With rules tightening up by the minute around the General Data Protection Regulations (GDPR), the UK data protection authority, the Information Commissioner’s Office (ICO) issued a fresh warning to ad tech companies to get to grips with their compliance.
The announcement follows the recent statement made by the ICO about how personal data is used on the open exchange in programmatic advertising, via real-time bidding, which the authority said is not compliant. Since then, ad tech firms have been given a six-month period to address any issues surrounding GPDR compliance with the ticking clock as there are four months to go to get things right.
At the time of its investigation, the ICO argued that real-time bidding presented a number of challenges to “good data protection” in its current form, while the ad tech industry “appears immature in its understanding of data protection requirements.” In addition, a key result of the research was that ad tech firms should not rely on legitimate interest when dealing with personal data on the open exchange in programmatic ad trading.
Speaking yesterday (September 9) at ExchangeWire’s ATS event in London, ICO Technology and Policy Head Ali Shah encouraged ad tech companies that continue to use legitimate interest to come forward within the next four months to avoid financial penalties.
“I’d be reluctant if I didn’t say that if we don’t see any meaningful change [ within the next four-month window ] we’re going to have to take full advantage of our enforcement powers,” Shah said at ATS, saying businesses should make a case if they keep using legitimate interests.
The ICO issued huge fines on data breaches for £ 183 million and £ 99 million respectively to UK airline British Airways and international hotel chain Marriott in July. Under GDPR, corporations may be fined up to € 20 million ($22 million) or 4% of global revenue, whichever is higher.
Simon McDougall, who is the leader of the investigation, said in a recent interview with the Financial Times that the ICO was “unsatisfied” with the responses of the ad tech industry even before it issued a warning in June and that it is “not happy” after “digging and digging.”
He also stated that the ad tech industry has so far provided “vague, immature and short answers” when asked how it processes personal information and reminded tech firms that any misuse of special category data would be contrary to GPDR’s rules.
“This isn’t a small or arcane point here. This is essential–if you process specific category data, you need explicit consent, “he said.