Earlier this week, ExchangeWire covered the latest developments from the Information Commissioner's Office (ICO), which included dramatic fines, updated cookie guidance and the Update Report into Adtech and Real Time Bidding. The combination of massive potential fines, and the fact that the UK DPA is openly questioning the legality of the fundamental processes underpinning the programmatic industry, has raised no small amount of concern within the sector.

In this exclusive article, Prash Naidu (pictured below), founder & CEO of Rezonence, delves further into the ICO's update report and why the industry, in all its complexity and financial opportunity, is not impervious to strict penalty.

The ICO’s report on ad tech and RTB was damning to say the least. Any firm operating in ad tech, particularly in the programmatic space, needs to really take stock of their activities as clearly instructed by the ICO. Clients making use of ad tech for marketing purposes are also equally exposed and potentially run a greater risk of large fines due to their proportionate size.

Although the ICO have been very specific about what they deem is not acceptable, they have not provided any clear guidelines on how ad tech firms and their clients should go about ensuring they are on the right side of the law. However, there are a few things that can be done to make sure that one will be on the right size of the law when 'judgement day' comes. Given the ICO’s recent dishing out of fines, it would be foolish to assume that the ICO is going to turn a blind eye to a problem they’ve specifically identified. On this they’ve provided clear guidance in the report: “In the meantime, we expect data controllers in the ad tech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem.”

Prash Naidu, founder & CEO, Rezonence

For full clarification, the core capability that allows RTB and programmatic systems to provide users with targeted and personalised marketing messages or content is the audience segment. A segment is essentially a list of user IDs typically held within a DMP. DSPs and SSPs also provide this functionality although without the ability to do advanced analytics or modelling of these users. These IDs are also stored on user’s devices by means of third-party cookies and due to how third-party cookies work in browsers, it enables ad tech systems to track users across websites which is why ads follow you around the web.

Understanding how segments are created and used will provide clear insight into whether one is being GDPR compliant or not. An advertiser will usually embed segment pixels on their product webpages, when these pixels are downloaded by the user’s browser (without the user’s knowledge), the user is added to a predefined segment within the clients DMP or DSP; a third-party cookie is also stored within the user’s browser. For example, browsing to the product page of a camera might add me to the “Camera Buyer” segment as setup by the advertiser or their ad tech partner.

The algorithm is trivial but it’s important to note that the user has essentially been profiled as a potential camera buyer without their knowledge or explicit consent. The ICO has made it clear that profiling users is not covered by legitimate interests which means that explicit consent must be sought from a fully informed user. The user must know that they are being profiled, they must know the consequences of being profiled, and must explicitly accept being profiled.

To make matters worse, this profiling of users is commonly performed by firms operating data marketplaces which means that these profiles are being sold to hundreds of advertisers and ad tech firms for them to track and execute targeted advertising campaigns. It is also possible to combine and enrich audience segments to create disturbingly accurate and deeply personal audience segments such as race, health, sexual orientation, etc. which fall under special categories as far as GDPR is concerned. All this is happening without the user’s consent or knowledge. Even if these audience segments are not being traded, the very nature of programmatic systems means that unless carefully managed, audience profiles can also be leaked to other participants of RTB auctions. The ICO has again specifically stated that this uncontrolled distribution of audience profile information is far from satisfactory.

Therefore, if your marketing activities rely on the creation of audience segments, it’s vitally important that you as a data controller can demonstrate that you have consent from every user in every segment you own. If you are unable to do so, you’re not compliant.

I’ve come across several people who have stated that the ICO could never possibly expect this level of compliance as users are typically in thousands of segments and that they would never consent at this scale. If the ICO insisted on compliance, they would essentially force an entire sector into oblivion. My answer to this is that the ICO has no option but to follow the law, it is not their job to worry about the sustainability of the ad tech sector which certainly isn’t “too big to fail”; it would be very foolish to bank on the ICO turning a blind towards illegal activity.

The bottom line, the industry has six months to get compliant, those who don’t can expect the ICO to come knocking and as we’ve seen recently, they’re not afraid to dish out large penalties. On a positive note, it is entirely possible to operate in a fully compliant manner, so there’s only one option, get compliant!