The ICO’s adtech industry investigation resumes

United Kingdom


On 22 January 2021, the Information Commissioner’s Office (ICO) announced that it was resuming its investigation into the adtech industry, which had focused specifically on real time bidding (RTB). The previous investigation, which the ICO launched in February 2019, was paused in May 2020 due to the need for the ICO to focus its resources elsewhere during the COVID-19 pandemic.

In its new statement, the ICO has warned organisations in the adtech sector to urgently assess how they use personal data. The regulator signalled that it plans to conduct a series of audits on companies’ data management platforms as well as looking more closely at the role data brokers play in the adtech industry.


RTB allows website publishers to auction off advertising space on their website or app to advertisers who want to target the particular individual visiting the site. Within milliseconds, advertisers automatically place bids to compete against other advertisers for the space. RTB is one of the most widely used technologies in programmatic (automated) advertising and accounts for billions of online adverts placed on webpages and apps every day in the UK.

As the UK’s regulator responsible for data protection, the ICO’s focus on RTB stems from the complexity and scale of its use and the risks that it poses to the rights of individuals. In particular, the ICO is concerned with ensuring that people have confidence in how their data is used, especially with regard to complex online systems like RTB.

As part of its previous investigation, the ICO issued an Update report into adtech and real time bidding (ICO Report) in June 2019. The ICO Report set out certain areas of concern in respect of compliance with relevant data protection and e-privacy laws, including issues around obtaining consent from individuals, profiling and automated decision-making, large scale processing (including in respect of special category data, such as information concerning an individual’s health which is subject to more stringent rules under UK data protection law) and the tracking of location and/or behaviour of individuals.

The ICO was also concerned about how widely personal data is shared between companies and that many individuals do not understand what data about them is shared as part of the RTB process.

Following the ICO Report, the ICO said that it wanted to engage with the industry and continue to gather information before undertaking a further review six months later. In that time, the ICO spoke to a number of stakeholders, including Google and the Internet Advertising Bureau (IAB UK), the industry body for digital advertising, and also hosted a follow-up session to the initial fact-finding forum it had previously held.

Following those discussions, the ICO announced that IAB UK was developing its own guidance for organisations on security, data minimisation, and data retention, and that Google had agreed to remove content categories, and improve its auditing process.

Since then, the IAB UK has published guidance on cookies and consent, special category data and data protection impact assessments. In addition, the Data & Marketing Association (DMA) and the Incorporated Society of British Advertisers (ISBA) jointly published “The Seven-Step Ad Tech Guide”, which was produced in consultation with the ICO. For more detail about the content of the guide, please see our previous article for a summary of its recommendations.

Recommencing the investigation

In its statement announcing that its investigation had resumed, the ICO drew specific attention to the continued failure to obtain consent from individuals to whom ads were being served using RTB. In addition, the ICO stressed that where personal data is shared with hundreds of companies without putting into place appropriate safeguards, this risks the security of the data and makes it more difficult to ensure data is not retained for longer than is necessary.

The ICO will also review the role of data brokers in the adtech eco-system. This follows from its investigation into data protection compliance in the direct marketing data broking sector and its subsequent enforcement action against Experian in October 2020 for its use of personal data from its data broking businesses for direct marketing purposes in breach of data protection laws. Although passing reference had been made to data brokers in the ICO Report, the specific mention of them in the latest announcement suggests that the ICO will be looking in much closer detail at the role they play.

In addition, the new statement specifically refers to the ICO continuing its work by conducting a series of audits focusing on data management platforms, in order to better understand the current state of the industry. Adtech organisations can therefore expect to receive notices in respect of such audits over the next few months.

The ICO accepts that the investigation will be “vast and complex” and, whilst it will eventually publish its final findings, regular updates are not to be expected.

The new statement from the ICO makes clear that the regulator still has significant concerns about the way in which the adtech industry operates in terms of its compliance with data protection laws. Whilst there has been a level of engagement from the industry, the recent announcement from the ICO suggests that industry action so far has not been sufficient to resolve the compliance issues on a wide scale. Indeed, in its previous announcements, the ICO seems to suggest that targeted enforcement action taken against organisations who are not engaging with the ICO or making sufficient changes to their processes is inevitable.

Our previous article analysing the ICO Report provides some useful guidance for organisations on the steps they should take in light of the ICO’s priority areas and, given the ICO’s renewed focus on adtech, companies should ensure they are reviewing their processes and making any necessary changes as soon as possible.