From the ICO to DPO, it’s time publishers tackled industry acronyms

By Rhys Denny, VP of Sales at Sourcepoint

After the chaos of Covid and the Brexit withdrawal agreement having finally been struck, it’s been tempting to want to ignore one of our industry’s biggest issues – or at least kick the can down the road.

Publishers beware: the UK’s Information Commissioner’s Office is back on the industry’s heels having resumed its investigation into real time bidding (RTB) and the adtech industry. Not that you’d know it from the scant coverage it has incurred following the announcement in late January.

Eighteen months ago it was a different story, with the industry effectively “put on notice” for data practices. Then along came the pandemic and the ICO paused activity in May in order to prioritise activities responding to COVID-19.

A matter of urgency

All organisations operating in the adtech space should be assessing how they use personal data “as a matter of urgency”, says ICO Deputy Commissioner Simon McDougall now.

I couldn’t agree more. The ad industry is again in the ICO’s crosshairs and cannot afford to not give this issue its full attention. Be in no doubt: from the staunch language used it is clear that the ICO is putting its weight behind this investigation.

It warns that the industry is already failing, saying sensitive personal data continues to be used to serve adverts without explicit consent, which is a requirement.

Those hoping that Britain’s split from the European Union will cause the constraints of the General Data Protection Regulation (GDPR) to reduce will be disappointed – the GDPR has been incorporated into UK data protection law as the UK GDPR. In practice there is little change to the core data protection principles, rights and obligations for those operating inside the UK. The EU GDPR may also still apply directly to you if you operate in the European Economic Area (EEA) and will still apply to any organisations in Europe which send data to the UK.

Action is inevitable

The ICO is already taking action. It issued enforcement action against Experian in October last year following its data broking investigation into offline direct marketing services and is now reviewing the role of data brokers in the adtech ecosystem.

Its warnings now come off the back of a raft of investigation and fines by various Data Protection Agencies (DPAs) across Europe for a number of breaches relating to GDPR. Some €17m of fines were served in January alone, with €270m over the last 18 months.

Not all of these relate to advertising, but it shows that this is being taken seriously at the highest of levels. The onus is particularly on publishers, perhaps unfairly so. A publisher will do all the right things in terms of data infrastructure, despite aggressive revenue constraints and the big players taking all of the money out of the industry, but with so many balls in the air some may drop.

Ignorance is no excuse

Publishers own the consumer relationship and have a duty of care to keep their data legal and safe: they are responsible for any lapses in third party breaches and must, ultimately, carry the can.

And ignorance or plausible deniability is no excuse. As the ICO points out: “Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.”

This comes when publishers are already losing revenues from the loss of audience from third-party tracking cookies and at a time when they face increased pressure from Google and Facebook, who they believe are not giving them a fair deal – as is evidenced by the situation in Australia right now, where Google is threatening to shut down search if forced by lawmakers to pay publishers for content links in search results. Similar moves have been mooted by the European Union, according to a report in the Financial Times this week.

Solutions for today – and for the tomorrow we do not yet know

It’s why they require privacy solutions that work now and are future-proofed against other changes. The reality is, premium publishers are needed more than ever, but they face being squeezed from all sides. Without the ability for publishers to reliably monetise content, or if fines are levied on those publishers, then the quality content ecosystem we know, trust and respect is at risk of extinction.

It’s why publishers should look to partner with companies that help them know what is going on behind the scenes and give them a fighting chance to protect themselves not just against non-compliance and the so-called bad actors but fundamentally the lack of transparency that has been built into the ecosystem as it evolved.

Make no mistake: changes are coming, and fast, but it is anyone’s guess as to how exactly this will play out.

The ICO’s grace period is over, Google is committed to phasing out cookies over the next year and the privacy debate is only going in one direction. The Data Protection Officer (DPO) has become a key figure in any company in a short space of time. It’s time for our industry to get its house in order and help lead the debate rather than be pulled along by the actions of others.

Let’s not wait for the ICO to make an example of the industry or scapegoats of its players. Let’s instead look to the future and the spirit as well as the letter of the existing and mooted laws.

It might not seem fair that publishers are bearing the brunt of the heavy lifting, but they hold the keys to the consumer and that trusted relationship. It is incumbent on us to uphold that whatever the cost. Publishers and advertisers must work hand in hand to align incentives that allow the entire ecosystem to raise the bar on privacy practices and data ethics. Because failing to do so could cost us so much more.