The UK’s data protection authority has been warning the behavioural advertising sector for well over two years that it is out of control. The ICO has done nothing to stop the tracking and targeting industry from abusing Internet users’ personal data in order to manipulate their attention — at least not in terms of actually enforcing the law against offenders and preventing what digital rights campaigners have dubbed the “biggest data breach in history.” Indeed, complainants who filed a petition on the subject in September 2018 are suing it for its inactivity against real-time-exploitation bidding’s of personal data.
However, today, Elizabeth Denham, the UK’s (outgoing) information commissioner, released an opinion in which she cautions the sector that its old illegal tactics will not work in the future. In order to preserve people’s privacy online, new forms of advertising must adhere to a set of “clear data protection criteria,” she argues.
Given an anticipated judgment by Belgium’s data protection authorities on a key sector permission collection tool, the timing of the opinion is intriguing. (In addition, because the UK transferred the General Data Protection Regulation into national law before Brexit, existing UK data protection standards are based on the same principles as the rest of the EU.) The IAB Europe warned earlier this month that it expects to be found in violation of the EU’s General Data Protection Regulation, and that its so-called “transparency and consent” framework (TCF) has failed to deliver on either of its promises.
However, this is the ICO’s latest’reform’ missive to rule-breaking adtech. Denham is just restating requirements derived from standards already in place in UK law – requirements that would not need to reiterate if her agency actively enforced the law against adtech violators. However, she has always liked the regulatory dance.
As she prepares to leave office, this latest ICO salvo appears to be more of an attempt by the outgoing commissioner to claim credit for broader industry shifts, such as Google’s slow-motion shift toward phasing out support for third-party cookies (aka, its ‘Privacy Sandbox’ proposal. Which is actually a response to evolving web standards such as competing browsers baking in privacy protections); rising consumer concern about online tracking and data breaches; and a big rise in the use of blockchain technology.
Denham could have taken meaningful enforcement action long ago if she had wanted to. Instead, the ICO has chosen to make only a cursory statement on embedded adtech’s systemic compliance issue. In addition, ultimately, to wait and hope for future compliance whiles the breach continues.