Data protection standards for adtech have been outlined by the ICO in order to ensure that companies safeguard people’s privacy online.
The ICO has called on various companies to address and eliminate the existing privacy risks associated with the adtech industry. The Information Commissioner recently published an opinion warning companies that are designing novel methods of online advertising, that compliance with data protection laws is paramount, and that the excessive collection and use of personal data needs to be curbed. While online advertising has developed to the point of being very targeted and therefore much more successful, this has been made possible by the availability and use of lots of personal data, allowing ads to be customized to the audience. Personal data must remain protected and therefore compliance to laws and standards relating to the protection of personal data is imperative.
The UK’s Information Commissioner believes that market participants should aim for solutions that are focused on individuals’ rights, freedoms and interests.
The ICO, in its recently issued opinion, calls for a move away from intrusive tracking technologies as these are likely to continue to pose risks and test compliance. The opinion asks companies to “embody the core concepts of data protection by design and by default, and not reinforce or replicate intrusive practices.” The Information Commissioner lists five key principles upon which any solution, proposal or initiative should be built in order to support the key considerations for design, documentation, accountability and auditability. These principles include data protection by design, user choice, accountability, purpose, and reducing harm. These principles are to be considered holistically, and any proposals should demonstrate clearly how they are being applied.
In order to uphold the data protection standards for adtech, the ICO provided recommendations for more specific guidance.
The ICO has provided several specific recommendations for companies who use adtech, to ensure that they not only remain in compliance but also keep the rights and freedoms of individuals as a priority. The UK watchdog recommends, explaining and demonstrating design choices in the architectural design decisions for solutions, ensuring the organizations that implement these solutions are sufficiently enabled to integrate the necessary safeguards. The ICO also makes it clear that the benefits and outcomes of these solutions need to be fair and transparent. Data minimization remains important as a general rule, as well as maintaining the need to protect users. The ICO recommends giving users meaningful control, and provides, in this recent opinion, steps to ensure that user control is strengthened and takes significance over processing in solution design.
The principles of proportionality and necessity must be considered and organisations should be able to demonstrate that they cannot reasonably achieve the required purpose in any less intrusive way, in order to justify the impact on individuals. Solutions must allow organizations to easily identify and meet the requirements of appropriate lawful basis, identifying where PECR requires consent, and where consent meets the GDPR standard. In addition, solutions must particularly address the potential for processing special category data, and allow organisations to identify the appropriate condition under which it is being processed. The aim is to allow new online advertising proposals to improve trust and confidence in the digital economy, rather than threaten that.
The Information Commissioner welcomes further input, and reserves the right to revise the views therein, based on further findings.
The information commissioner reserves the right to form a different view based on further findings, changes in circumstance and engagement with stakeholders. That said, the ICO is open to receiving further input that may help in understanding these developments from the perspective of data protection, or help market participants understand the broader data protection impacts of their proposals or how they may better incorporate data protection by design and default into their services.