Adtech sector comes under increasing ICO pressure
With a focus on the adtech sector active on this side of the Channel, the UK Information Commissioner’s Office recently published an updated report on adtech. This follows industry consultation and focuses on the realities of organisations within the adtech sector complying with GDPR and the UK’s implementation of the e-Privacy Directive (PECR).
Much of the report looks at the real-time bidding component of digital advertising. The ICO considers that this raises several issues under data protection law, relating to transparency, the processing of special category data, establishing an appropriate legal basis, and conducting data protection impact assessments.
In particular the ICO raised concerns over the lack of clarity regarding what will happen to the data subject’s information in the digital advertising context.
The ICO also raised concerns over the use of special categories of personal data (race, ethnicity, sexual orientation, health information etc) for segmentation.
The ICO noted that real-time bidding might trigger the need to conduct a DPIA and that, to date, organisations involved in this activity are not carrying them out. Reasons for a DPIA might include the use of new technologies, profiling individuals on a large scale, invisible processing, tracking of behaviour and geolocation data, as well as the use of personal data of children or other vulnerable individuals for marketing purposes, profiling or automated decision making as a relevant trigger.
The ICO appears keen to engage with the adtech sector, inviting responses and emphasizing that it aims to take a “measured and iterative approach”. The ICO also acknowledged the importance of digital advertising to the availability of content online and consumer decision-making/engagement. The ICO has encouraged those in the adtech industry to “re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the real-time bidding ecosystem.”