In the past month the Information Commissioner’s Office (ICO) issued both a report on the AdTech industry and a new guidance on cookies that have far-reaching consequences for all organisations.
First, on 20th June 2019, the ICO published their updated report into AdTech and real time bidding, with findings that may affect the whole online advertising industry. The ICO focused specifically on the processing of special categories of data, and the widespread data sharing across the AdTech sector. They will continue to investigate the industry in the next six months, and online advertisers are strongly encouraged to review their practices in light of this report.
Simon McDougall, ICO, said: ‘If you operate in the AdTech space, it’s time to look at what you’re doing now, and to assess how you use personal data. We already have existing, comprehensive guidance in this area, which applies to RTB and AdTech in the same way it does to other types of processing – particularly in respect of consent, data protection by design and data protection impact assessments (DPIAs).’ (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/06/blog-ico-adtech-update-report-published-following-industry-engagement/)
The French Data Protection Authority (CNIL) adopted a similar action plan for 2019-2020 on 28th June 2019, making investigating online targeting practices in the industry a priority.
This does not only target ad brokers and advertisers, but also any publisher (i.e. website editor) relying on such providers. As a website editor (publisher), you determine the means and purposes of the processing for the personal data of users visiting your website, and you will be considered as a controller under the data protection legislation.
Any organisation involved in digital advertising is accountable for the online targeting solution they use. Today, most organisations have some form of digital advertising activities and work, to some extent, with advertisers. Very few organisations are able to conduct their own digital advertising campaigns from A to Z.
Second, the ICO published their new guidance on cookies and collection of consent, especially referring to the practices to adopt when conducting digital advertising.
While the developments in this area are not new, it brought an important clarification where some deceitful advisers or sellers used to argue otherwise.
Ali Shah, ICO, stated: ‘Our updated guidance is based on the basic information rights principles of fairness, transparency and accountability. Being fairer, more transparent and accountable to the people who use your website will increase their trust and confidence in you, and that benefits everyone. Cookie compliance will be an increasing regulatory priority for the ICO in the future.’ (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/)
In this regard, it is important to note that:
- Analytics cookies cannot be considered as strictly necessary and you must seek consent for such cookies as well.
- You cannot use a cookie wall to restrict access to your site until users’ consent.
- You cannot rely on legitimate interests to set cookies, consent is always required for non-essential cookies, such as those used for the purposes of marketing and advertising.
As a website publisher, you have to determine how your cookie banner will collect consent from your visitors, meaning that you are responsible for this technical solution.
It is equally important to note that such regulatory movement is not happening only in the UK, but in other EU countries where Data Protection Authorities have issued similar statements. The French CNIL has followed with a similar updated cookies guidance, and the Irish Data Protection Commission is currently investigating Googleand Quantcast on their digital advertising practices.
Let’s not forget that Google has been fined €50 million in January 2019 by the CNIL expressly because the giant was not properly capturing consent to deliver digital advertising to their users.
This should now be a wake-up call for many advertisers and publishers in the EU.
To understand how this will affect your organisation, we are happy to provide support and review your current practices where necessary.
Hear Samuel Plantie, Data Privacy Consultant at Gemserv speak on “Data Protection, AdTech Industry and Digital Advertising: The Challenges to Come” at PrivSec Dublin. For more information visit the PrivSec Dublin website.
Written by Samuel Plantie, Principal Data Protection Consultant, Gemserv.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.