Latest ICO adtech ‘warning’ infuriates privacy groups

adtech programmaticThe Information Commissioner’s Office is once again under fire over its inaction on the adtech industry’s mass abuse of data, despite the regulator launching a pre-emptive strike against firms developing new systems designed to replace third-party cookies.

In a new Commissioner’s “Opinion”, published late last week, the watchdog has warned companies that are developing new solutions that they must comply with data protection law and stop the excessive collection and use of people’s data.

The standards demand that new digital advertising technologies offer people the ability to receive ads without tracking, profiling or targeting based on swathes of personal information.

Where people choose to share their data, all companies within the adtech supply chain must ensure there is meaningful accountability, and give people control over their data and the ability to exercise their information rights, the ICO states.

Additionally, companies should be able to justify that the use of personal data for online advertising is fair, necessary and proportionate, as well as be clear with people about how and why their information is being used.

Currently, one of the most significant proposals in the online advertising space is the Google Privacy Sandbox. The ICO has been working with the Competition & Markets Authority (CMA) to review how Google’s plans will safeguard people’s personal data while, at the same time, supporting the CMA’s mission of ensuring competition in digital markets. This has resulted in the CMA securing improved commitments from Google on its proposals to remove third party cookies and other functionalities from its Chrome browser.

Information Commissioner Elizabeth Denham said: “Digital advertising is a complex ecosystem that grew quickly with the ecommerce boom and without people’s privacy in mind.

“What we found during our ongoing adtech work is that companies are collecting and sharing a person’s information with hundreds, if not thousands of companies, about what that person is doing and looking at online in order to show targeted ads or content. Most of the time, individuals are not aware that this is happening or have not given their explicit consent. This must change.

“That is why we want to influence current and future commercial proposals on methods for online advertising early on, so that the changes made are not just window dressing, but actually give people meaningful control over their personal data.

“I am looking for solutions that eliminate intrusive online tracking and profiling practices, and give people meaningful choice over the use of their personal data. My office will not accept proposals based on underlying adtech concepts that replicate or seek to maintain the status quo.”

But despite some data protection experts arguing that the only solution is co-ordinated action by regulators on an international basis, the ICO’s latest warning has irked privacy campaigners, who have long argued that the UK watchdog should be far tougher on the issue.

Open Rights Group executive director Jim Killock said: “The ICO has investigated, reported twice and explained repeatedly that the Google and the IAB-led adtech industry are in massive breach of the law.

“Billions of pieces of personal information are shared without meaningful security or consent. Yet we have seen no actual enforcement action.

“The ICO cannot delay and prevaricate indefinitely. Each time it swerves away from action, it is sending the signal that data protection laws are optional, negotiable, and ultimately of secondary importance even to the regulator. We need better than that.”

Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties’ and a long-term crusader against the adtech industry, has taken a slightly more conciliatory approach, by welcoming the Opinion. Even so, he added: “ICO enforcement would convince the industry far more effectively than today’s restating of data protection principles that have applied for 17 years.”

Both organisations point to imminent action from the Belgian Data Protection Authority – Autorité de la Protection des Donnés – which is close to issuing a potentially significant draft adtech ruling. This will conclude that the IAB’s Transparency & Consent Framework (“TCF”), widely used across the industry, is in breach of GDPR.

In response, Ryan said at the time: “We have won. The online advertising industry and its trade body, IAB Europe, have been found to have deprived hundreds of millions of Europeans of their fundamental rights. We hope the decision of the Belgian authority will finally force the online advertising industry to reform.”

Related stories
Privacy groups claim victory over looming adtech ruling
Targeted ads use ‘illegal surveillance’, lawmakers told
War on ‘illegal’ adtech RTB heads to the German courts
ICO gunning for data brokers as adtech probe resumes
DMA wades into ICO row over axed adtech investigation
Adtech breach widens, two years after first complaints
$273bn behavioural ad industry ‘is in breach of GDPR’

Print Friendly