ICO publishes new data protection standards for the adtech industry

"Privacy" written atop a circuit board

The Information Commissioner's Office (ICO) unveiled new mandatory data protection standards for the advertising technology (adtech) industry on Thursday.

New rules apply to companies designing new methods of online advertising and stipulate data protection laws must be followed and excessive data collection must cease, in line with the UK's Data Protection Act 2018.

The ICO published a Commissioner's Opinion which states data protection of users must be placed at the forefront of any advertising strategy designed by adtech firms.

“Ultimately, new online advertising proposals should improve trust and confidence in the digital economy, instead of weakening it,” the Opinion reads. “Solutions should be privacy-respectful while ensuring they give due consideration to other relevant laws.”

Users will have to be given clear opportunities to receive ads without tracking, profiling, or targeting based on excessive collection of personal data, the ICO said.

Accountability throughout the entire data collection and processing lifecycle is also now mandatory, with companies having to prove who is responsible for what task at each stage of the advertising strategy.

Each strategy must clearly identify the purposeful processing of personal data and consider ways to reduce harm and mitigate risks to individual users before any processing takes place.

Adtech companies must be fair and transparent about the benefits of data collection, articulating this to the users explicitly, and afford users ‘meaningful control’ over processing where possible.

The standard data collection and processing rules as set out by the Data Protection Act 2018 will also apply, such as the principle of data minimisation.


The Okta digital trust index

Exploring the human edge of trust


"What we found during our ongoing adtech work is that companies are collecting and sharing a person’s information with hundreds, if not thousands of companies, about what that person is doing and looking at online in order to show targeted ads or content," said Elizabeth Denham, information commissioner at the ICO. "Most of the time, individuals are not aware that this is happening or have not given their explicit consent. This must change.

"I am looking for solutions that eliminate intrusive online tracking and profiling practices, and give people meaningful choice over the use of their personal data," she added. "My office will not accept proposals based on underlying adtech concepts that replicate or seek to maintain the status quo."

It said Google's Privacy Sandbox is currently one of the leading proposals in the industry and that the ICO is currently working with the Competition and Markets Authority (CMA) to review how the model can be applied in the UK.

Google's Privacy Sandbox aims to replace the use of third-party cookies with other technologies to enable digital advertising. The project is currently subject to antitrust allegations in the US and EU as it forces advertisers to work with Google on ads.

The ICO drew attention to failings in the adtech industry in 2019 saying it found massive illegality in the space with numerous violations of data protection laws, particularly with real-time bidding.

Despite this, the data regulator was threatened with legal action from the Open Rights Group alleging it had failed to enforce data laws against adtech firms falling foul to data laws.

The threat of legal proceedings prompted the ICO to restart its probe into the industry after it was initially paused, saying it didn’t want to put undue pressure on the industry as the COVID-19 pandemic started to take hold in the UK.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.