‘We expect to see change’: ICO warns ad tech not to flout GDPR
It was only a matter of time. U.K. data protection authority the ICO has investigated how the ad tech sector still uses personal data for the purposes of real-time bidding in programmatic advertising. Its verdict: not good enough.
The regulator has given ample time to businesses to show how they have adapted business processes in order to comply properly with the General Data Protection Regulation, introduced last May. But bar a small contingent of publishers and ad tech vendors, many continue to flout the law rather than risk any drop in ad revenues complying more strictly would cause.
On June. 20, the ICO released a report that specifically focuses on how the ad tech sector should comply with GDPR — an area that would be hard for it to ignore given the multiple privacy complaints made against the use of RTB in programmatic advertising by privacy activists.
The report will be circulated to the ad tech sector, and the ICO will check that its stipulations have been followed in six months’ time. It may decide then to write future guidance. The Irish DPA is also investigating many of the same issues raised in the report. Although the ICO hasn’t made any serious threats to businesses that don’t comply, it does intend for this additional clarity on certain areas of GDPR to be adhered to.
“We are clear about the areas where we have initial concerns, and we expect to see change,” wrote Information Commissioner Elizabeth Denham in the report.
Here’s a primer:
Legitimate interest is a goner
There have always been serious question marks over ad tech vendors claiming they have a legitimate interest to process individuals’ personal data for advertising purposes. But that hasn’t been enough of a deterrent it seems. While a lot more businesses have adopted more consent-led strategies after initially adopting legitimate interest strategies at the start, some continue to hide behind it.
The ICO has made it abundantly clear that claiming legitimate interest as a compliance strategy is impossible if a business is using real-time bidding. It cannot be used for bid-request processing, the only option is for businesses to obtain consumer consent.
Ad tech is flouting special-category data rule
GDPR outlines that special-category data — relating to especially sensitive data such as ethnic origin, and health background, to religion, political and sexual orientation — has always been dangerous ground for any ad tech business. Processing this kind of data requires an extra layer of protection as GDPR specifies that it risks harming individuals if misused. The ICO has now stated that any processing of this kind of data is unlawful without explicit consent. But it has also flagged that is has witnessed this GDPR stipulation being flouted by companies which use it within bid requests along with other information like device IDs, cookie IDs and location data.
IAB Europe and Google GDPR framework flaws highlighted
The ICO has examined the attempt at an industry standard around GDPR compliance, led by the Interactive Advertising Bureau Europe, and Google’s own version referred to as its “Authorized Buyers network,” having not yet synced with the IAB version. While the IAB Transparency and Consent Framework is currently undergoing an overhaul, the ICO has made it clear several fundamental areas won’t cut it. The simplest: there are over 450 companies registered with the framework, but a lot more who aren’t and continue to operate with the RTB environment. As such, consumers aren’t likely to understand the extent to which their data is used and by who. “The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent,” stated the report.
Contractual agreements are worthless
In the digital ad trading ecosystem, any data used to buy ads on the open exchange is vulnerable to leakage. If an agency or a publisher agrees to a contract with a demand-side platform or a supply-side platform, there is no way to ensure that vendor won’t knowingly or unknowingly leak that data to countless other third parties in the process of an ad impression being bought and executed. That’s why a large number of publishers, agencies, advertisers, and vendors have relied on contractual agreements to cover their backs. These contracts declare the onus for any data-privacy breach to fall directly onto the shoulders of the company processing the data on the other’s behalf. However, the ICO has now stated that these kinds of contractual agreements are void. Data controllers must triple check themselves how and where their partners share data.
Life-raft extended to small publishers
The ICO has been careful to show its recognition that despite the non-compliant use of real-time bidding on the open exchange, many smaller publishers are also reliant on this form of advertising for survival. “There are additional considerations, in particular, the economic vulnerability of many smaller UK publishers, which make it advisable for us to move carefully and observe the consequences of our actions,” stated the report.
Member Exclusive‘Math doesn’t add up’: Publishers still face tough choices
“Just salary cuts will at most bring the costs down by 10%, at most, I can guarantee,” one exec messaged me.
Complex Networks plans to diversify its way through the pandemic
Complex Networks bills itself as one of the most diversified digital media companies in the business, so it’s counting on diversification to protect its business.
‘Rats out of the sewers’: Ad fraudsters are leaping on the coronavirus crisis
For ad fraudsters, the coronavirus pandemic is a crisis too tempting to go to waste. Website traffic is surging. But with advertisers adding coronavirus-related keywords to their block lists and others pausing spend altogether, ad prices on news sites are low. With less competition in the auction, low quality ads — and even publishers’ own […]
SponsoredRegulations are prompting publishers to develop new strategies around user log-ins
In a post-GDPR and post-cookie world, more publishers are making concerted efforts to explain the value of their content to users and increase the volume of consumer authentication.
WTF are post-auction discounts?
Post-auction discounts let advertisers compete in the auction as if it bid $6 or $7 or more, but then benefit from a discount after winning the auction.
Highsnobiety closes commerce, cuts 25% of staff
Highsnobiety was one of a few publishers who invested in product creation for its commerce business, rather than just peppering its site with affiliate links.