The ICO warned the industry in June that it “appears immature in its understanding of data protection requirements” and that real-time bidding uses people’s data unlawfully.
The regulator expressed strong concern about how companies were illegally collecting and trading special category data, which requires explicit consent from the user, and gave the industry until the end of the year to clean up its act.
However, with just four months to go, Simon McDougall, who is leading the ICO’s investigation, told the Financial Times in an interview that “absolutely nothing has been solved or resolved at this point”.
He said the ICO had been “unsatisfied” with the adtech industry’s responses even before it issued a warning in June and that it is “still not happy” after “digging and digging”.
He added that the industry has so far given “vague, immature and short answers” when asked about how it safeguards personal information and reminded tech firms that any misuse of special category data – such as targeting ads based on personal and sensitive details obtained without permission – would contravene the EU’s General Data Protection Regulation (GDPR).
“This is not an arcane or small point over here. This is fundamental stuff – if you are processing special category data, then you need explicit consent,” he said.
By way of example, McDougall imagined a young man who visits a site related to gay life and makes a few clicks along the way.
“Am I really aware that as the site is loading up, a bid request with my device identifiers and some points around that site including [categories relating to] gay life … are potentially being pinged around to possibly hundreds of organisations?” he asked.
The ICO’s second line of inquiry is into the complexity of the data supply chain, which can involve data transfers to thousands of companies with few checks and little oversight of the security of the data.
“What we’re seeing is a blind reliance on contracts and no real attempt to assess whether the counterparty you’re using is likely to have controls in place around security, retention. That’s just not how the rest of the world works,” McDougall said.
With the GDPR entitling regulators to issue fines of up to 4 per cent of global revenue, he warned the industry to “pay attention” before the end of the year.
“If there’s casualties at the end of the six months, then those organisations are organisations that haven’t been paying attention,” he said.
Sourced from Financial Times; additional content by WARC staff