17 January 2020
A blog by Simon McDougall, ICO Executive Director of Technology and Innovation
The adtech real time bidding (RTB) industry is complex, involving thousands of companies in the UK
There is a significant lack of transparency due to the nature of the supply chain and the role different actors play. Our June 2019 report identified a range of issues. We are confident that any organisation that has not properly addressed these issues risks operating in breach of data protection law.
This is a systemic problem that requires organisations to take ownership for their own data processing, and for industry to collectively reform RTB. We gave industry six months to work on the points we raised, and offered to continue to engage with stakeholders. Two key organisations in the industry are starting to make the changes needed.
The Interactive Advertising Bureau (IAB) UK has agreed a range of principles that align with our concerns, and is developing its own guidance for organisations on security, data minimisation, and data retention, as well as UK-focused guidance on the content taxonomy. It will also educate the industry on special category data and cookie requirements, and continue work on some specific areas of detail. We will continue to engage with IAB UK to ensure these proposals are executed in a timely manner.
Separately, Google will remove content categories, and improve its process for auditing counterparties. It has also recently proposed improvements to its Chrome browser, including phasing out support for third party cookies within the next two years. We are encouraged by this, and will continue to look at the changes Google has proposed.
Finally, we have also received commitments from other UK advertising trade bodies to produce guidance for their members.
If these measures are fully implemented they will result in real improvements to the handling of personal data within the adtech industry. We will continue to engage with industry where we think engagement will deliver the most effective outcome for data subjects.
This progress has only been possible through the investment of substantial time and goodwill by many industry participants. However, while many organisations are on board with the changes that need making, some appear to have their heads firmly in the sand. It is now clear to us that engagement alone will not address all these issues. For instance, we have reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. Our current view is that the justification offered by organisations is insufficient. Furthermore, the Data Protection Impact Assessments we have seen have been generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual. We have also seen examples of basic data protection controls around security, data retention and data sharing being insufficient.
We are using the intelligence gathered throughout last year to develop an appropriate regulatory response. We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis.
The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same. I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.
Simon McDougall is Executive Director for Technology and Innovation at the ICO where he is developing an approach to addressing new technological and online harms. He is particularly focused on artificial intelligence and data ethics.
He is also responsible for the development of a framework for auditing the use of personal data in machine learning algorithms.