View all newsletters
Sign up for our free email newsletters

Fighting for quality news media in the digital age.

  1. News
January 25, 2021updated 30 Sep 2022 9:58am

GDPR: Watchdog warns all UK companies involved in adtech to ‘urgently assess how they use personal data’

By Dominic Ponsford

The UK Information Commissioner’s Office has warned that many media companies are breaking the law and urged them to review how they use personal data as it resumed its adtech investigation.

Its probe into the UK’s £13bn a year online advertising industry will particularly look into widespread non-compliance with GDPR, the EU data regulations which were incorporated into UK law in 2018.

Under GDPR people must unambiguously opt-in to receive marketing communications and to share their personal data. GDPR states that marketers and publishers must also abide by strict rules around the storage of data and how it is shared with other companies.

Breaches of GDPR can lead to fines of up to 4% of annual turnover.

Simon McDougall, ICO Deputy Commissioner – Regulatory Innovation and Technology, said: “In May 2020, we paused our investigation into real-time bidding (RTB) and the adtech industry, as we prioritised activities responding to the Covid-19 pandemic. We have now resumed our investigation.

“Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.

[Read more: Competition watchdog to investigate Google’s plans to build cookie-less web after publisher revolt]

Content from our partners
How PA Media is helping newspapers make the digital transition
Publishing on the open web is broken, how generative AI could help fix it
Impress: Regulation, arbitration and complaints resolution

“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.

“Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.

“Data broking also plays a large part in RTB and following our data broking investigation into offline direct marketing services and enforcement action for Experian in October 2020, we will be reviewing the role of data brokers in this adtech eco-system.

“The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded.

“All organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency. We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs).

“We are also continuing to work with the Competition and Markets Authority (CMA) in considering Google’s Privacy Sandbox proposals to phase out support for third-party cookies on Chrome.”

The ICO has powers to mount investigations and prosecutions under the Data Protection Act, the UK General Data Protection Regulation and the Network Information Systems regulations.

Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • “fairly and lawfully processed
  • “processed for limited purposes
  • “adequate, relevant and not excessive
  • “accurate and up to date
  • “not kept for longer than is necessary
  • “processed in line with subjects’ rights
  • “secure
  • “and not transferred to other countries without adequate protection.”

[Sign up for Press Gazette’s must-read newsletters: Media Monitor (strategic insight every Thursday), PG Daily and Marketing Matters]

Email pged@pressgazette.co.uk to point out mistakes, provide story tips or send in a letter for publication on our "Letters Page" blog

Select and enter your email address Weekly insight into the big strategic issues affecting the future of the news industry. Essential reading for media leaders every Thursday. Your morning brew of news about the world of news from Press Gazette and elsewhere in the media. Sent at around 10am UK time. Our weekly does of strategic insight about the future of news media aimed at US readers. A fortnightly update from the front-line of news and advertising. Aimed at marketers and those involved in the advertising industry.
  • Business owner/co-owner
  • CEO
  • COO
  • CFO
  • CTO
  • Chairperson
  • Non-Exec Director
  • Other C-Suite
  • Managing Director
  • President/Partner
  • Senior Executive/SVP or Corporate VP or equivalent
  • Director or equivalent
  • Group or Senior Manager
  • Head of Department/Function
  • Manager
  • Non-manager
  • Retired
  • Other
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.
Thank you

Thanks for subscribing.

Websites in our network