Following my last post on the data protection challenges associated with adtech, the Information Commissioner’s Office (ICO) announced that it is prioritising its review of the adtech sector. Its stern warning to industry participants came in the form of a report published on 20 June, in which Commissioner Elizabeth Denham wrote: “We are clear about the areas where we have initial concerns, and we expect to see change.”

Some key areas of focus for the ICO’s scrutiny are:

1. Legitimate interests: Adtech publishers, advertisers and platforms often rely on their legitimate interests in processing personal data, rather than seeking consent from internet users. The ICO makes clear in its report that participants in open, real-time advertising auctions are unlikely to have carried out the balancing exercise required to demonstrate those legitimate interests, and that consent must be obtained.

2. Special category data: The ICO warns that adtech participants are breaching the GDPR by processing sensitive types of personal data (including information relating to religion, ethnicity, political views and health) without the explicit consent of the data subject.

3. Industry initiatives: There have been attempts to create standard mechanisms for obtaining consent to adtech-related processing of personal data, most notably the Industry Advertising Bureau’s “Transparency and Consent Framework”. The ICO remains unconvinced by these initiatives, which are “insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent.”

4. Contractual protections: Adtech participants frequently count on contractual controls to safeguard the security of the personal data exchanged during the bidding process. The ICO emphasises that contract terms alone are insufficient to ensure GDPR compliance, and that publishers, advertisers and platforms are responsible for assessing the suitability of third parties with whom they share personal data.

In the first instance, the ICO has allowed adtech industry participants six months to begin addressing these issues. The Commissioner’s call to action was echoed last week by Simon McDougall, the ICO’s Executive Director for Technology Policy and Innovation: “If we do not see fundamental changes being made, we are ready to respond and consider the full range of enforcement actions available to us.”

The gauntlet has been thrown down; it is now up to the adtech sector to respond.

Just one visit to a website can trigger an auction among advertisers which involves our personal data and hundreds of interested bidders. It’s impressive; it’s hard to imagine the speed, scale and complexity of this real-time bidding. It’s also the stuff of data protection nightmares.