Change is afoot at the U.K.’s data protection watchdog, responsible for enforcing the General Data Protection Regulation.
Top execs from the Information Commissioner’s Office have been on a PR push of late, appearing on stage at industry events and agreeing to interviews with the press to deliver a simple message, again and again: Take GDPR more seriously because the industry’s initial attempts to comply have come up short.
It’s a somewhat unprecedented, open approach for a data protection authority. Before the tour, ICO execs like executive director for technology policy and innovation Simon McDougall were arguably unknown to anyone who sat outside of a corporate policy team. Now, whether it’s through Q&As at conferences or private meetings with advertisers, McDougall is becoming one of the more high-profile voices in ad tech in the U.K. In just the past month, McDougall has warned of “vague answers” in an interview with the Financial Times, spoken of “big issues” in Marketing Week, and expressed “concern about this industry” at an event hosted by media monetization firm Rezonence.
“Ad tech is unique in terms of the sheer volume of data which is massive, and the type that’s used is troubling at the same time,” he said at this week’s Rezonence event.
The rationale behind the conference appearances and interviews is simple: When the ICO rapped the knuckles of ad tech vendors in June for their misuse of personal data to target ads, it gave them a six-month deadline to make changes. With three months to go, the regulator wants to ensure there is no lack of clarity around that grace period.
These are unusual steps for a regulator to take. Typically, regulators enforce rather than seek to educate, after all. In its warning report aimed at the ad tech sector, the ICO acknowledged the complex structural underpinnings of buying and selling ads on the open exchange via real-time bidding. The regulator isn’t gunning to cripple ad tech and, by extension, the publishers reliant on programmatic advertising revenue, with its enforcement, said McDougall at the event. Nor does it want to further stifle competition in what’s already an ad market dominated by a few major players, aka Google and Facebook.
But that’s not to say the regulator is a soft touch. As recently as ExchangeWire’s ATS event earlier this month, the ICO’s head of technology and policy Ali Shah warned ad tech vendors not to take its light-touch approach to enforcing GDPR on real-time bidding as a sign it would go easy on the industry. In fact, he said there would be casualties among the ad tech community if vendors continued to breach the law.
Shah’s tough stance ahead of the December deadline is part of a strategy to exert maximum pressure without slamming the door shut.
In the 16 months since the GDPR came into effect, the ICO has played good cop to the bad cop approach taken by some of its counterparts across Europe, gently nudging the ad tech industry to get its house in order.
“Despite the grace period provided by the ICO, I have seen no indication of any sort that the RTB industry will reform itself,” said Johnny Ryan, chief policy and industry relations officer at browser Brave. “RTB continues to be the largest data breach yet recorded. This is not an abstract problem of legal theory: I fear that every voter in the next U.K. election will have been profiled using data about them leaked out of the RTB system,” said Ryan. He believes it’s essential that the ICO steps in and enforces the law once its grace period ends. “It would have been far better if it had acted far sooner. The industry must be forced to reform.”
When the ICO started to scrutinize Google in February, it said it had received complaints over Google’s heavy-handed data collection for ad targeting, but stopped short of launching a full probe of those practices. But when the Irish Data Protection Commission launched its own investigation into Google three months later it did so with a statutory inquiry into how the company’s ad exchange uses personal data to target people online. Regulators don’t do that unless there’s a problem they need to confirm and subsequently take action on. The ICO, however, has refrained from making similar moves on ad tech to date in part because the Irish DPA is the lead privacy regulator for Google and Facebook in Europe. The U.K. regulator has also arguably had bigger fish to fry.
Hefty fines have already been dished out to…