PerformanceININside Performance Marketing
JOIN THE PERFORMANCEIN Join the PerformanceIN Partner Network
ICO Issues GDPR Warning to Ad Tech Companies

ICO Issues GDPR Warning to Ad Tech Companies


The Information Commissioner's Office has issued a fresh warning to ad tech companies to get to grips with their compliance.

With rules surrounding the General Data Protection Regulations (GDPR) tightening up by the minute, the UK’s data protection authority, the Information Commissioner's Office (ICO) has issued a fresh warning to ad tech companies to get to grips with their compliance. 

The announcement follows the ICO’s recent statement around how personal data is used within programmatic advertising on the open exchange, via real-time bidding, which the authority stated that it was not compliant. Ad tech companies have since been given a six-month period to address any issues around GPDR compliance with the clock now ticking as there are four months to go to get things right.

At the time of its investigation, the ICO insisted that real-time bidding presented a number of challenges to “good data protection” in its current form while the ad tech industry “appears immature in its understanding of data protection requirements”. Furthermore, a key outcome from the research was that ad tech firms should not be relying on legitimate interest when handling personal data within programmatic ad trading on the open exchange.

Speaking at ExchangeWire’s ATS event in London yesterday (September 9), Ali Shah, head of technology and policy at the ICO encouraged ad tech companies who continue to use legitimate interest to come forward within the next four months to avoid facing financial penalties.

“I’d be remiss if I didn’t say that if we don’t see meaningful change [within the next four-month window] we’ll have to leverage our full powers of enforcement,” said Shah at ATS as he expressed that businesses should make a case if they continue to stand by using legitimate interest.

July saw the ICO issue huge fines to UK airline British Airways and international hotel chain Marriott for £183 million and £99 million respectively on data breaches. Under GDPR, companies can be fined a maximum of €20 million ($22 million) or 4% of global revenue, whichever is higher.

In a recent interview with the Financial Times, Simon McDougall, who’s leading the investigation currently commented that the ICO has been “unsatisfied” with the ad tech industry’s responses even before it issued a warning in June and that it is “still not happy” after “digging and digging”.

He also stated that the ad tech industry has so far given “vague, immature and short answers” when asked about how it processes personal information and reminded tech firms that any misuse of special category data will contravene with the rules set by GPDR.

“This is not an arcane or small point over here. This is fundamental stuff – if you are processing special category data, then you need explicit consent,” he said.

Continue the conversation

Have something to say about this article? Comment above, share it with the author @Mos210890 or directly on Facebook, Twitter or our LinkedIn Group.

Mustafa Mirreh

Mustafa Mirreh

Mustafa is a senior journalist at PerformanceIN. Reporting on the latest day-to-day news and updates from the world of performance marketing, while also doing social media promotion, live reporting of events, article features and interviewing key industry players.


Read more from Mustafa

You may also like…