Insights Information Commissioner’s Office publishes blog on “Adtech – the reform of real time bidding has started and will continue”

Simon McDougall, ICO Executive Director of Technology and Innovation, blogs that the adtech real time bidding (RTB) industry is complex, involving thousands of companies in the UK alone. Many different actors and service providers sit between the advertisers buying online advertising space and the publishers selling it.

The ICO published a report in June 2019, which identified a range of issues and found that any organisation that has not properly addressed these issues risks operating in breach of data protection law.

In Mr McDougall’s view, this is “a systemic problem” and the industry needs to collectively reform RTB. Following the report, the ICO gave industry six months to work on the points raised. Now, Mr McDougall reports, two organisations in the industry are starting to make the changes needed:

  1. the Internet Advertising Bureau (IAB) UK has agreed a range of principles and is developing its own guidance for organisations on security, data minimisation, and data retention, as well as UK-focused guidance on the content taxonomy. It will also educate the industry on special category data and cookie requirements, and continue work on some specific areas of detail;
  2. Google has said it will remove content categories and improve its process for auditing counterparties. It has also recently proposed improvements to its Chrome browser, including phasing out support for third party cookies within the next two years;

Mr McDougall also reports that the ICO has received commitments from other UK advertising trade bodies to produce guidance for their members.

However, while many organisations are on board with the changes that need making, Mr McDougall says that “some appear to have their heads firmly in the sand”. The ICO has reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB and the ICO’s current view is that the justification offered by organisations is “insufficient”. Further, the Data Protection Impact Assessments the ICO has seen have been generally “immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual”. The ICO has also seen examples of basic data protection controls around security, data retention and data sharing being insufficient.

Accordingly, the ICO is developing “an appropriate regulatory response”. It will continue to investigate RTB, Mr McDougall says, and while it is too soon to speculate on the outcome of that investigation, given the ICO’s understanding of the lack of maturity in some parts of this industry the regulator anticipates that “it may be necessary to take formal regulatory action”.

Mr McDougall concludes that the most effective way for organisations to avoid the need for further regulatory scrutiny or action is to “engage with the industry reform and transformation” and “encourage their supply chain to do the same”. He says he is both “heartened” at the progress made, and “disappointed” that some are still ignoring the message. “Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.” To read the blog post in full, click here.