‘We will use our powers’: ICO prepares to go to battle with ad tech industry

Brands and businesses in the advertising sector that have failed to engage with the UK privacy regulator’s efforts to reform real-time-bidding (RTB) face imminent regulatory action if they do not act quickly.

The Information Commissioner’s Office (ICO) says while a number of industry participants have made efforts to engage with the changes that need making to the way personal data is used, some organisations still have “their heads firmly in the sand” and it is “clear that engagement alone will not address all these issues”.

As such, the ICO is warning those that have so far failed to engage or transform to “prepare for the ICO to utilise its wider powers”. It is currently using the intelligence it has gathered over the last year to develop an “appropriate regulatory response”.

The regulator’s main concerns centre around the use of legitimate interest in processing personal data in RTB. It has also criticised companies for “immature” Data Protection Impact Assessments that it claims lack detail and do not follow the ICO’s recommended steps. There have also been examples where companies are failing to introduce even basic data protection controls.

The move comes after the ICO’s review into real-time bidding last summer found a number of brands continuing to fund businesses that misuse people’s personal data. It raised particular concerns about the use of sensitive data – data that relates directly to health, sexuality or religion – which is being shared and used without people’s consent at scale.

The ICO gave the industry six months to work on the points it raised in June’s report and says it believes any that have not addressed these issues is now in breach of data protection law.

Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.

Simon McDougall, ICO

“We are confident that any organisation that has not properly addressed these issues risks operating in breach of data protection law,” says the ICO’s executive director of technology and innovation, Simon McDougall, at the time.

“This is a systemic problem that requires organisations to take ownership for their own data processing, and for industry to collectively reform RTB.”

It is not all bad news for the ad tech industry. The ICO two key industry organisations that have started to make positive changes during that time.

The Internet Advertising Bureau (IAB) UK has agreed a range of principles that align with the ICO’s concerns and is developing its own guidance for organisations on security, data minimisation and data retention, as well as UK-focused guidance on the content taxonomy.

The UK’s industry body for digital advertising has also pledged to educate the industry on special category data and cookie requirements.

“We have made good progress, but what matters now is the outcome,” says IAB UK head of policy and regulatory affairs Christie Dennehy-Neil.

“Implementing the actions outlined in our response to the ICO needs our members and the wider industry to work with us and be willing to take action where necessary to deliver meaningful change.”

UK privacy regulator calls on brands to stop ‘bankrolling’ illegal activities

Separately, Google will remove content categories and improve its process for auditing counterparties. It has also recently proposed improvements to its Chrome browser, including phasing out support for third-party cookies within the next two years.

The ICO says it has also received commitments from other UK advertising trade bodies to produce guidance for their members, and that it will continue to engage with industry where it thinks engagement will deliver the most effective outcome for data subjects.

“The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same,” McDougall adds.

“I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.”

Nick Johnson, an adtech lawyer at Osborne Clarke, says today’s announcement is a statement of intent that enforcement actions are imminent, which may include large GDPR fines for advertising sector businesses.

“The regulator has its sights firmly fixed on those businesses which say they rely on legitimate interests rather than individuals’ consent,” Johnson says.

“What the ICO says about the IAB framework suggests that those who have signed up for that framework and properly implemented its principles may be much less at risk of enforcement action than others.”