ICO fixes the ad tech industry in its sights

Over recent months the UK’s data protection authority, the Information Commissioner’s Office (ICO), has clearly fixed the ad tech industry within its sights.

In June 2019 the ICO announced, with the publication of its “Update report into ad tech and real time bidding”, that the way personal data was currently used by ad tech firms within programmatic advertising transactions via real-time bidding (RTB) on the open exchange was, in its view, not compliant with GDPR.

One of the report’s conclusions, which followed an extensive industry investigation by the ICO, was that ad tech businesses could not rely on ‘legitimate interest’ as a justification for the use of personal data within programmatic advertisement trading on the open exchange. The report acknowledged that many ad tech firms still need to address the issue of how they justify the use of personal data within programmatic ad trading on the open exchange, and so the ICO would give firms six months to get their houses in order.

This message was followed up recently at a London conference in September 2019. Ali Shah, the ICO’s head of technology and policy, invited ad tech firms to engage positively with the ICO if they were relying on legitimate interest, rather than consent, to justify their processing of personal data. Mr Shah said that if firms believe they have a business case for continuing with their current practice, they should approach the ICO to make that case. This is to be welcomed, as some in the industry believe that the ICO has not fully grasped the complexities of the issue.

Those who come forward by the end of the year will not, apparently, be subject to financial penalties. However, it should not be assumed that hefty fines will be withheld after that. We have already seen the ICO fine Facebook the maximum it was entitled to under the previous legislation, and state its intention to fine Marriott International and British Airways £99 million ($122 million) and £183 million ($226 million) respectively for breaches of GDPR.

The ICO also now has the resources and technological expertise to pursue such breaches, having added hundreds of staff in the last few years, bringing the total staff to ca. 700 and making it one of the largest data protection authorities in the world.

Having said this, the ICO seemingly does not wish to hinder technological innovation either. It has now opened the beta phase of its Sandbox, a new service designed to support organisations using personal data to develop products and services that are innovative and have demonstrable public benefit.

It has conducted extensive consumer research, in which 63% of 2,000 respondents said they would be content for their data to be used for personalized advertising. But this number halved when they were told exactly how their data was used, by multiple digital partners in the advertising supply chain, in order to do that.

Speak to us about how we can help you with implementing GDPR practices in your organisation to fulfil your GDPR requirements. Contact Matthew Clayton or Kym Fletcher.