ICO Warns AdTech Industry Over Data Protection Violations

Ross Kelly


The Open Rights Group has welcomed an ICO investigation but warned that regulators could be failing to act swiftly. 

The online advertising industry is failing to adhere to strict data protection regulations, according to the Information Commissioner’s Office (ICO).

Industry operators could be violating GDPR and the UK Data Protection Act (2018) by not gaining user consent when processing personal data – which often includes information pertaining to race, gender, political beliefs or sexuality.

These claims were outlined in a recent report published by the regulator, which reviewed how personal data is used in real-time bidding (RTB) in programmatic advertising. Real-Time Bidding is a set of technologies and practices used in online advertising, which allows advertisers to compete for available digital advertising space in milliseconds.

Billions of online adverts are placed on webpages and apps in the UK every day through automated processes such as these.

The ICO highlighted a series of key concerns related to RTB’s use within data protection frameworks. In particular, the regulator suggested it has seen little evidence that companies involved in RTB are recognising the importance of data protection impact assessments (DPIA), which are a key requirement under GDPR.

Due to these shortcomings, the risks to personal data within RTB are rarely mitigated and, more often than not, aren’t fully understood.

In a blog post, Simon McDougall, executive director for Technology Policy and Innovation at the ICO, commented: “Whilst we accept that RTB is an innovative means of advertisement delivery, our view is that, in its current form, it presents a number of challenges to good data protection practices.”

Privacy notices provided to individuals also lack clarity, the report shows, and fail to offer users “full visibility of what happens to their data”.

Additionally, the scale of the creation and sharing of personal data profiles in RTB appears “disproportionate, intrusive and unfair” – especially considering that many data subjects are unaware that this processing is even taking place.

Privacy rights watchdog, the Open Rights Group (ORG), welcomed the ICO’s move to investigate potential illegality within the adtech industry – but raised concerns about the “slow pace of action”.

Jim Killock, ORG executive director, said: “The ICO’s conclusions are strong and very welcome but we are worried about the slow pace of action and investigation. The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast.”

The processing of non-special category data could also risk violating regulations, specifically the Privacy and Electronic Communications Regulations (PECR). While companies normally do not require consent for handling this type of data, the widespread use of cookies within the industry to process information means that consent must be obtained first.

The ORG insists that the processing of this special-category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology – rather than obtaining consent.

Even if an argument can be made for reliance on legitimate interests, the watchdog insists, participants within the industry ecosystem are unable to show they have implemented appropriate safeguards.

Going forward, the ICO will continue to gather information and engage with the industry to further enhance its knowledge on the issue, McDougall said, adding that the regulator already provides guidance on the subject for companies operating within the space.

McDougall added: “If you operate in the adtech space, it’s time to look at what you’re doing now and to assess how you use personal data. We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, data protection by design and data protection impact assessments (DPIAs).”

Ross Kelly

Staff Writer
