Blog: Advancing the adtech debate from a data protection perspective
Simon McDougall, Executive Director for Technology Policy and Innovation, invites adtech industry stakeholders to a fact-finding forum.
Advertising is as old as commerce itself. Companies have always innovated to access new markets, and people are often happy to learn of new products and services. But in recent years, technology has completely transformed the way advertising is bought, sold and delivered.
Many advertising techniques use people’s personal information, in the form of a personal profile, to decide which advert is delivered to them. Publishers then utilise real-time advertising methods to sell the advertising space.
While many aspects of adtech are of interest to the ICO, as the data protection regulator, we are currently concentrating on the world of programmatic advertising and real-time bidding. This aligns with our Tech Strategy, where both online tracking and artificial intelligence are priority areas. The adtech industry and its handling of personal data has also recently been in the spotlight, when the ICO and other regulators received complaints suggesting that some adtech firms were breaching the General Data Protection Regulation (GDPR).
What we can say is it’s an extremely complicated area, with a large number of intermediaries and service providers sitting in between the advertisers buying advertising space, and the publishers selling it.
The speed, scale and complexity of real-time bidding is both technologically impressive and a cause for concern, but we understand that at the same time, this technology facilitates the sale of advertising space that generates a certain level of income for publishers, and value for advertisers.
Our initial conversations with the industry have led to us to identify three key areas of interest to us:
Transparency and personal data
The GDPR has clear requirements around notice and transparency. We are interested in how people are told, and what people are told, about the use of their personal data for online advertising purposes when they visit websites or access apps, as well as how accurate this information is.
Lawful basis for processing personal data
The lawful bases for processing personal data that different organisations operating in the adtech ecosystem currently rely upon are apparently inconsistent. There seem to be several schools of thought around the suitability of various bases for processing personal data – we would like to understand why the differences exist.
Programmatic advertising depends on the rapid sharing of website or app users’ personal data, with varying levels of detail in the information being associated with the space for sale. This data may be shared very widely and quickly amongst hundreds of organisations. We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure.
Our focus is on the challenges where personal data may be processed, and where we have regulatory oversight, that they comply with the GDPR and Data Protection Act 2018. In these areas alone, there is already a substantial amount of commentary, but also many diverging views.
In order to develop our understanding of all aspects of this complex ecosystem, our next step is to convene a fact-finding forum on 6 March 2019 in central London. We aim to bring together a range of representatives from across the adtech industry to explore each of our key themes.
We will shortly be sending out invites to people and organisations that we know are already engaged in this debate. However, we would also welcome requests from other interested parties – please contact us on firstname.lastname@example.org if you would like to attend.
The latest programmatic revolution in advertising is far from over and we can expect change and innovation for many years to come. We hope that by supporting a structured dialogue between different stakeholders, we can deepen our understanding, and perhaps advance some aspects of this debate.
Simon McDougall is Executive Director for Technology Policy and Innovation at the ICO where he is developing an approach to addressing new technological and online harms. He is particularly focused on artificial intelligence and data ethics.
He is also responsible for the development of a framework for auditing the use of personal data in machine learning algorithms.