ICO claims AdTech industry 'violating data protection laws'

Privacy group welcomes the ICO report but accuses the regulator of proceeding slowly on "massive illegality"

A graphic of individuals engaging with online ads

The online advertising industry is operating unlawfully with respect to strict data protection regulations and has an "immature" understanding of its obligations, the Information Commissioner's Office (ICO) has claimed.

The multi-billion pound AdTech industry, which is overwhelmingly dominated by Google and Facebook, is not gaining consent from users when processing personal data that includes information on sexuality, political leaning, or race, among others.

Advertisement - Article continues below

This represents a violation of standards set under the General Data Protection Regulation (GDPR), and the UK's Data Protection Act (DPA) 2018, according to a report published by the UK data regulator.

The companies are doing this through a mechanism known as real-time bidding (RTB). This set of technologies allow advertisers to compete for available digital space by automatically placing billions of ads on webpages and apps in the UK every day.

Processing non-special category data, too, risks violating the Privacy and Electronic Communications Regulations (PECR). Although handling this sort of data doesn't normally require consent, the industry's use of cookies to process information means consent is still needed at the initial point of processing.

"Under data protection law, using people's sensitive personal data to serve adverts requires their explicit consent, which is not happening right now," said the ICO's executive director for technology policy and innovation Simon McDougall.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Sharing people's data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises questions around the security and retention of this data."

The privacy-centric organisation Open Rights Group (ORG), which initially co-authored the complaint that spurred the ICO to investigate the issue, welcomed the report. But the group added the regulator is proceeding slowly and not insisting on immediate changes "despite the massive scale of the data breach".

"The ICO's conclusions are strong and very welcome but we are worried about the slow pace of action and investigation," said the ORG's executive director Jim Killock. "The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast."

The data regulator highlighted a number of additional concerns around data protection laws and RTB. For example, the ICO has seen no evidence that requirements under GDPR to conduct data protection impact assessments (DPIA) are being recognised by companies involved in this mechanism.

Advertisement - Article continues below

This means the personal data risks associated with RTB have not likely been understood and mitigated. Moreover, the profiles created about individuals are highly details and repeatedly shared among hundreds of organisations without their knowledge or consent.

The ICO will continue to gather more information and engage with the AdTech industry, McDougall added, to enhance its knowledge, and share this with European regulators.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/policy-legislation/data-protection/355250/health-sites-sharing-users-medical-data-with-major-tech
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020
Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354842/irish-data-regulator-racks-up
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020