With rules surrounding the General Data Protection Regulations (GDPR) tightening up by the minute, the UK’s data protection authority, the Information Commissioner’s Office (ICO) has issued a fresh warning to ad tech companies to get to grips with their compliance.
The announcement follows the ICO’s recent statement around how personal data is used within programmatic advertising on the open exchange, via real-time bidding, which the authority stated that it was not compliant. Ad tech companies have since been given a six-month period to address any issues around GPDR compliance with the clock now ticking as there are four months to go to get things right.
At the time of its investigation, the ICO insisted that real-time bidding presented a number of challenges to “good data protection” in its current form while the ad tech industry “appears immature in its understanding of data protection requirements”. Furthermore, a key outcome from the research was that ad tech firms should not be relying on legitimate interest when handling personal data within programmatic ad trading on the open exchange.
Speaking at ExchangeWire’s ATS event in London yesterday (September 9), Ali Shah, head of technology and policy at the ICO encouraged ad tech companies who continue to use legitimate interest to come forward within the next four months to avoid facing financial penalties.
“I’d be remiss if I didn’t say that if we don’t see meaningful change [within the next four-month window] we’ll have to leverage our full powers of enforcement,” said Shah at ATS as he expressed that businesses should make a case if they continue to stand by using legitimate interest.
July saw the ICO issue huge fines to UK airline British Airways and international hotel chain Marriott for £183 million and £99 million respectively on data breaches. Under GDPR, companies can be fined a maximum of €20 million ($22 million) or 4% of global revenue, whichever is higher.
In a recent interview with the Financial Times, Simon McDougall, who’s leading the investigation currently commented that the ICO has been “unsatisfied” with the ad tech industry’s responses even before it issued a warning in June and that it is “still not happy” after “digging and digging”.
He also stated that the ad tech industry has so far given “vague, immature and short answers” when asked about how it processes personal information and reminded tech firms that any misuse of special category data will contravene with the rules set by GPDR.
“This is not an arcane or small point over here. This is fundamental stuff – if you are processing special category data, then you need explicit consent,” he said.