Rowly Bourne: What does the ICO really think about adtech?

Rowly Bourne the founder of Rezonence, is NDA’s latest monthly columnist.

“We are concerned about this industry because of the nature and the scale of the processing that goes on.”

It’s fair to say that Simon McDougall, Executive Director – Technology Policy and Innovation, the ICO’s assessment of why it has taken a specific interest in our industry was pretty unequivocal.  This was just one of the key topics covered in a fascinating interview at our recent event.

I got straight down to business with a question that many are keen to get an answer to.

“The RTB report cites ‘In our view, the only lawful basis for business as usual RTB processing of personal data is consent.  Core functionality in RTB systems that enables this profiling, processing and use of personal data is the audience segment’.  So, would you say that consent must be demonstrated for every user in every audience segment?”

Simon started by going back to basics, and what the GDPR is essentially looking to regulate:

“The key question is are you processing data that relates to living individuals, including things like device IDs? If data is being aggregated it no longer relates to people, then that’s not within our scope and we’re not worried.  What we are worried about is when data is linked to the individual, and where information is being inferred and causes are being assigned to that person; because that’s a personal data profile and we are worried about that.”

This led to the first audience question, from none other than our good friend Rob Webster:

“You talk about aggregated data, but a segment of aggregated users is a collection of individual IDs effectively, so is that still aggregated data?”

And it was Simon’s answer to this question that brought the clarity we were hoping for:

“If it’s still a collection of individual IDs, if the individual identifiers are still there, then that’s still personal data. So yes, we are worried about that.”

The conversation continued and after an admittedly “very equivocal” answer to his first question on fines, Amir Malik of Accenture Interactive was keen to ask a second:

“There’s been a wave of investment by brands partnering with companies who are advising them on how to use their first party data.  And there’s been drastic action by some of these brands — especially in the financial service industry — to stop sharing data with Facebook until they are fully clear how that data is being used. Would you say they are doing the right thing? 

And Simon’s answer here was much clearer:

“A lot of our focus right now isn’t with the brands, because we’re starting with the where the data is, and that’s with adtech primarily. But the money bank rolling this is coming from the brands, so that is the message we are giving over to that community.”

Up to this point, the discussion had understandably been focused on the headline issues of consent — specifically opting in — and responsibility when it comes to data breaches.  The conversation then took an interesting turn, with a question on cookie matching, a hot topic at the moment with the actions of the browsers and crumbling of the third-party cookie.

“Would you consider cookie matching as re-identification of de-identified data?”

Simon was clear that the team was looking into cookie matching.

“When we look at this, we’re going back to basics. Can this data be related to a living individual? If so, it’s personal data, if no, it’s not.  If it’s not personal data, the GDPR doesn’t apply, if it is, it does.”   

Next, we had a very direct question from Julia Smith, PR Director at Channel Factory:

“At what point does the ICO step in and name and shame? Can we expect to see some of these names in the headlines, and brands’ names in the headlines?

While he took a far slightly less direct approach than his colleague, Ali Shah, did at the recent ExchangeWire ATS event, the underlying message was very much the same. 

“As we get towards mid-December, we’re going to be assessing whether we’ve seen movement in the industry.

If the ICO is comfortable with the way market is moving, what happens with the ones that aren’t compliant?  Because there are maybe bad actors out there who are not engaged and are hoping to just keep doing whatever they’ve been doing for the last 2 years —it’s going to be incumbent on the ICO to be prepared to take action against those actors.”

Simon was also clear on the ICO’s position in monitoring the success of different approaches to the issue.

“It’s not for us, as a regulator, to be saying ‘we’ve built a new way to do all of this’, because it would be crap; because we’re regulators, we’re not professionals, you guys are the experts.

I do think something we can do as a regulator is to say what we think good practice is. As we’ve engaged along the way, we have absolutely seen really interesting examples of good practice and we’ve seen different organisations doing interesting things — including Rezonence.

We do want to call out good practice, but we shouldn’t be dictating exactly how it should work.

To close the show, perhaps the most direct question of the day:

“To paraphrase — hopefully correctly — the central crux of Johnny Ryan’s argument; broadcasting user IDs is a breach, so consent doesn’t really matter at that point, you can’t consent for a data breach…and given that context…this time next year, will there be open RTB based on user IDs, or do we as an industry have to totally refocus — is there a GDPR-compliant way of broadcasting a user identifier in a bid request and response?”

Simon’s response was clear, that no final solution or position had yet been identified but that continued industry action was neccessary:

“That’s getting to the real root of this, that’s what we’re trying to understand and we’re looking to the industry to work this out over this period.  We’re not advocating the Johnny Ryan position at all, and not dispelling it either. We believe there are a range of ideas for how to address many of these issues and we are encouraged by this.  At the same time, we haven’t seen anything which is fully mature and thought through. 

There is lots of stuff bubbling away and we don’t have a position on what the end result looks like.  But we do know that something has to change from how we’re doing it now.”

In conclusion, although Simon was not able to go into the detail that perhaps the audience was looking for, it’s undeniable that he shed significant light on exactly how the ICO is looking to approach the GDPR in adtech.

And importantly for the industry, whilst they are clearly not afraid to wield their punitive powers as and when the situation calls for it, they are fully aware of the complexity of adtech and that most players are simply trying to provide a better advertising service.

The industry clearly needs to change and doing nothing is not an option.  The ICO are keen to work with us to find a sensible and compliant route forward, and it’s fundamental that we all engage as much as we can to help shape that route. 

Pin It on Pinterest