The UK’s Information Commissioner’s Office has issued an Opinion entitled ‘Data Protection and Privacy Expectations for Online Advertising Proposals’ (the ‘Proposals’), which sets out the ICO’s expectations around privacy standards for new advertising technologies.
Following the ICO’s ‘Update Report into adtech and real time bidding’ in 2019, stakeholders and advertisers within the industry have been working to find new ways of advertising which removes the need for third party cookies or other cross-site tracking mechanisms. Currently, one of the most significant initiatives is the Google Privacy Sandbox, which aims to replace the use of third party cookies with alternative technologies that still enable targeted digital advertising. In an effort to remain ahead of the curve, the Proposals aim to give advanced warning to organisations that their obligations under data protection law must remain at the forefront of their minds when developing any new advertising technology (‘AdTech’), with a clear message that should not assume that just removing third party or indeed any cookies from an advertising solution will circumvent privacy concerns.
The Proposals contribute to a constant and growing tension between the regulator and the AdTech industry over the use of tracking technologies, with the ICO voicing on a number of occasions that it does not view many of the practices adopted in the industry as complying with data protection law. The Proposals not only repeat this position, but clearly outline to companies that these practices will not be tolerated, with the Information Commissioner noting 'I am looking for solutions that eliminate intrusive online tracking and profiling practices, and give people meaningful choice over the use of their personal data. My office will not accept proposals based on underlying adtech concepts that replicate or seek to maintain the status quo'. This comes after similar discussions at supranational level, with many critics calling on the EU to amend its draft Digital Services Act to increase regulation for targeted advertising technologies.
Key points and recommendations
The ICO has made it clear that attempts by the industry to ‘re-package’ the existing technologies will not be acceptable and that it expects all new AdTech initiatives to:
- embed data protection requirements by default into the design of the initiative;
- offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data;
- be transparent with users about how and why their personal data is being processed and who is responsible for that processing;
- articulate the specific purposes for processing personal data and demonstrate how this is fair lawful and transparent; and
- address and mitigate associated privacy risks.
The Proposals outline a series of ‘recommendations’ for organisations:
1. Demonstrate and explain design choices: Companies should be able to clearly demonstrate and explain their design choices and how data protection implications were considered during this process;
2. Be fair and transparent about the benefits: Companies should outline what the AdTech is seeking to achieve and the benefit it intends to provide (including transparency around processing activities and their purpose);
3. Minimising data collection and further processing: This is intended to address the ICO’s concerns over ‘function creep’ and the sharing of data across multiple services within large platforms, noting that personal data is often used for purposes outside of what it was originally collected for. Companies must ensure they are only collecting the data necessary to achieve their purpose, as well as ensuring that the data can be tied back to that original purpose throughout its processing;
4. Protect users and give them control: This reinforces the ICO’s message that data subjects must be given the opportunity to opt-out of tracking where preferred, as well as exercise their rights in respect of their data;
5. Lawfulness, risk assessments and information rights: The ICO has been clear to reiterate the need for data protection impact assessments as a mechanism for demonstrating compliance. It has also noted that any AdTech should enable organisations to identify their lawful basis e.g. if the lawful basis is consent, ensuring that this consent meets the UK GDPR standard;
6. Special Category Data: The ICO has again reiterated the need for additional protections where special category data may be involved, including embedding processes within the AdTech to allow companies using it to identify the appropriate conditions under Article 9 UK GDPR and protect the data accordingly.
Analysis
Whilst the Proposals do not constitute a decision or official guidance, the document does provide a useful insight into the regulator’s expectations. In large part, the Proposals do not offer up anything by way of surprise, but they do provide a clear statement from the ICO that stakeholder’s need to consider data protection and user privacy issues now during the development stages to ensure new AdTech will be compliant. With a clear concern that any new AdTech will replicate the issues identified in their 2019 Report, the Proposals urge organisations to consider these issues early and incorporate them accordingly, as well as firing a warning shot that the ICO will be monitoring AdTech closely.