Information Commissioner’s Office puts adtech companies on notice as it relaunches investigation into widespread non-compliance with privacy rules
The Information Commissioner’s Office (ICO) said it is to resume its probe into the UK’s ££13 billion advertising technology sector, following an eight-month suspension due to the pandemic.
The investigation was announced in January of last year, after the ICO said it found evidence of widespread non-compliance with the EU’s General Data Protection Regulation (GDPR), which is also enforced in UK law.
The probe was then put on hold in May, with the regulator saying it was reluctant to place “undue pressure on any industry at this time” due to Covid-19.
It added at the time that “concerns about adtech remain and we aim to restart our work in the coming months”.
One of the elements the ICO is to focus on is real-time bidding (RTB), which involves buying and selling advertising inventory in real time and trading in personal data for ad-targeting purposes.
The ICO said companies involved in RTB did not appear to be complying with GDPR protections on the commercial use of personal information.
“The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now,” said ICO deputy commissioner Simon McDougall.
“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.”
He said the ICO would carry out a series of audits focusing on digital marketing platforms, with assessment notices being issued to specific companies “in the coming months”.
The ICO said it believes the audits will give it a clearer picture of the current state of the industry.
The regulator is also to look into the role of data brokers.
This aspect of the probe follows an investigation into offline direct marketing services that resulted in an October 2020 enforcement action against credit reference agency Experian and others.
“All organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency,” McDougall said.
“We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments.”
McDougall said the ICO is working with the Competition and Markets Authority in considering Google’s Privacy Sandbox proposals, which would phase out support for third-party cookies in the Chrome browser.
The plan, announced by Google in January 2020, would oblige advertisers to access user data via Google’s own Privacy Sandbox browser technology.
Mark Thompson, global lead at KPMG’s Privacy Advisory practice, said the ICO’s statement should put firms on notice that the way they handle users’ personal information could put them at risk.
“Organisations now need to understand their risk exposure to the issues identified by the ICO – namely, whether they know what personal data they share with the ecosystem and the data protection laws that apply, how transparent they have been with their users and scrutinising their understanding of their supply chain risk,” Thompson said.
He advised organisations to look at the actions taken following recent ICO audits, as these can become enforcement notices requiring costly changes to fix problems at short notice.