Menu

adtech-blog-imageIn the past month the Information Commissioner’s Office (ICO) issued both a report on the AdTech industry and a new guidance on cookies that have far-reaching consequences for all organisations.

First, on 20th June 2019, the ICO published their updated report into AdTech and real time bidding, with findings that may affect the whole online advertising industry. The ICO focused specifically on the processing of special categories of data, and the widespread data sharing across the AdTech sector. They will continue to investigate the industry in the next six months, and online advertisers are strongly encouraged to review their practices in light of this report.

Simon McDougall, ICO, said: ‘If you operate in the AdTech space, it’s time to look at what you’re doing now, and to assess how you use personal data. We already have existing, comprehensive guidance in this area, which applies to RTB and AdTech in the same way it does to other types of processing – particularly in respect of consent, data protection by design and data protection impact assessments (DPIAs).’ (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/06/blog-ico-adtech-update-report-published-following-industry-engagement/)

The French Data Protection Authority (CNIL) adopted a similar action plan for 2019-2020 on 28th June 2019, making investigating online targeting practices in the industry a priority.

This does not only target ad brokers and advertisers, but also any publisher (i.e. website editor) relying on such providers. As a website editor (publisher), you determine the means and purposes of the processing for the personal data of users visiting your website, and you will be considered as a controller under the data protection legislation.

Any organisation involved in digital advertising is accountable for the online targeting solution they use. Today, most organisations have some form of digital advertising activities and work, to some extent, with advertisers. Very few organisations are able to conduct their own digital advertising campaigns from A to Z.

Second, the ICO published their new guidance on cookies and collection of consent, especially referring to the practices to adopt when conducting digital advertising.

While the developments in this area are not new, it brought an important clarification where some deceitful advisers or sellers used to argue otherwise.

Ali Shah, ICO, stated: ‘Our updated guidance is based on the basic information rights principles of fairness, transparency and accountability. Being fairer, more transparent and accountable to the people who use your website will increase their trust and confidence in you, and that benefits everyone. Cookie compliance will be an increasing regulatory priority for the ICO in the future.’ (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/)

In this regard, it is important to note that:

 

  • You cannot rely on implied consent for the use of cookies, you need express opt-in as per General Data Protection Regulation (GDPR) standards.
  • Analytics cookies cannot be considered as strictly necessary and you must seek consent for such cookies as well.
  • You cannot use a cookie wall to restrict access to your site until users’ consent.
  • You cannot rely on legitimate interests to set cookies, consent is always required for non-essential cookies, such as those used for the purposes of marketing and advertising.

 

As a website publisher, you have to determine how your cookie banner will collect consent from your visitors, meaning that you are responsible for this technical solution.

It is equally important to note that such regulatory movement is not happening only in the UK, but in other EU countries where Data Protection Authorities have issued similar statements. The French CNIL has followed with a similar updated cookies guidance, and the Irish Data Protection Commission is currently investigating Google and Quantcast on their digital advertising practices.

Let’s not forget that Google has been fined €50 million in January 2019 by the CNIL expressly because the giant was not properly capturing consent to deliver digital advertising to their users.

This should now be a wake-up call for many advertisers and publishers in the EU.

To understand how this will affect your organisation, we are happy to provide support and review your current practices where necessary.

 

Article Author.

Samuel Plantie

Principal Data Protection Consultant
Samuel is a Principal Data Protection Consultant in the Data Protection Team at Gemserv. He has a PhD in Law... Read More From Samuel Plantie

Our Latest Insights.

Our work means different things to different clients and we wanted to share some details of the projects we have managed to give you an insight into our capabilities and the impact we have delivered as a business.

 

View All Insights

Say Hi.

Did you like what you read? Did you want to find out more about the subject? Or did you simply want to get in touch with us? Either way if you would like to get in touch with us you can do so using the form on the right.

Gemserv will use your details to get in touch with you and to send you information about our products and services that you have requested, in accordance with our privacy policy. You can, of course, opt out of these communications at any time!

Get In Touch

Want to find out more?

Follow the links below find out more about the services we provide, our insight into the industries we serve or the opportunities available with us.
Sectors Capabilities Our Insights Careers