ICO to adland: You can no longer hide behind opaque tech
People want the ad industry to use their information in a way that is lawful, transparent and secure. It's Simon McDougall's job to ensure that happens - so prepare for major change
The innovation and intelligence driving much of programmatic advertising is incredible. However, its reach, scale and complexity has created a situation we can’t ignore. In particular, with real time bidding (RTB), we have noted explosive growth in the industry, coupled with a lack of maturity across many participating firms. Some adtech players aren’t complying with the GDPR, and people don’t know what is happening with their data.
Let me be clear: we’re not out to shut down the adtech industry or to stifle innovation. But the industry needs to change. And we’ve been clear that as an industry problem, it requires an industry solution.
We began our review of the adtech sector last year, through our own policy research and by engaging with industry. Our Update Report details our initial observations, and prioritises two areas.
Our first area of concern is special category data – often known as ‘sensitive data - which covers areas such as race, religion and sexuality. There is no reason for the vast majority of adtech organisations to be processing special category data within RTB and where it is processed, explicit consent is needed.
Our work over recent months has reinforced our view that the key issues identified in our report need to be fixed"
Our other area of focus is the problems that are caused by just relying on contracts for sharing data across the supply chain. The GDPR states that before any organisation decides to share personal data they should have formed a view on whether the other organisation has the proper technical and organisational controls in place to handle the data safely. Given the nature of RTB, we do not think a sole reliance on contractual agreements is valid.
We have other concerns around adtech, for instance we’ve heard some in the industry claiming legitimate interests (LI) is a relevant lawful basis allowing personal data to be processed. This is wrong – except for some very specific exemptions in the rules, you need consent to set cookies. We remain open to seeing examples elsewhere in the ad serving process where LI may be applicable, but have not yet seen examples that meet GDPR requirements.
So, where do we go from here?
As a pragmatic regulator, we deliberated over all the options available to us and decided the best course of action would be to give the industry time to reflect and review its practices to address our concerns and enable us to keep learning.
We adopted this approach as we know the ecosystem is complex and complicated. We also understand that many smaller publishers rely on this business model and would be vulnerable if we decided to pursue regulatory action straight away.
Fewer heads remain in the sand and there is a greater understanding that change is coming"
Our work over recent months has reinforced our view that the key issues identified in our report need to be fixed. We’ve identified the issues and now the industry must find its own solutions. If we don’t see fundamental changes then we will have to consider our next steps, which could include regulatory action.
People want clarity and explanations. It is no longer sufficient to hide behind complex and opaque technology. “It’s complicated” is no longer an excuse. People expect players across the advertising industry to use their information in a way that is respectful, lawful, transparent and secure.
In terms of the industry finding its own solutions, Google’s recent announcement is an important statement of intent and we look forward to seeing what practical impact it will have on its operating model and the industry more widely. Our dialogue with IAB UK and IAB Europe has also been productive and we are continuing to discuss a range of initiatives and changes.
We also held our second Adtech Fact Finding Forum on Tuesday 19 November. We brought together the participants from our March event and heard from Google and IAB UK on the changes they are planning. We also held a breakdown sessions, giving participants the opportunity to discuss the two themes of bid requests and information security in greater depth.
Rounding the day off, we heard from the DMA and ISBA and also moderated a panel on the Future of Adtech. Overall, it was a successful day and we were struck by the change of tone in the room. Fewer heads remain in the sand and there is a greater understanding that change is coming.
The GDPR applies to all sectors and adtech is no exception. We understand that real change is challenging, but real change is needed. We look forward to continuing to work with industry to make this change happen.
Simon McDougall is Executive Director for Technology and Innovation at Information Commissioner’s Office