‘We expect to see change’: ICO warns ad tech not to flout GDPR
It was only a matter of time. U.K. data protection authority the ICO has investigated how the ad tech sector still uses personal data for the purposes of real-time bidding in programmatic advertising. Its verdict: not good enough.
The regulator has given ample time to businesses to show how they have adapted business processes in order to comply properly with the General Data Protection Regulation, introduced last May. But bar a small contingent of publishers and ad tech vendors, many continue to flout the law rather than risk any drop in ad revenues complying more strictly would cause.
On June. 20, the ICO released a report that specifically focuses on how the ad tech sector should comply with GDPR — an area that would be hard for it to ignore given the multiple privacy complaints made against the use of RTB in programmatic advertising by privacy activists.
The report will be circulated to the ad tech sector, and the ICO will check that its stipulations have been followed in six months’ time. It may decide then to write future guidance. The Irish DPA is also investigating many of the same issues raised in the report. Although the ICO hasn’t made any serious threats to businesses that don’t comply, it does intend for this additional clarity on certain areas of GDPR to be adhered to.
“We are clear about the areas where we have initial concerns, and we expect to see change,” wrote Information Commissioner Elizabeth Denham in the report.
Here’s a primer:
Legitimate interest is a goner
There have always been serious question marks over ad tech vendors claiming they have a legitimate interest to process individuals’ personal data for advertising purposes. But that hasn’t been enough of a deterrent it seems. While a lot more businesses have adopted more consent-led strategies after initially adopting legitimate interest strategies at the start, some continue to hide behind it.
The ICO has made it abundantly clear that claiming legitimate interest as a compliance strategy is impossible if a business is using real-time bidding. It cannot be used for bid-request processing, the only option is for businesses to obtain consumer consent.
Ad tech is flouting special-category data rule
GDPR outlines that special-category data — relating to especially sensitive data such as ethnic origin, and health background, to religion, political and sexual orientation — has always been dangerous ground for any ad tech business. Processing this kind of data requires an extra layer of protection as GDPR specifies that it risks harming individuals if misused. The ICO has now stated that any processing of this kind of data is unlawful without explicit consent. But it has also flagged that is has witnessed this GDPR stipulation being flouted by companies which use it within bid requests along with other information like device IDs, cookie IDs and location data.
IAB Europe and Google GDPR framework flaws highlighted
The ICO has examined the attempt at an industry standard around GDPR compliance, led by the Interactive Advertising Bureau Europe, and Google’s own version referred to as its “Authorized Buyers network,” having not yet synced with the IAB version. While the IAB Transparency and Consent Framework is currently undergoing an overhaul, the ICO has made it clear several fundamental areas won’t cut it. The simplest: there are over 450 companies registered with the framework, but a lot more who aren’t and continue to operate with the RTB environment. As such, consumers aren’t likely to understand the extent to which their data is used and by who. “The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent,” stated the report.
Contractual agreements are worthless
In the digital ad trading ecosystem, any data used to buy ads on the open exchange is vulnerable to leakage. If an agency or a publisher agrees to a contract with a demand-side platform or a supply-side platform, there is no way to ensure that vendor won’t knowingly or unknowingly leak that data to countless other third parties in the process of an ad impression being bought and executed. That’s why a large number of publishers, agencies, advertisers, and vendors have relied on contractual agreements to cover their backs. These contracts declare the onus for any data-privacy breach to fall directly onto the shoulders of the company processing the data on the other’s behalf. However, the ICO has now stated that these kinds of contractual agreements are void. Data controllers must triple check themselves how and where their partners share data.
Life-raft extended to small publishers
The ICO has been careful to show its recognition that despite the non-compliant use of real-time bidding on the open exchange, many smaller publishers are also reliant on this form of advertising for survival. “There are additional considerations, in particular, the economic vulnerability of many smaller UK publishers, which make it advisable for us to move carefully and observe the consequences of our actions,” stated the report.
‘I could barely walk’: Some COVID long-haulers radically reduce work hours to cope with symptoms
Professionals who are COVID long-haulers, have had to radically adjust their working schedules in order to cope with symptoms.
Member ExclusivePublishing Summit Recap: Publishers establish infrastructure to future-proof data sets
Publishers shared insights at the Digiday Publishing Summit at the end of September in Miami.
Dow Jones expands Twitter ad revenue-sharing deal to include more properties and for additional years
Dow Jones is adding Barron's, MarketWatch and Investor's Business Daily to become part of Twitter's Amplify program, which has helped the media company to attract social ad buyers.
SponsoredQuestion of the Day: The state of the holiday season for publishers
The Digiday Publishing Summit brought leaders in the world of media companies together with the platform and technology partners that work with them. Across the course of three days in Miami, in September 2021, experts and executives framed the state of publishing — identifying trends and next steps to follow in the year to come. In […]
Publisher and agency executives scrutinize email-based universal IDs as the third-party cookie’s long-term heir apparent
Email-based universal IDs may improve upon the cookie in some ways, but relying upon the email address can introduce privacy concerns.
Member ExclusiveMedia Buying Briefing: A look at the big topics at the Media Buying Summit this week
Media buyers, planners and clients’ efforts to adapt to a changed world will be addressed in a number of ways at Digiday’s Media Buying Summit in Miami this week.