Information Commissioner's Office
Blog: Advancing the adtech debate from a data protection perspective
Simon McDougall, Executive Director for Technology Policy and Innovation, invites adtech industry stakeholders to a fact-finding forum.
Advertising is as old as commerce itself. Companies have always innovated to access new markets, and people are often happy to learn of new products and services. But in recent years, technology has completely transformed the way advertising is bought, sold and delivered.
Many advertising techniques use people’s personal information, in the form of a personal profile, to decide which advert is delivered to them. Publishers then utilise real-time advertising methods to sell the advertising space.
While many aspects of adtech are of interest to the ICO, as the data protection regulator, we are currently concentrating on the world of programmatic advertising and real-time bidding. This aligns with our Tech Strategy, where both online tracking and artificial intelligence are priority areas. The adtech industry and its handling of personal data has also recently been in the spotlight, when the ICO and other regulators received complaints suggesting that some adtech firms were breaching the General Data Protection Regulation (GDPR).
What we can say is it’s an extremely complicated area, with a large number of intermediaries and service providers sitting in between the advertisers buying advertising space, and the publishers selling it.
The speed, scale and complexity of real-time bidding is both technologically impressive and a cause for concern, but we understand that at the same time, this technology facilitates the sale of advertising space that generates a certain level of income for publishers, and value for advertisers.
Our initial conversations with the industry have led to us to identify three key areas of interest to us:
Transparency and personal data
The GDPR has clear requirements around notice and transparency. We are interested in how people are told, and what people are told, about the use of their personal data for online advertising purposes when they visit websites or access apps, as well as how accurate this information is.
Lawful basis for processing personal data
The lawful bases for processing personal data that different organisations operating in the adtech ecosystem currently rely upon are apparently inconsistent. There seem to be several schools of thought around the suitability of various bases for processing personal data - we would like to understand why the differences exist.
Programmatic advertising depends on the rapid sharing of website or app users’ personal data, with varying levels of detail in the information being associated with the space for sale. This data may be shared very widely and quickly amongst hundreds of organisations. We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure.
Our focus is on the challenges where personal data may be processed, and where we have regulatory oversight, that they comply with the GDPR and Data Protection Act 2018. In these areas alone, there is already a substantial amount of commentary, but also many diverging views.
In order to develop our understanding of all aspects of this complex ecosystem, our next step is to convene a fact-finding forum on 6 March 2019 in central London. We aim to bring together a range of representatives from across the adtech industry to explore each of our key themes.
We will shortly be sending out invites to people and organisations that we know are already engaged in this debate. However, we would also welcome requests from other interested parties – please contact us on firstname.lastname@example.org if you would like to attend.
The latest programmatic revolution in advertising is far from over and we can expect change and innovation for many years to come. We hope that by supporting a structured dialogue between different stakeholders, we can deepen our understanding, and perhaps advance some aspects of this debate.
Simon McDougall is Executive Director for Technology Policy and Innovation at the ICO where he is developing an approach to addressing new technological and online harms. He is particularly focused on artificial intelligence and data ethics.
He is also responsible for the development of a framework for auditing the use of personal data in machine learning algorithms.
Latest News from
Information Commissioner's Office
ICO fines home security company for making thousands of nuisance calls14/06/2019 09:10:00
The Information Commissioner’s Office (ICO) has fined Smart Home Protection Ltd £90,000 for making nuisance calls to people registered with the Telephone Preference Service (TPS).
Former customer services officer fined after unlawfully accessing personal data10/06/2019 17:20:00
A former customer services officer at Stockport Homes Limited (SHL) has been found guilty of unlawfully accessing personal data without a legitimate reason to do so.
G20 Side Event - International Seminar on Personal Data05/06/2019 12:25:00
Speach given yesterday by the ICO at the G20 Side Event – International Seminar on Personal Data.
Blog: Counting the cost of accessing environmental information04/06/2019 11:10:00
Blog posted by: Gill Bull, Director of Freedom of Information, 03 June 2019.
When it comes to explaining AI decisions, context matters03/06/2019 12:25:00
Alex Hubbard, Senior Policy Officer at the ICO, looks at some of the key themes identified in the ICO and The Alan Turing Institute’s interim report about explanations of AI decisions.
Blog: GDPR – One Year on31/05/2019 09:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 30 May 2019.
Blog: ICO regulatory sandbox29/05/2019 12:25:00
Work begins on creating ICO Sandbox short list as application period closes.
Known security risks exacerbated by AI24/05/2019 09:25:00
As part of our AI auditing framework blog series, Reuben Binns, our Research Fellow in Artificial Intelligence (AI), Peter Brown, Technology Policy Group Manager, and Valeria Gallo, Technology Policy Adviser, look at how AI can exacerbate known security risks and make them more difficult to manage.