ICO opinion on the importance of data protection standards when developing new online advertising technologies

Published on 08 June 2022

What steps are being proposed by the UK’s ICO to ensure that new online advertising technologies are designed with the protection of consumers’ personal data in mind?

The key takeaway

In a 48-page Opinion published on 25 November 2021, the UK’s Information Commissioner’s Office (ICO) (then under the former commissioner, Elizabeth Denham) set out its expectations (along with some words of advice) in connection with privacy standards for new advertising technologies. All organisations involved in the development of ad-tech solutions should pay attention to this opinion to ensure that their future projects are not adversely affected by any regulatory change.

The background

In 2019, the ICO published a report exploring the relationship between digital cookies (and similar advertising technologies such as Real Time Bidding (RTB)) and the processing of personal data. The report revealed that a significant portion of these technologies contained inherent design flaws stemming from, amongst other things, cookie consent mechanisms being unable to collect “explicit consent” for special category data, whilst simultaneously over-relying on the “legitimate interest” exemption under the e-Privacy Regulations (PECR).

The report also highlighted other systemic failures such as a lack of comprehensive information about the purposes for which the technologies are used, the unethical exploitation of personal data for profiling purposes and a general lack of clarity regarding the entity responsible for processing personal data across the different stages of the technology supply chain itself.

Since the report was published the ad-tech industry has developed a number of initiatives (such as the Google Privacy Sandbox and Apple’s Identifier for Advertising) aimed at creating and proliferating less intrusive forms of tracking/profiling.

The development

In November 2021 the former Commissioner, Elizabeth Denham, published her opinion on ad-tech developments, in which she stated that she expected ad-tech solutions to meet the following expectations:

  • Data protection by design – individuals’ interests, rights and freedoms should sit behind any design proposal.
  • User choice – individuals must be offered the ability to receive adverts without tracking, profiling, or targeting based on personal data. In circumstances where individuals choose to share their data, they must have meaningful control over this process as well as the ability to be fully autonomous when it comes to availing themselves of their information rights.
  • Accountability – there must be accountability across the full lifecycle of the processing and supply chain, with transparency about how and why personal data is processed (which must also be transparent to the user, and clearly evidenced to regulators).
  • Purpose – adtech proposals must clearly articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent.
  • Reducing harm – adtech proposals must address existing privacy risks and also consider any new risks they introduce, and how they will mitigate them before any processing takes place.

In addition to the above, the Commissioner made a number of further recommendations providing additional guidance regarding compliance as well as factors that regulators are likely to take into account when undertaking data protection impact assessments (DPIAs). These include:

  • Demonstrate and explain the design choices – clearly describe the adtech solution’s architectural design decisions, how these were made, and the data for those concerned.
  • Be fair and transparent about the benefits – explain the benefits and outcomes the solution seeks to achieve, including from the user’s perspective.
  • Minimise data collection and further processing – ensure the solution processes the minimum amount of data necessary to achieve its purposes. 
  • Protect users and give them meaningful control – the solution should demonstrate how it reduces the profiling of end-consumers.
  • Necessity and proportionality – the solution must enable organisations that use it to demonstrate that i) it is a targeted and effective way of achieving their purpose, ii) the benefits of its utilization are not disproportionate to any privacy risks, and iii) they cannot reasonably achieve the purpose using a less intrusive method.
  • Lawfulness, risk assessments and information rights – the solution must allow organisations that use it to identify the appropriate lawful basis and meet its requirements.
  • Special category data – the solution should be designed in such a way to address the potential for the processing of special category data.

It is also important to note that the Commissioner, throughout this wide-ranging opinion, repeatedly warns developers not to “repackage” current ad-tech solutions and relabel them as new ones without materially changing their flawed designs.

Why is this important?

Although this opinion is not legally binding, it lays down the ICO’s stance on this issue and gives an indication of the future direction of any regulatory change impacting the ad-tech space. Put another way, it gives an insight which organisations involved in the creation of online advertising technologies would do well to observe. 

Any practical tips?

The opinion emphasizes the importance of being able to demonstrate compliance with, or attempts to comply with, the guidance/expectations described. Organisations should therefore evidence and leave an audit trail highlighting how they have considered privacy-related concerns and proactively addressed such issues at every stage of the adtech solution’s development.