Just 24 hours after the adtech sector was accused of systemic breaches of GDPR, the guns are now being turned on the data-driven marketing industry, amid warnings that the mass collection, use and storage of consumer information poses major risks to privacy and security.
Submissions to the joint Parliamentary Human Rights Committee from both regulators and privacy groups have set off alarm bells among some in the industry that the sector is facing a new crackdown on established practices.
The committee has published the evidence as part of its new inquiry into the rights of privacy in the digital environment, following last year’s Cambridge Analytica scandal.
In its submission, the Information Commissioner’s Office said: “The mass collection and aggregation of data, particularly by companies with data-driven business models, underpins the risks to individuals’ privacy at a very fundamental level.
“Businesses have always collected data on customers and users, but the rapid development of technology, particularly online, has allowed this collection and aggregation to be done on an industrial scale. It has reached the point where data collection is not simply a means to a business end, but the end in itself. Data has become the commodity.”
In April, Bounty UK was forced to scrap all its contracts with data brokers following a £400,000 fine from the ICO for illegally sharing personal information belonging to more than 14 million people.
The regulator discovered the company had shared 34.4 million records between June 2017 and April 2018 with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky.
At the time, the ICO said that the number of personal records and people affected in the case was “unprecedented” in the history of its investigations into the data broking sector.
Some in the industry claimed Bounty was being victimised for practices which had been widespread for over 20 years. But ICO deputy commissioner Steve Wood told the Human Rights Committee that the ICO was actively “calling out” private companies sharing data in this way. He said in the next few years legal precedents are likely to be set on a European level against private companies amassing data.
One industry source said: “The data-driven marketing industry has been put on notice to adapt or die. If you have your house in order, you have nothing to fear. Then again, Bounty didn’t think it was doing anything wrong and look what happened to them.”
Other organisations to file submissions to the committee include digital charity Doteveryone, which cited research that showed 62% of people are unaware that social media companies make money by selling data to third parties.
It added that ensuring digital rights are protected requires more than “one-off legislation”, and recommended the establishment of an oversight body called the Office for Responsible Technology. It added: “The entire regulatory ecosystem must be strengthened to ensure it can respond to the digital technologies in an agile and ongoing manner.”
Fears were also expressed that firms can build a profile around sensitive information such as political and religious views, socio-economic status, sexual orientation and other details of their family life.
Privacy International said: “Companies routinely derive data from other data, such as determining how often someone calls their mother to calculate their credit-worthiness. As a result, potentially sensitive data can be inferred from seemingly mundane data, such as future health risks.”
ICO: online ad industry ‘leaving millions at risk of harm’
Adspend nears £24bn with surge in data-driven activity
$273bn behavioural ad industry ‘is in breach of GDPR’
Let battle commence: first GDPR complaints are filed
Bounty ditches broker deals after £400,000 ICO fine
Experian in ICO sights as Emma’s Diary gets walloped
Major UK data firms under scrutiny as watchdog bites
Emma’s Diary first broker to be fingered in ICO probe
Cambridge Analytica row ‘lets genie out of the bottle’