It’s been well over two years since the UK data protection watchdog warned the behavioral advertising industry that it was out of control.
The ICO has done nothing to stop the systematic illegality of the tracking and targeting industry that abuses internet users’ personal data in an attempt to manipulate their attention – not in terms of law enforcement against violators and stop what digital rights activists have described as the biggest data breach in history.
Indeed, he is being prosecuted for inaction against the misuse of personal data by real-time auctions by complainants who filed a petition on the issue in September 2018.
But today (outgoing) UK Information Commissioner Elizabeth Denham issued a notice – in which she warns the industry that her old illegal tricks simply won’t work in the future.
New advertising methods must comply with a set of what she calls “clear data protection standards” in order to protect the privacy of people online, she writes.
Among the “expectations” for data protection and privacy, Denham suggests that she wants to see the next wave of online ad technology:
• Incorporate default data protection requirements into the design of the initiative;
• offer users the choice of receiving advertisements without tracking, profiling or targeting based on personal data;
• be transparent about how and why personal data is processed across the ecosystem and who is responsible for this processing;
• state the specific purposes of the processing of personal data and demonstrate how this is fair, lawful and transparent;
• address existing privacy risks and mitigate any new privacy risks that their proposal introduces
Denham says the aim of the notice is to provide “greater regulatory clarity” as new advertising technologies are developed, further adding that she welcomes efforts that propose to:
• move away from current online tracking methods and profiling practices;
• improve transparency for individuals and organizations;
• reduce existing friction in the online experience;
• provide individuals with meaningful control and choice over the handling of device information and personal data;
• ensure that valid consent is obtained when required;
• ensure that there is demonstrable accountability throughout the supply chain;
The timing of the notice is interesting, given the imminent decision of the Belgian data protection agency on a flagship tool for collecting consent from the advertising industry. (And the current UK data protection rules share the same foundation as the rest of the EU, as the country transposed the General Data Protection Regulation into its national law before Brexit.)
Earlier this month, IAB Europe warned that it expects to be found in violation of the EU’s General Data Protection Regulation and that its framework says “transparency and consent” (TCF ) failed to reach any of the things claimed on the tin.
But it’s also just the latest ICO “reform” missive to adtech that breaks the rules.
And Denham is only rephrasing requirements derived from standards that already exist in UK law – and would not need to be reiterated if his office had effectively enforced the law against adtech violations. But it is the regulating dance that she preferred.
This latest ICO salvo looks more like an attempt by the outgoing commissioner to claim credit for broader changes in the industry as she prepares to step down – like Google’s slowing down towards phasing out the support for third-party cookies (i.e. ‘Privacy Sandbox’ proposal, which is actually a response to evolving web standards such as competing browsers incorporating privacy protections; the growing concern consumers regarding online tracking and data breaches; and a sharp increase in lawmakers’ attention to digital issues) – that it is not really about moving the needle on illegal tracking.
If Denham had wanted to do this, she could have taken enforcement action long ago.
Instead, the ICO opted for – at best – a partial commentary on the systematic compliance issue of integrated adtech. And, essentially, to sit idly by while the breach continues; and wait / hope for future compliance.
However, changes can occur regardless of regulatory inaction.
And, most notably, Google’s “Privacy Sandbox” proposal (which claims “privacy-protected” ad targeting of cohorts of users, rather than micro-targeting of individual web users) receives significant appeal in the remarks. of the ICO – with the Denham office writing in a press “Currently, one of the most important proposals in the online advertising space is the Google Privacy Sandbox, which aims to replace the use of third-party cookies with alternative technologies that still allow targeted digital advertising. “
“The ICO worked with the Autorité de la concurrence et des marchés (CMA) to examine how Google’s plans will protect people’s personal data while supporting the CMA’s mission to ensure competition in digital markets.” , continues the ICO, giving a nod to the ongoing regulatory oversight, led by the UK’s competition watchdog, which has the power to prevent the implementation of Google’s Privacy Sandbox – and therefore prevent Google from phasing out support for cookie tracking in Chrome – if the CMA decides the tech giant can’t do it in a way that meets competition and privacy criteria.
This reference is therefore also a nod to a dilution of the ICO’s own regulatory influence into a main arena related to ad technology – an arena that is of reforming scale and import of the market.
The backstory here is that the UK government has been working on a competition reform that will introduce tailor-made rules for platform giants seen as having ‘strategic market status’ (and therefore the power to undermine digital competition. ); with a dedicated digital markets unit already established and operational within the CMA to lead the work (but still awaiting empowerment by future UK legislation).
So the question of what happens to “old-fashioned” regulatory silos (and narrowly focused regulatory specialties) is a key question for our data-driven digital age.
Increased cooperation between regulators like the ICO and CMA can give way to even more convergent or even merged oversight – to ensure that powerful digital technologies don’t fall between regulatory cracks – and therefore the ball doesn’t get caught. so dramatically dropped on vital issues like ad tracking in the future.
Digital intersectional surveillance FTW?
As for the ICO itself, there is another important caveat in the fact that Denham is not only on the verge of extinction (his “opinion” naturally has a short lifespan), but the government UK is consulting on UK data “reforms”. protection rules.
These reforms could lead to a major degradation of privacy and data protection at the national level; and even legitimize abusive advertising monitoring – if the ministers, who seem more interested in meaningless sound clips (on the removal of obstacles to “innovation”), end up abandoning the legal obligations to ask Internet users for consent to do things like follow and profile them in the first place, depending on some of the proposals.
So the next UK Information Commissioner, John Edwards, might have a very different set of ‘data rules’ to apply.
And – if this is the case – Denham will have, in his roundabout way, helped to change standards.