Six months ago, the ICO declared that a lot of current activity "appears to be unlawful". But talk is cheap. Time went by. As their six-month deadline for the AdTech industry to straighten things out came and went, we waited. For what? A stern blog post that said much of the same as before.
The ICO has “received commitments” from trade bodies “to produce guidance”. That’s still a long way from obeying the law, and it seems the ICO is willing to keep waiting. How’s that for law enforcement, from the industry enforcer? Imagine if the police force worked like this! If robbers received a six-month warning not to rob people, and then a further extension to consider changing - during which time, they’re allowed to carry on robbing you.
Look out – danger ahead
For those of us who support the ICO, it is disappointing. Has the early promise of leadership fizzled out? The Open Rights Group have lost patience -- and are now threatening to take legal action against the regulator itself.
Not only has the ICO’s inadequate response raised questions about the entire UK data protection framework, but it has left the regulator looking dangerously slow.
Why dangerously so? Because if their failure to enforce the law around existing data mishandling in the Real-Time Bidding (RTB) process isn’t bad enough, there’s also the Wild-West of data harvested by apps -- plus a whole lot worse coming down the line that the ICO has to get to grips with: surveillance tech is going to mutate, and they absolutely need to get ahead of that.
Until now, the ICO’s version of ‘enforcement’ has been to encourage self-regulation. And it hasn’t worked, evidently. For those who hope the AdTech giants do have it in themselves to act in our interests, we should ask Google to do more. Their recent action against cross-site cookies is welcome but too limited. It will continue to allow tracking by, for example, Google. They should join Mozilla and Apple in properly stopping cross-site tracking, plus acting now to stop browser fingerprinting (the sneakier alternative to tracking cookies).
Google is planning to phase out cookies -- but worryingly, that’s only to replace them with an approach, called “FLoC”, where the Chrome browser would monitor you directly. That's one step forward, two steps back. Back in December, the Electronic Frontier Foundation (EFF) described these plans as Google wanting to create: "A tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate."
Privacy as a cross-industry issue
This would build a surveillance monopoly, right into the software and hardware you use. The proposals are intelligent, and they would fix some issues -- but they seem to start from the assumption that Google should be able to monitor and monetise everything you do. Not only would this be bad for personal privacy -- the monopoly effect would be bad for any industry that uses advertising that is, which is all of them.
Google is not completely deaf to outside concerns though. In a promising move, one of Google’s monitoring proposals (which they called “Pigin”) has been replaced after criticism with a better suggestion for browser-based ad auctions (which they call “Turtle-Dove”). With a strong and forward-looking attitude, the ICO could help steer this conversation further towards being in the public interest.
Whether the ICO can get its act together remains to be seen. Let’s hope so because they have a crucial role to play in making a better internet. Fortunately, there are other channels for change. Advertisers, journalists, policymakers, and concerned consumers can all do their bit to disrupt the somewhat toxic status quo and better protect our digital rights.