ICO pulls no punches in new report into adtech

In a report issued yesterday, the ICO issued an unmitigated slap-down of the adtech industry, branding it ‘immature in its understanding of data protection requirements’.

Specifically, the report mentions concerns about the methods of ‘real-time bidding’ (RTB), for which adtech companies rely on legitimate interest grounds of GDPR, rather than the higher standard of consent as outlined in PECR which should be used to gather information about customers through reading cookies.

In other words, adtech companies are not lawfully gaining customer consent for the processing of personal data.

Furthermore, the ICO outline that, even if legitimate interest was the correct legal ground for processing, there is no evidence to suggest companies are carrying out relevant legitimate interest assessments as is also required by law.

Similarly, the report outlines how the sharing of detailed customer profiles to hundreds of other companies is done without the valid consent of users.

Recently, the ICO has recognised that many businesses in many sectors need more time to comply with requirements around privacy by design and privacy policy requirements. This is mirrored here too—though more strongly—as the report says ‘privacy information provided to individuals [by adtech companies] lacks clarity whilst also being overly complex’.

Finally, the ICO raise concerns about the legality of retention—including data minimisation—and the subsequent security of personal data. Their conclusion states that individuals have ‘no guarantees’ about the safety of their data processed and stored by adtech companies.

A full summary is available on page 23 of the report.

DMA Director of Policy and Compliance, John Mitchison, said:

“For a long time, individuals and organisations have raised concerns about the advice and practices of industry bodies and individual businesses. The ICO has finally given its opinion of the adtech industry and whether or not the practices relied on by so many organisations are compliant. As many suspected they are not and the industry must accept this harsh reality in order to make the changes necessary to come up the higher standards set by GDPR. These changes might have to be more significant than just tinkering around the edges in an attempt to retain the status quo.

If the digital marketing industry is to remain unencumbered by strict legislation, it must get its act together to ensure that their businesses comply with the laws that govern online practices. Ignorance of the interplay between GDPR and PECR cannot be an excuse.

Ultimately, this report ties into wider conversations about trust in our industry. Businesses must learn that they will not be successful in the long run if they do not have the complete trust of their users and customers.

While many have made great steps forward in their data protection practices following GDPR and as a consequence of the numerous high-profile data breaches of 2018, this report reminds us there is still much to do.”

The ICO acknowledges that digital marketing is ‘here to stay’. But, this doesn’t necessarily offer a cast-iron assurance to adtech companies that they might be looking for. After all, digital marketing can be limited substantially and still be digital marketing. Businesses will have to keep a keen ear to the road to discover and move toward responsible and law-abiding practices if they want to prevent regulation cracking down in future.

The ICO says the adtech industry will be given a chance to respond to the report. It is not said whether these responses will be published.

If you would like to discuss this further, please contact the policy and compliance team.