Information Commissioner's Office
Blog: Advancing the adtech debate from a data protection perspective
Simon McDougall, Executive Director for Technology Policy and Innovation, invites adtech industry stakeholders to a fact-finding forum.
Advertising is as old as commerce itself. Companies have always innovated to access new markets, and people are often happy to learn of new products and services. But in recent years, technology has completely transformed the way advertising is bought, sold and delivered.
Many advertising techniques use people’s personal information, in the form of a personal profile, to decide which advert is delivered to them. Publishers then utilise real-time advertising methods to sell the advertising space.
While many aspects of adtech are of interest to the ICO, as the data protection regulator, we are currently concentrating on the world of programmatic advertising and real-time bidding. This aligns with our Tech Strategy, where both online tracking and artificial intelligence are priority areas. The adtech industry and its handling of personal data has also recently been in the spotlight, when the ICO and other regulators received complaints suggesting that some adtech firms were breaching the General Data Protection Regulation (GDPR).
What we can say is it’s an extremely complicated area, with a large number of intermediaries and service providers sitting in between the advertisers buying advertising space, and the publishers selling it.
The speed, scale and complexity of real-time bidding is both technologically impressive and a cause for concern, but we understand that at the same time, this technology facilitates the sale of advertising space that generates a certain level of income for publishers, and value for advertisers.
Our initial conversations with the industry have led to us to identify three key areas of interest to us:
Transparency and personal data
The GDPR has clear requirements around notice and transparency. We are interested in how people are told, and what people are told, about the use of their personal data for online advertising purposes when they visit websites or access apps, as well as how accurate this information is.
Lawful basis for processing personal data
The lawful bases for processing personal data that different organisations operating in the adtech ecosystem currently rely upon are apparently inconsistent. There seem to be several schools of thought around the suitability of various bases for processing personal data - we would like to understand why the differences exist.
Programmatic advertising depends on the rapid sharing of website or app users’ personal data, with varying levels of detail in the information being associated with the space for sale. This data may be shared very widely and quickly amongst hundreds of organisations. We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure.
Our focus is on the challenges where personal data may be processed, and where we have regulatory oversight, that they comply with the GDPR and Data Protection Act 2018. In these areas alone, there is already a substantial amount of commentary, but also many diverging views.
In order to develop our understanding of all aspects of this complex ecosystem, our next step is to convene a fact-finding forum on 6 March 2019 in central London. We aim to bring together a range of representatives from across the adtech industry to explore each of our key themes.
We will shortly be sending out invites to people and organisations that we know are already engaged in this debate. However, we would also welcome requests from other interested parties – please contact us on firstname.lastname@example.org if you would like to attend.
The latest programmatic revolution in advertising is far from over and we can expect change and innovation for many years to come. We hope that by supporting a structured dialogue between different stakeholders, we can deepen our understanding, and perhaps advance some aspects of this debate.
Simon McDougall is Executive Director for Technology Policy and Innovation at the ICO where he is developing an approach to addressing new technological and online harms. He is particularly focused on artificial intelligence and data ethics.
He is also responsible for the development of a framework for auditing the use of personal data in machine learning algorithms.
Latest News from
Information Commissioner's Office
ICO fines Vote Leave £40,000 for sending unlawful text messages20/03/2019 09:10:00
The Information Commissioner’s Office (ICO) has fined Vote Leave Limited £40,000 for sending out thousands of unsolicited text messages in the run up to the 2016 EU referendum.
A call for participation: Building the ICO’s auditing framework for Artificial Intelligence19/03/2019 16:10:00
Blog posted by: Simon McDougall, 18 March 2019.
Two Birmingham workers fined for data protection breaches19/03/2019 12:20:00
Employees could face a criminal prosecution if they access or share personal data without a valid reason, the Information Commissioner’s Office has warned.
ICO raids businesses in Brighton and Birmingham suspected of making millions of nuisance calls13/03/2019 09:10:00
The Information Commissioner’s Office (ICO) has searched two addresses as part of an investigation into businesses suspected of making live and automated nuisance calls.
International Conference of Information Commissioners 201912/03/2019 09:10:00
Elizabeth Denham's opening address given yesterday to the International Conference of Information Commissioners.
Blog: Adtech fact finding forum shows consensus on need for change08/03/2019 16:20:00
There’s a well-quoted line from Steve Jobs, that as Apple CEO he didn’t employ smart people to tell them what to do, but so that they could tell him what to do.
Blog: Why the right of access to patient data needn’t be a headache for GPs08/03/2019 13:20:00
Blog posted by: Jovian Smalley, Group Manager – Engagement (Public Services), 07 March 2019.
Organisations should be doing more to achieve privacy accountability06/03/2019 09:10:00
The Global Privacy Enforcement Network's (GPEN) annual intelligence gathering operation looked at how well organisations have implemented the core concepts of accountability into their own internal privacy policies and programmes.