The UK Information Commissioner’s Office has warned that many media companies are breaking the law and urged them to review how they use personal data as it resumed its adtech investigation.
Its probe into the UK’s £13bn a year online advertising industry will particularly look into widespread non-compliance with GDPR, the EU data regulations which were incorporated into UK law in 2018.
Under GDPR, people must unambiguously opt in to receive marketing communications and to share their personal data. GDPR states that marketers and publishers must also abide by strict rules around the storage of data and how it is shared with other companies.
Breaches of GDPR can lead to fines of up to 4% of annual turnover.
Simon McDougall, ICO Deputy Commissioner – Regulatory Innovation and Technology, said: “In May 2020, we paused our investigation into real-time bidding (RTB) and the adtech industry, as we prioritised activities responding to the Covid-19 pandemic. We have now resumed our investigation.
“Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.
“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.
“Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.
“Data broking also plays a large part in RTB and following our data broking investigation into offline direct marketing services and enforcement action for Experian in October 2020, we will be reviewing the role of data brokers in this adtech ecosystem.
“The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded.
“All organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency. We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs).
“We are also continuing to work with the Competition and Markets Authority (CMA) in considering Google’s Privacy Sandbox proposals to phase out support for third-party cookies on Chrome.”
The ICO has powers to mount investigations and prosecutions under the Data Protection Act, the UK General Data Protection Regulation and the Network Information Systems regulations.
Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- “fairly and lawfully processed
- “processed for limited purposes
- “adequate, relevant and not excessive
- “accurate and up to date
- “not kept for longer than is necessary
- “processed in line with subjects’ rights
- “and not transferred to other countries without adequate protection.”