The Information Commission Officer (ICO) has been busy in the last few months on reviewing data protection and GDPR compliance within the digital advertising sector, with the body issuing out significant fines to some of the UK’s top leading brands. 

In response to the ICO’s recent report into ad tech and real-time bidding (RTB), which criticised the handling of personal data within programmatic advertising on the open exchange, the IAB UK has set out a series of actions designed to help companies engaged in RTB to understand and meet their data protection and privacy compliance obligations in practice.

Following the ICO’s report, the regulator announced a six month period for further industry engagement and for the ad tech industry to respond to its findings.

This process has been led by IAB UK and its members, along with IAB Europe and IAB Tech Lab where appropriate. As a result, IAB UK has committed to a series of actions on six key issues raised in the report to help improve standards of compliance. These include:

  • Data security: IAB UK will develop good practice guidance covering security, data minimisation and data retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework (TCF) policies could be enhanced to support such good practice.
  • Special category data: A range of actions to be taken, including developing UK-focused guidance on the Content Taxonomy, education for the industry on special category data restrictions and requirements (developed with other relevant trade bodies, particularly on the buy-side), and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests.
  • Reliance on legitimate interests for cookies: IAB UK is committed to educating its members on the consent requirements of UK ePrivacy regulations, with reference to the ICO’s current cookie guidance, and promoting the use of the TCF, where appropriate, for obtaining this consent in a compliant way.
  • Legitimate interests assessments (LIAs): IAB UK will educate its members on LIA requirements, taking into account the outcomes of a joint (ICO/IAB Europe/IAB UK) review of anonymised example LIAs, and work with IAB Europe to develop resources to support companies to meet these requirements in practice.
  • Data Protection Impact Assessment (DPIAs): IAB UK will educate members on DPIA requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry, and work with other relevant trade bodies as they develop their own DPIA approaches and guidance.
  • Transparency and fairness of information provided to consumers: IAB UK will engage with IAB Europe on the outcomes of ongoing discussions about potential changes to TCF policies with respect to Consent Management Provider user interfaces, and then decide on any further action.

In addition to its response and actions outlined above, IAB UK also identified areas where further discussion is needed before a clearer position and consensus can be reached. The ICO is expected to provide a further update on its position in the coming weeks, once it has reviewed all relevant responses. 

“Our ‘Update report’  documented our concerns with how personal data is processed using RTB, and our subsequent engagement work with the ad tech industry has largely validated these concerns. We’re very pleased with the engagement we’ve had so far and, while we still have a long way to go, we’re optimistic that an industry-led solution is possible. We look forward to continuing our constructive discussions with the IAB and the industry as it implements the proposals made,” said Simon McDougall, the ICO’s executive director for technology and innovation.

“It’s now critical that we work together with our members to implement change. This needs everyone – advertisers, intermediaries and media owners – to work with us, and to be willing to take action and invest in making changes where necessary,” added Christie Dennehy-Neil, IAB UK’s head of policy and regulatory affairs.