The Information Commissioner’s Office is warning adtech companies that the investigation into widespread non-compliance with data protection regulations is resuming

The Information Commissioner’s Office (ICO) announced that it is due to resume its £ 13 billion investigation into the UK advertising technology sector after an eight month suspension due to the pandemic.

The investigation was announced in January last year after the ICO found evidence of widespread non-compliance with the EU’s General Data Protection Regulation (GDPR), which is also enforced in UK law.

The probe was then put on hold in May, with regulators saying it was unwilling to “put undue pressure on an industry at this point” due to Covid-19.

At the time, he added that “concerns remain about Adtech and we plan to resume our operations in the coming months.”

Offer real time

One of the elements the ICO is expected to focus on is real-time bidding (RTB), which is the real-time buying and selling of ad inventory and personal data is traded for ad targeting purposes.

The ICO said companies involved in RTB appear to be failing to comply with GDPR protections when making commercial use of personal data.

“RTB’s complex system can use people’s sensitive personal data to serve ads and requires people’s express consent, which is not currently done,” said Simon McDougall, ICO deputy commissioner.

“Sharing personal data with potentially hundreds of companies without properly assessing and addressing the risk posed by these counterparties also raises questions about the security and retention of that data.”

He said the ICO will conduct a series of audits focused on digital marketing platforms, with assessment notices being issued to specific companies “in the coming months”.

The ICO believes the audits will give it a clearer picture of the current state of the industry.

Data broker

The regulator should also investigate the role of data brokers.

This aspect of the investigation follows an investigation into offline direct marketing services that resulted in an enforcement action against credit reporting agency Experian and others in October 2020.

“All organizations in the adtech space should urgently review how they use personal information,” said McDougall.

“We already have comprehensive guidelines in place in this area that apply to RTB and Adtech as well as other types of processing – particularly with regard to consent, legitimate interests, data protection by design and data protection impact assessments.”

McDougall said the ICO is working with the competition and market regulator to review Google’s proposals to protect the privacy sandbox that would expire support for third-party cookies in the Chrome browser.

Enforcement risk

The plan announced by Google in January 2020 would oblige advertisers to access user data via the Google Privacy Sandbox browser technology.

Mark Thompson, global head of the privacy advisory practice at KPMG, said the ICO’s statement was intended to alert companies that dealing with users’ personal information could put them at risk.

“Companies now need to understand the extent to which they are exposed to the issues identified by the ICO – whether they know what personal data they are sharing with the ecosystem and what data protection laws apply, how transparent they have been to their users and whether they are reviewing their understanding of their supply chain risk.” said Thompson.

He advised organizations to look at the actions taken following recent ICO audits, as this can turn into enforcement cues that require costly changes to fix issues in the short term.