IAB Transparency and Consent Framework is currently undergoing an overhaul, the ICO has made it clear several fundamental areas won’t cut it. The simplest: there are over 450 companies registered with the framework, but a lot more who aren’t and continue to operate with the RTB environment. As such, consumers aren’t likely to understand the extent to which their data is used and by who. “The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent,” stated the report.
Contractual agreements are worthless
In the digital ad trading ecosystem, any data used to buy ads on the open exchange is vulnerable to leakage. If an agency or a publisher agrees to a contract with a demand-side platform or a supply-side platform, there is no way to ensure that vendor won’t knowingly or unknowingly leak that data to countless other third parties in the process of an ad impression being bought and executed. That’s why a large number of publishers, agencies, advertisers, and vendors have relied on contractual agreements to cover their backs. These contracts declare the onus for any data-privacy breach to fall directly onto the shoulders of the company processing the data on the other’s behalf. However, the ICO has now stated that these kinds of contractual agreements are void. Data controllers must triple check themselves how and where their partners share data.
Life-raft extended to small publishers
The ICO has been careful to show its recognition that despite the non-compliant use of real-time bidding on the open exchange, many smaller publishers are also reliant on this form of advertising for survival. “There are additional considerations, in particular, the economic vulnerability of many smaller UK publishers, which make it advisable for us to move carefully and observe the consequences of our actions,” stated the report.
Tinuiti Report: Facebook still in hot demand with clients, despite Apple ATT hit
According to a report from agency Tinuiti, it clients increased their ad spend 32% YOY in Q4 on Facebook and its ever-growing cousin Instagram.
With Marquee, Jellysmack looks to turn non-digital natives into a new generation of internet stars
Jellysmack, one of the largest creators of social video on the internet, is trying to use its insights to make real-life celebs more internet-famous.
Member ExclusiveMedia Briefing: Publishers grapple with an existential crisis as they prepare for post-cookie landscape
This week's Media Briefing looks at why some publishers would prefer to completely reset the online ad market amid the third-party cookie's demise rather than repeat the problems the cookie introduced.
SponsoredHow the relationship between live events and mobile devices is evolving in 2022
Sponsored by AdColony The pandemic has accelerated changes in the way people consume content — and live events are part of that transformation. For advertisers, the questions are the kind on which campaign success depends: In what ways (and numbers) have people returned to watching sports, e-sports and events such as the Grammys? Are they […]
Axios schedules its largest in-person event for April (for now)
Axios' first hybrid event of 2022 will be a two-day summit tied to its What's Next newsletter, and it is not allowing brands to buy virtual-only sponsorships.
Member ExclusiveDigiday+ Research: Where publishers see revenue growth in 2022
Publishers with diversified businesses are less optimistic about ads growth than those focused purely on advertising.