Ad Tech and Privacy Compliance: Interview with Simon McDougall, ICO

In June this year, the Information Commissioner’s Office (ICO) released its Update Report into Adtech and Real-Time Bidding, which highlighted “systemic concerns” surrounding the compliance of RTB in upholding consumer privacy.

Ahead of the fact-finding briefing to be held today, Tuesday 19th November, as the six-month window of engagement with the DPA draws to a close, ExchangeWire spoke with Simon McDougall (pictured below), executive director for technology and innovation at the ICO, to discuss where progress has been made from the industry in addressing the body’s concerns, as well as where more work needs to be done to ensure a privacy-compliant programmatic industry.

Since the publication of the update report, in what areas has the ICO seen improvement from RTB participants? Where is further action required?
Simon McDougall, Executive Director for Technology and Innovation, ICO

Overall, we have had a positive response to our June ‘Adtech Update Report’ and many in the industry have heard our call for change.

Following publication of our report, we’ve prioritised our engagement with industry groups, including both the IAB and Google, and had a number of substantial discussions. We’re five months into our six-month period of engagement and while it is too soon to make any firm statements, we’re hopeful that change is achievable and progress is being made.

During this time, I’ve been struck by the openness of many in the industry to change – the vast majority of market players accept that the status quo cannot remain. We’ve also seen emerging solutions to some of our concerns that make me optimistic for the potential of innovation in this sector. The market is in a different place to five months ago.

However, we still have areas of concern. There continues to be confusion and misunderstandings around legitimate interests (LI) and consent and how they can be applied. Our report is clear on both. LI can’t be used to set cookies on devices, as this requires consent. We’re open to seeing examples of where use of LI is possible elsewhere in the ad serving process, but we have yet to see compelling examples of where this works.

No one understands this business better than your readers, and there is now a real opportunity for them to develop new practices and business models that address our concerns as regulator and ensure compliance with the law.

With reference to the findings in the update report that many firms operating within the ad tech space have not completed data protection impact assessments (DPIAs), have the ICO seen an improvement here?

I still think this is a weak area in the industry, and reflects the varied levels of awareness and governance across different players. Our guidance is clear on when DPIAs should be used, and plenty of aspects of real time bidding tick that box. If we engage in discussions with a firm about their compliance in this area, we will often ask to see and discuss their DPIA(s).

How can adtech companies best engage with the ICO? Is this best performed through industry bodies, or will there be opportunities for direct engagement?

Right from the start, we were keen to listen to and learn from the experts operating in this field. To achieve this we’ve engaged with industry by speaking with publishers, advertisers, civil society, start-ups, adtech firms and legal specialists. We’ve learned a lot, and I’m sure we will continue to learn.

Earlier this year, we brought together more than a hundred people for a full-day fact-finding forum where we explored the challenges of transparency, lawful basis and security in greater detail, and later this month we’re holding a second forum. We also invited interested parties who were unable to attend the event to submit comments.

On 19th November, we’ll be hosting the follow-up to our fact-finding event and are looking forward to sharing our more developed thoughts and hearing from those we’ve engaged with.

We’ve been out on the road throughout the summer, hitting the conference circuit speaking directly to and meeting people working in this field to explain our position. We’ve been keen to get our messages out to everyone in the industry and attended many events to help us do this.

Most of all, what we want to achieve through our engagement is the right way forward for all interested parties having worked together.

What is your reaction to Google’s recent announcement to exclude content categories in bid requests?

Our update report on the real time bidding system outlined a range of concerns, including the use of sensitive personal information and the security controls used by the organisations involved.

Google’s announcement is an important statement of intent and we look forward to seeing what practical impact it will have on Google’s operating model and the industry more widely.

Our dialogue with IAB UK and IAB Europe has also been productive and we are continuing to discuss a range of initiatives and changes.

Our engagement with the adtech sector is ongoing. We wanted to give the industry six months to address our concerns. We are pleased with the progress, but will be assessing the situation when the six-month period expires in December, and will then be considering whether we need to take further action.

Is the ICO planning on widening its scope to include ad tech practices outside of the RTB framework?

We were clear from the start that our concerns were not limited to real time bidding, but that we were prioritising that area given our understanding of current practice. So, whilst we have only focused on real time bidding so far, this doesn’t mean that we won’t consider looking into other areas in the future.

What actions are currently being considered for companies within the industry which have not examined their approaches to privacy notices, uses of personal data, and the lawful bases they apply within the RTB ecosystem?

These problems are very much industry issues for which a sustainable industry-developed and industry-led solution is needed. Our role has been facilitatory in nature. We are still very much focused on engaging with industry to bring about the changes that need to be made.

We understand this is a complex technology but industry needs to realise “It’s complicated” is no longer an excuse. People expect players across the advertising industry to use their information in a way that is respectful, lawful, transparent and secure.

Our Regulatory Action Policy outlines our selective approach to action and how we decide to respond to infringements of information rights obligations. So far, we have taken an iterative approach and worked with adtech firms with the view that this approach gives the best chance of encouraging substantial and sustainable industry change. Our Update Report explained that we wanted to see change over the next six months – i.e. by mid-December. We will then look at where we’ve got to, and consider next steps.

What work is the ICO doing with the Competition & Markets Authority (CMA) and other data protection authorities to ensure necessary privacy initiatives do not have a deleterious effect on publisher revenue, nor an increased relative market share for the likes of Google and Facebook to the detriment of independent providers?

We are aware that this sector is also of interest to other regulators, including the CMA and other DPAs. We are liaising with the CMA to discuss their ongoing market study, and also continue to discuss this area with our colleagues on other Data Protection Authorities.

There’s no doubt that the technology used in RTB is truly impressive and the revenue generated for players across this industry is substantial. We know that it is complex and we understand that many smaller publishers rely on this business model and would be vulnerable without it. We also understand that programmatic advertising and real-time bidding can offer enormous value but this must not be at the expense of privacy laws. The same is true for every sector – illegal data processing can’t continue just because it’s profitable.

Let me be clear: Changes have to be made. This complex system lacks data protection maturity in its current form and it must change to ensure that it is compliant with the law.