Earlier this year, the UK’s data protection authority, the Information Commissioner’s Office (ICO), fired something of a warning shot towards the ad tech sector with its ‘Update report into adtech and real time bidding’. The report said that RTB as it currently operates is in many cases not compliant with the EU’s General Data Protection Regulation (GDPR), as well as other privacy regulation.
The industry was given six months to clean up its act, after which the ICO said it would review the progress that had been made. Those six months are now nearly up, and in that time the industry has made real progress, says Simon McDougall, executive director of technology policy and innovation at the ICO, but there’s still work to be done. In this Q&A, McDougall discusses the areas in which the industry is still falling short, as well as his broader thoughts on privacy-compliant RTB and data collection.
What do you make of the progress being made by the digital advertising industry on privacy since your ‘Update report into adtech and real time bidding’ was published in June?
We’re in the home stretch of the six month period we outlined in our June report. The tone of the conversation has changed – we’re seeing fewer discussions around whether change is needed and an acceptance and agreement that the status quo is not acceptable. We held the follow-up to our Fact Finding Forum on Real Time Bidding (RTB) a fortnight ago and I was struck by how constructive the discussion was, whilst accepting there were still many chunky points of disagreement among the stakeholders present. During the past six months, we’ve seen some big announcements and some big changes have been agreed, including Google’s recent announcement [that it will strip contextual content categories from bid requests], which is an important statement of intent. It will be interesting to see how these changes play out, and we are working to make sure we fully understand the various proposals being put forward. Am I optimistic? I would say I’m cautiously optimistic and I can safely say the debate has moved on during 2019.
That’s not to say everything is fixed and we can rest easy – far from it. Our engagement over the past six months has validated the issues we raised in our report and we have some big concerns that need to be addressed. We continue to see misunderstandings and poor justifications for the use of legitimate interests (LI) as a lawful basis for processing personal data, for instance. While we remain open to LI as a lawful basis for RTB, we haven’t yet seen a credible example of its use.
Is RTB finished, or can it exist in a privacy-compliant form, do you think?
We’ve been clear throughout that we do not want to blindly stop RTB or to shut down the ad tech industry. There is some really interesting and thoughtful innovation happening in the market that may offer different ways to link brands and publishers in ways that are efficient and privacy-friendly. I do feel that the industry must wake up to the change that’s needed – it simply cannot carry on the way it has been doing. We want the industry to review its current data protection practices, but more importantly its compliance with the law. And in return, we are willing to work with those operating in this field so they can clearly understand our expectations and find the way to do things right. The industry must accept that it created this problem, and it needs to fix it.
Considering that most consumers don’t actually read the fine-print when it comes to pretty much everything online (not to mention the fact that it would be deeply impractical for them to do so), can we ever have meaningful consent online?
It’s a critical question, and we also understand it poses practical challenges. But for the placing of cookies, having consent online is not an option but a legal must-have, and businesses operating in this area need to find a way to become compliant. “It’s complicated” is not a valid reason and nor is suggesting that consumers don’t read the fine-print. People have a right to expect their information will be treated in a way that is respectful, lawful, transparent and secure. The GDPR applies to all sectors and ad tech is no exception. We understand this is not easy, but it is what is needed.
To what extent is the video/OTT advertising part of the industry likely to be affected?
Any organisation that uses RTB for either buying or selling advertisements should familiarise themselves with our report and, if necessary, make the changes needed. We are aware that the programmatic world continues to expand into new channels and media – our concerns remain the same.
Is there any part of the data-driven digital advertising ecosystem that you think is demonstrating ‘best practice’ when it comes to privacy?
During our period of engagement, we have seen that it is possible to use data-driven advertising in a privacy respectful way. Unfortunately, this is not the status quo. There is also a widespread interest in demonstrating best practice. In our recent fact-finding event, for example, one of our breakout sessions discussed bid requests and whether personal information is needed within these. Many of our participants suggested much of the data collected is not actually needed and noted that unfortunately the industry has developed in a way that people think it is a commercial imperative to include personal data. It’s very much a crowd mentality and although organisations want to do the right thing, there seems to be a lot of finger pointing and waiting for one section of the industry to move first before making changes.
Is it safe to assume that the use of first party data for targeting will always be permissible?
Organisations using their own customer data is a rich source of information for advertising and beneficial for personalising user experience. I cannot comment on what may or may not be permissible in the future, especially because of how quickly innovation takes place in this market. If organisations are doing a particular kind of advertising in a way that is privacy respectful now, there is a greater likelihood this will be considered permissible in future. However, if organisations are not using first party data in a transparent, lawful and secure way now, then this may in future impact regulators’ perception of it.
Many would say their main concern isn’t so much about companies having access to individual data points, but they’re more concerned about individual companies knowing pretty much everything about them. Is that something you’re concerned with?
We’re concerned about users not consenting to the data being collected and processed about them and organisations’ preference for data maximisation over data minimisation. We think there should be much greater transparency at point of collection about why organisations are collecting and processing information and how personal information is used to profile people to make decisions about them.
Many are concerned for the welfare of publishers and the knock-on effects on journalism, which would in turn have an impact on democratic accountability. Is this something that will be factored into the ICO’s recommendations?
We understand that many smaller publishers rely on this business model and would have been left vulnerable if we’d decided to take enforcement action straight away. That is why we have chosen to take a measured approach by engaging with the industry to bring about change. As a pragmatic regulator, we don’t take action lightly, quickly or without serious thought for the consequences, and our view has very much been that the best chance of encouraging substantial industry change is through engagement. However, I would advise against complacency as we will be reviewing the situation in the New Year and considering our next steps.