WTF is the ICO? (and why ad tech should worry)
As data protection becomes an increasingly global conversation, businesses are having to familiarize themselves with a growing list of international data protection authorities and government departments. One of them is the U.K.’s ICO.
ICO stands for Information Commissioner’s Office (not — as commonly misinterpreted outside the U.K. — for the cryptocurrency-related term Initial Coin Offering) and is the U.K.’s lead data protection authority. To date, its importance has been understood predominantly in the U.K., but with the U.S. and other countries adopting similar laws to the General Data Protection Regulation, that needs to change quickly.
WTF is the ICO?
The ICO can be considered the U.K. equivalent of the Federal Trade Commission’s Bureau of Consumer Protection. With over 700 employees, the ICO is one of the biggest and best-resourced data protection authorities in Europe, alongside Germany’s. It is the official body designated to rule whether a business is in breach of the EU’s General Data Protection Regulation in the U.K. market. It has the power to issue any business it deems in breach of the GDPR with financial penalties of up to €20 million ($23 million) or 4% of a company’s annual revenue (whichever is higher). It has already fined numerous digital businesses for misuse of consumer data.
So, the ICO is basically the same as the FTC?
Not really. Like the ICO in the U.K., the FTC is the de facto privacy regulator in the U.S. But the legal frameworks each body enforces are very different. The U.K. has stronger laws, particularly with GDPR, yet the FTC has been a more active enforcer to date — and has issued larger fines. The FTC’s largest privacy-focused penalty to date was the $22.5 million fine levied at Google for its circumvention of Safari consumer privacy settings in 2012.
Why is the ICO a worry for ad tech?
The ICO sets the bar for how strictly it will enforce GDPR. Just over a year has passed since GDPR was enforced last May, and the ICO has been quietly investigating the ad tech sector’s application of the law. So far, it hasn’t liked what it has seen. On June 20, it issued a report intended as a warning to ad tech to clean up its act. It outlined several areas in which ad tech should not be operating, specifically in how personal data is used within programmatic advertising’s real-time-bidding methods, which take place on the open exchange.
Why is this relevant for the U.S. market if it’s a U.K. regulator?
It is likely that given the size and resources of the ICO among Europe’s data protection authorities, privacy activists in the U.S. will seize on this document as a tool with which to further strengthen their lobbying for more data privacy scrutiny in the U.S. “That document is 100% going to be part of the dialogue in the U.S.,” said Brian Kane, co-founder of U.S. ad tech firm Sourcepoint. “Its analysis is not European — it is around the technological framework [of programmatic advertising,] which is global by design. It will be mimicked and reproduced and introduced as part of the conversation in the U.S.”
But for now, the ICO is more of a worry for ad tech companies in Europe, right?
Wrong. GDPR may once have been a Europe-only problem, but its tentacles have since stretched far outside of Europe. In the U.S., California has passed its own equivalent, the California Consumer Privacy Act, due to roll out in 2020. New York and Washington State are exploring their own alternatives, and the state of Nevada has just launched its own version. U.S. Congress is already discussing whether or not to implement a federal rather than state-by-state law. Last year, several ad tech vendors like Drawbridge and Verve exited Europe citing GDPR as their prime reason, only to be hit with the CCPA, which they have no choice but to comply with, according to ad tech sources. The ICO does have the right to make cases against any U.S. company that has services in Europe, regardless of where their ad servers are based, although it has yet to enforce that.
Has the ICO fined a global company yet, or just domestic?
The ICO has already sought to issue Facebook with a maximum punishment for its part in the Cambridge Analytica scandal. Granted, the fine given was only £500,000 ($635,000) — a sum that can be easily dismissed as a drop in the ocean for the social platform. The ICO was criticized for this. But the core point that gets overlooked is that the ICO would have had the power to fine up to 4% of Facebook’s annual revenue had the investigation taken place after the arrival of GDPR. For Facebook, that would be into the billions. The ICO was clear that had it been able to investigate post-GDPR, the fine would have been far closer to that maximum penalty.
Last March, the British Parliament also granted the ICO the power to raid Cambridge Analytica’s offices and examine its records. A couple of months later, the ICO ordered Cambridge Analytica to hand over all data and information it held on David Carroll — a U.S. citizen and associate professor at Parsons School of Design in New York — who had previously been denied access by the company. That legal decision paved the way for millions of other American voters to request their data back from the firm under British data protection laws. Carroll wasn’t able to obtain the information under U.S. law.
“The ICO is one of the largest, if not the largest DPA in Europe — their perspective matters,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “They have significant resources in terms of investigators and attorneys, and their experience on the Facebook investigation also makes them very informed.”
Are there individual commissioners we should watch?
By now, most in the media and advertising industries in the U.S. will be familiar with Danish politician Margrethe Vestager, the lead commissioner for the European Commission who has brought significant antitrust fines against Google owner Alphabet and has also issued major fines to Apple and Amazon for unpaid taxes in 2017. But others to watch include the ICO’s chief commissioner, Elizabeth Denham, who is the former data privacy commissioner for Canada and the face of GDPR, and who led the Cambridge Analytica U.K. investigation. Her counterpart at the Irish DPA, Helen Dixon, is another one to watch.
Why is the Irish DPA important to know about too?
The Irish DPA may not match the size, resources or profile of the ICO, but that is likely to change. That is because Facebook’s and Google’s official European headquarters are in Ireland, which means that their allocated lead authority for GDPR is the Irish DPA, not the ICO, nor the French DPA, CNIL, which has already sought to fine Google €50 million ($57 million) for violating GDPR. The Irish DPA now has dozens of investigations underway into businesses, including Facebook and Google. Its verdicts, and the line taken by its chief commissioner Helen Dixon, will have ramifications on the entire global ad tech market.