It’s been over two years since the UK’s data protection watchdog warned the behavioral advertising industry that it was getting completely out of hand.
The ICO has done nothing to stop the systematic illegality of the tracking and targeting industry misusing Internet users’ personal data to try to manipulate their attention – not in terms of actually enforcing the law against violators and stopping what digital rights campaigners have described it as the biggest data breach in history.
It is even being sued for inaction against the misuse of personal data through real-time bidding by complainants who filed a petition on the matter as early as September 2018.
But today Britain’s (outgoing) Information Commissioner, Elizabeth Denham, released an op-ed warning the industry that its old illegitimate tricks simply won’t work in the future.
New advertising methods must adhere to a range of what she describes as “clear data protection standards” to protect people’s privacy online, she writes.
Among the data protection and privacy “expectations” Denham suggests she wants to see from the next wave of online advertising technologies are:
• include standard data protection requirements in the design of the initiative;
• give users the choice to receive ads without tracking, profiling or targeting based on personal data;
• be transparent about how and why personal data is processed throughout the ecosystem and who is responsible for that processing;
• articulate the specific purposes for the processing of personal data and demonstrate how this is fair, lawful and transparent;
• address existing privacy risks and mitigate any new privacy risks associated with their proposal
Denham says the aim of the advisory is to provide “further regulatory clarity” as new advertising technologies are developed, further specifying that it welcomes efforts that propose to:
• moving away from current methods of online tracking and profiling;
• improve transparency for individuals and organizations;
• reduce existing frictions in the online experience;
• provide individuals with meaningful control and choices over the processing of device information and personal data;
• ensure that valid consent is obtained where necessary;
• ensure demonstrable accountability throughout the supply chain;
The timing of the advice is interesting, given an imminent decision by the Belgian data protection agency on a flagship consent collection for the advertising industry. (And current UK data protection rules share the same basis as the rest of the EU, as the country transposed the General Data Protection Regulation into national law before Brexit.)
Earlier this month, the IAB warned Europe that it expects to violate the EU’s General Data Protection Regulation, and that its so-called ‘transparency and consent’ (TCF) framework has failed to do any of the things. to achieve those on the tin.
But this is also just the ICO’s latest “reform” mission to rule-breaking adtech.
And Denham is merely repeating requirements derived from standards already in place in UK law — and wouldn’t need to be repeated if her office had actually enforced the law against adtech violations. But this is the regulative dance she prefers.
This latest ICO salvo looks more like an attempt by the outgoing commissioner to claim credit for broader shifts in the industry as she prepares to leave — such as Google’s slow-mo shift to phasing out support for cookies from third parties (also known as ‘Privacy Sandbox’ proposal, which is basically a response to evolving web standards such as competing browsers that encourage privacy protections; increasing consumer concerns about online tracking and data breaches; and a large increase in focus on digital matters from lawmakers) – then it’s about actually moving the needle on illegal tracking.
If Denham had wanted that, she could have taken enforcement action long ago.
Instead, the ICO has opted for — at best — a partial commentary on embedded adtech’s systematic compliance problem. And, essentially, watch as the rift continues; and wait/hope for future compliance.
However, change can happen regardless of regulatory inaction.
And in particular, Google’s “Privacy Sandbox” proposal (which claims “privacy safe” ad targeting of cohorts of users, rather than microtargeting of individual web users) gets a major call in the ICO’s comments — with Denham’s office in a press release that it is: “Currently, one of the main proposals in the online advertising space is the Google Privacy Sandbox, which aims to replace the use of third-party cookies with alternative technologies that still enable targeted digital advertising.”
“The ICO has been working with the Competition and Markets Authority (CMA) to review how Google’s plans will protect people’s personal data while supporting the CMA’s mission to ensure competition in digital markets,” the ICO continues. . a nod to ongoing regulatory oversight, led by Britain’s competition watchdog, which has the power to prevent Google’s Privacy Sandbox from ever being implemented — and therefore stop Google from phasing out support for tracking cookies in Chrome — if the CMA decides the tech giant won’t. can’t do it in a way that meets competition and privacy criteria.
So this reference is also a nod to a dilution of the ICO’s own regulatory leverage in a core adtech area – an arena that is market-reshaping and of interest.
The backstory here is that the UK government has been working on a competition reform that will introduce tailor-made rules for platform giants deemed to have ‘strategic market status’ (and thus the power to hurt digital competition); with a dedicated Digital Markets Unit already established and operating within the CMA to lead the work (but has yet to be empowered by incoming UK law).
So the question of what happens to “old school” regulatory silos (and narrowly focused regulatory specialties) is an important question for our data-driven digital age.
Increased cooperation between regulators such as the ICO and the CMA could give way to oversight that has become even more converged or even merged – to ensure that powerful digital technologies do not fall between the regulatory cracks – and therefore the ball is not dropped as spectacularly at essential issues such as ad tracking in the future.
Intersectional digital supervision FTW?
As for the ICO itself, there is one more important caveat, which is that not only is Denham disappearing (ergo, her “opinion” has a short shelf life of course), but the UK government is busy consulting ‘reforms’ of UK data protection rules.
Said reforms could lead to a major reduction in domestic privacy and data protection; and even legitimize the pursuit of abusive advertisements – if ministers, who seem more interested in pointless sound bites (about removing barriers to “innovation”), eventually pass the legal requirements to ask internet users for permission, to do things the way they do in the first, follow and profile, drop , according to some of the proposals.
So the next British information commissioner, John Edwards, may have a very different set of ‘data rules’ to apply.
And – if that’s the case – Denham, in her roundabout way, will have helped make sliding standards a reality.