The Information Commissioner’s Office (ICO) has announced it is to resume its investigation into the advertising technology, or adtech, sector after an eight-month suspension because of the Covid-19 pandemic.
Its investigation into real-time bidding (RTB), the practice of buying and selling advertising inventory in instantaneous algorithmic auctions, began in 2019 in response to concerns over the implications of RTB, which is supported by the collection and trading of the personal data of internet users.
These behind-the-scenes auctions are responsible for many of the adverts that people may perceive “follow” them round the internet, and the data collected to support the practice can include personal interests, location, income, relationship status, age, education level, gender and sexual orientation.
“Enabling transparency and protecting vulnerable citizens are priorities for the ICO,” said ICO deputy commissioner Simon McDougall. “The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.
“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.
“Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.”
The resumption of the investigation will also consider the role of data brokers, in the wake of the ICO’s investigation into offline direct marketing services, which resulted in an October 2020 enforcement action against credit reference agency Experian and others.
“All organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency,” said McDougall. “We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments.
“We are also continuing to work with the Competition and Markets Authority in considering Google’s Privacy Sandbox proposals to phase out support for third-party cookies on Chrome.”
Mark Thompson, global lead at KPMG’s Privacy Advisory Practice, said it was not surprising that RTB was once again under the microscope.
“While many in the industry may have breathed a sigh of relief when the ICO initially paused its investigation, today’s announcement should come as no surprise and should be taken as a real signal of intent from the regulator,” he said.
“Organisations now need to understand their risk exposure to the issues identified by the ICO – namely, whether they know what personal data they share with the ecosystem and the data protection laws that apply, how transparent they have been with their users and scrutinising their understanding of their supply chain risk.
Read more about cookies and adtech
- Class action lawsuits filed in Amsterdam and London will accuse Oracle and Salesforce of breaching GDPR in their processing and sharing of personal data to sell online advertising.
- Google will cancel third-party cookies by 2022 and is already eroding their value. Analysts and vendors predict what data strategies and technologies will replace it.
- Many users of online search engines are still unaware that data is being collected about them for personalised advertising, a study has revealed.
“Many organisations will need to look at the actions taken following recent audits by the regulator. These audits can soon turn into enforcement notices requiring costly changes to fix problems at short notice.”
In October 2020, digital privacy advocacy organisation The Open Rights Group brought a legal complaint against the closure of the investigation, saying that advertising firms were “driving a coach and horses” through the General Data Protection Regulation and accusing the ICO of failing to put an end to clearly unlawful practices.
It was two ORG members – executive director Jim Killock and advisory council member and digital rights specialist Michael Veale of University College London – who made the initial 2018 complaint that prompted the investigation.
In a statement responding to the reopening of the investigation, Killock said it made no sense to close complaints as if they were resolved, only to continue investigating the industry anyway.
“By closing our complaint, the ICO is in effect avoiding their accountability duties to update complainants and resolve their complaints,” he said. “If the ICO can act in this way, it makes the complaints process hollow.
“By wrongfully closing our complaints, the ICO may believe it has no timescale or need to bring these complaints to a close. We therefore will be continuing to press for resolution through the Tribunal. The case has already been fast-tracked to the Upper Tribunal, given the importance of the issues involved.”
Killock added: “The ICO has had two and a half years since our complaint. The ICO has resumed its policy of issuing threats to the industry, but has yet to make any meaningful enforcement action.”