On 6 March 2019, the Information Commissioner’s Office (ICO) will host a fact-finding forum in central London. The aim of this forum is to facilitate a dialogue between ad-tech stakeholders. The ICO wants to understand the complexities of ad-tech practices.

Why ad-tech?

‘Ad-tech’ is the product of technology’s transformation of the advertising industry. It uses personal data to compile a personal profile, which is then used to decide whether or not to target an individual with a particular advert. Publishers sell advertising spaces by a process of real-time bidding. Ad-tech practices heavily rely on the use of personal data and artificial intelligence.

The ICO is interested in learning more about ad-tech practices for a number of reasons. Firstly, ad-tech falls within the ICO’s priority areas of ‘online tracking’ and ‘artificial intelligence’, identified in the ICO’s Tech Strategy. Secondly, the ICO recognises that while there are benefits arising from ad-tech, there is also a cause for concern, in particular in relation to real-time bidding. Thirdly, the ICO has received complaints about ad-tech firms’ non-compliance with the General Data Protection Regulation (GDPR).

The ICO acknowledges that there are many diverging views on the overlap between ad-tech practices and GDPR-compliant personal data processing.

Three key themes

The forum will focus on three key themes. These themes have been identified by the ICO through ongoing conversations with the industry.

  1. Transparency and personal data. The ICO wants to ensure that the GDPR’s requirements for notice and transparency are complied with. The ICO wants to find out more about: what individuals are told about the use of their personal data; how individuals are given this information; and how accurate this information is.
  2. Lawful basis for processing personal data. Ad-tech practices currently rely on inconsistent legal bases for processing personal data. The ICO believes that this is because of different schools of thought around the applicability of available GDPR processing bases. The ICO wants to understand why these inconsistencies exist.
  3. Security. The ICO wants to understand how organisations protect personal data when they share it. The ICO notes that personal data is being rapidly shared, “very widely and quickly amongst hundreds of organisations”.

Comment

The forum will enable the ICO to gain a better, and more practical, understanding of the overlap between ad-tech practices and GDPR compliance. Presumably, this understanding will feed into the ICO’s regulation of ad-tech practices in the future, although the ICO has not identified this as a specific aim.