Privacy & Information Security Law Blog

Simon McDougall, Executive Director for Technology Policy and Innovation for the UK Information Commissioner’s Office (“ICO”), has stated that “change is needed” in the adtech sector. In a speech delivered on July 11, 2019, at the Westminster Media Forum, focusing on the future of online advertising regulation, McDougall commented that “heads are still firmly in the sand” in some pockets of the digital advertising industry, and that many real-time bidding practices are currently being conducted in an unlawful manner, whether or not industry players are aware of it.

His comments follow an ICO report on adtech released in June 2019, that warned of increased focus on this sector by the regulator, particularly with regards to the real-time bidding component of digital advertising. According to McDougall, this report was intended as a warning and a wake-up call for adtech industry participants, and he added in his speech that the profiling of individuals on the scale that the ICO has witnessed in the adtech industry feels “wrong…disproportionate, intrusive and unfair.”

Although McDougall pointed to various areas of the industry that are causing the regulator concern, he stated that the ICO’s focus in the short-term is primarily on the use of special category (also known as sensitive) data processed as part of real-time bidding, such as race, religion and mental health. Reliance on contracts for sharing data across the adtech supply chain is another aspect of the industry coming under the ICO’s scrutiny. McDougall commented that the level of vendor diligence needed with regards to the technical and organizational controls that should be in place to protect personal data, as required by the EU General Data Protection Regulation (“GDPR”), cannot possibly be performed in relation to every organization that advertising data is currently shared with.

McDougall stated: “The need for explicit consent for processing special category data in real-time bidding is unambiguous. The need for organisations to be accountable for who they share data with is unambiguous. This is simple stuff.”

McDougall did acknowledge the difficulties that companies face in ensuring compliance with the GDPR while engaging in targeted marketing. He remarked: “We know how complex this ecosystem and market is, and how many organisations and complicated technologies are involved. We understand that many smaller publishers rely on this business model and would be left vulnerable if we decided to impose regulatory action now. We also understand that programmatic advertising and real-time bidding can offer enormous value if done in the right way, with privacy respectful and compliant processes and systems in place.”

This recognition, however, did not alter McDougall’s view that significant change is needed in the industry, and that the complexity involved would no longer constitute an excuse for non-compliant processing.

He gave the industry six months to make the necessary changes, and emphasized that the ICO will be monitoring progress and will proceed towards enforcement if the expected adjustments are not made.