The UK Information Commissioner (ICO) has issued an Opinion on the development of new proposals for online advertising. A range of initiatives is currently under way to find new ways of allowing some form of targeted or personalised online advertising in an environment in which third-party cookies and other forms of cross-site tracking are phased out.
The ICO is warning those designing this next generation of adtech that it will not look favourably on proposals which seek to maintain the status quo in terms of tracking, profiling and targeting, and that it expects all proposals to:
- Embed data protection requirements by default into their design;
- Give users a clear choice of receiving adverts without any form of tracking, profiling or targeting;
- Allow users to see clearly how and why their personal data is being processed across the ecosystem, and who is doing the processing;
- Clearly articulate the purposes of the processing, and demonstrate that this is fair, lawful and transparent; and
- Address and mitigate associated privacy risks.
Given that the industry's proposals for replacing third-party cookies are still generally under development, the ICO has clearly decided to take a proactive approach in setting out its expectations now, rather than waiting to react to the technology which is ultimately deployed.
The Opinion must also be seen in the context of recent developments in the EU. For example, it is understood that the Belgian Data Protection Authority is close to issuing a potentially very significant draft ruling that will conclude that the IAB's Transparency and Consent Framework ("TCF"), which is widely used across the industry, does not meet the requirements of the GDPR in several respects. In addition, regulators and EU Parliamentarians are currently scrutinising the EU's draft Digital Services Act, and are strongly recommending that online targeted advertising is regulated much more strictly in favour of less intrusive technologies.
These developments, together with some very hefty enforcement action (e.g. Amazon's €746m fine from the Luxembourg DPA for advertising-related GDPR breaches), suggest that regulators and policy makers are losing patience with the current state of play in the industry.
The fact that the ICO has merely issued another written Opinion is likely to frustrate privacy campaigners, who have been calling for speedier enforcement action in the UK. But for the industry, it is becoming clearer that current practices will have to adapt in the fairly short term if fines are to be avoided.