Change is afoot at the U.K.’s data protection watchdog, responsible for enforcing the General Data Protection Regulation.
Top execs from the Information Commissioner’s Office have been on a PR push of late, appearing on stage at industry events, agreeing to interviews with the press to deliver a simple message, again and again: Take GDPR more seriously because the industry’s initial attempts to comply have come up short.
It’s a somewhat unprecedented, open approach for a data protection authority. Before the tour, ICO execs like executive director for technology policy and innovation Simon McDougall were arguably unknown to anyone who sat outside of a corporate policy team. Now, whether it’s through Q&As at conferences or private meetings with advertisers, McDougall is becoming one of the more high-profile voices in ad tech in the U.K. In just the past month, McDougall has warned of “vague answers” in an interview with the Financial Times, spoken of “big issues” in Marketing Week, and expressed “concern about this industry” at an event hosted by media monetization firm Rezonence.
“Ad tech is unique in terms of the sheer volume of data which is massive, and the type that’s used is troubling at the same time,” he said at this week’s Rezonence event.
The rationale behind the conference appearances and interviews is simple: When the ICO rapped the knuckles of ad tech vendors in June for their misuse of personal data to target ads, it gave them a six-month deadline to make changes. With three months to go, the regulator wants to ensure there is no lack of clarity around that grace period.
These are unusual steps for a regulator to take. Typically, regulators enforce rather than seek to educate, after all. In its warning report aimed at the ad tech sector, the ICO acknowledged the complex structural underpinnings of buying and selling ads on the open exchange via real-time bidding. The regulator isn’t gunning to cripple ad tech and, by extension, the publishers reliant on programmatic advertising revenue, with its enforcement, said McDougall at the event. Nor does it want to further stifle competition in what’s already an ad market dominated by a few major players, aka Google and Facebook.
But that’s not to say the regulator is a soft touch. As recently as ExchangeWire’s ATS event earlier this month, the ICO’s head of technology and policy Ali Shah warned ad tech vendors not to take its light-touch approach to enforcing GDPR on real-time bidding as a sign it would go easy on the industry. In fact, he said there would be casualties among the ad tech community if vendors continued to breach the law.
Shah’s tough stance ahead of the December deadline is part of a strategy to exert maximum pressure without slamming the door shut.
In the 16 months since the GDPR came into effect, the ICO has played good cop to the bad cop approach taken by some of its counterparts across Europe, gently nudging the ad tech industry to get its house in order.
“Despite the grace period provided by the ICO, I have seen no indication of any sort that the RTB industry will reform itself,” said Johnny Ryan, chief policy and industry relations officer at browser Brave. “RTB continues to be the largest data breach yet recorded. This is not an abstract problem of legal theory: I fear that every voter in the next U.K. election will have been profiled using data about them leaked out of the RTB system,” said Ryan. He believes it’s essential that the ICO steps in and enforces the law once its grace period ends. “It would have been far better if it had acted far sooner. The industry must be forced to reform.”
When the ICO started to scrutinize Google in February, it said it had received complaints over Google’s heavy-handed data collection for ad targeting, but stopped short of launching a full probe of those practices. But when the Irish Data Protection Commission launched its own investigation into Google three months later it did so with a statutory inquiry into how the company’s ad exchange uses personal data to target people online. Regulators don’t do that unless there’s a problem they need to confirm and subsequently take action on. The ICO, however, has refrained from making similar moves on ad tech to date in part because the Irish DPA is the lead privacy regulator for Google and Facebook in Europe. The U.K. regulator has also arguably had bigger fish to fry.
Hefty fines have already been dished out to British Airways and Marriott International for £183 million ($226 million) and £99 million ($122 million), respectively, for GDPR data breaches. These were major customer data breaches, deemed an act of negligence on behalf of the companies. Both incidents were the result of colossal cyber hacks that pose a more immediate threat to personal data versus the damage caused by targeting a banner ad to a site. Fining ad tech vendors for data breaches doesn’t seem to be as clear-cut. So much so that the ICO seems to have used the PR tour as well as ongoing meetings with the Internet Advertising Bureau in the U.K. and Europe and Google to get to grips with how personal data is traded between companies.
Hires have also been made to sharpen that internal expertise, with plans to grow the regulator from the 750 headcount it covers now to around 800 over the next 12 months. The more ad tech knowledge the ICO has been able to gain, the clearer its guidance to the industry has got for certain unanswered questions.
Whether ad tech vendors have a legitimate interest in using personal data to target ads has caused no small amount of confusion in ad tech circles. Some vendors have used it as a legal basis for collecting and processing personal data. Even the IAB’s Transparency and Consent framework, which is pitched as a standardized framework for compliance with the GDPR, was revamped to incorporate legitimate interests. The problem is the ICO has since dismissed that idea. There’s a strong chance that something developed to offer data privacy isn’t privacy compliant.
“The ICO is saying legitimate interests are knackered, but the TCF is so far down the line that people will start passing legitimate interests as a basis for consent that’s in complete conflict with the regulator,” said Stuart Colman, sales vp at ad tech vendor InfoSum. “My gut tells me the industry won’t move forward enough for a variety of political, commercial and structural reasons. The ICO can’t keep sitting there giving us another six months to fix things. That’s not their job.”