Adtech told to keep calm and fix its ‘lawfulness’ problem

Six months after warning that the real-time bidding (RTB) component of programmatic online advertising is wildly out of control — i.e. in a breaking the law sense — the U.K.’s data protection watchdog has marked half a year’s regulatory inaction with a blog post that entreats the adtech industry to come up with a solution to an “industry problem.” 

Casual readers of the ICO’s pre-Christmas message for European law-flouting adtech might be forgiven for thinking it looks a lot like the regulator telling the industry to “keep calm and carry on regulating yourselves.”

More informed readers, who understand that RTB is a process which (currently) entails systematic, privacy eviscerating high-velocity trading of people’s personal data for the purpose of targeting them with ads, might feel moved to point out that self-regulation is a core part of why adtech is in the abject mess it’s in.

Ergo, a data protection regulator calling for more of the same systemic failure does look rather, uh, uninspiring.

In the mildly worded blog post, Simon McDougall, the ICO’s executive director for technology and innovation — who does not appear to work anywhere near an enforcement department — includes such grand suggestions for adtech law-breakers as: “keep engaging with your trade associations.”

You’ll have to forgive us for not being overly convinced such a step will lead to any paradigm tilts to privacy — or “solutions that combine innovation and privacy,” as McDougall puts it — given episodes like this.

Another of the big ideas he has for the industry to get with the legal program is to suggest people working in adtech “challenge” senior management to “review their approach.”

Now we know employee activism is rather in vogue right now — at least at certain monopolistic tech giants who’ve scaled so big, and employ such large armies of lawyers, they’re essentially immune to moral and societal operational norms — but we’re not sure it’s the greatest look for the U.K.’s data watchdog to be encouraging adtech professionals to put their own jobs on the line instead of, y’know, doing its job and enforcing the law.

It’s possible that McDougall, a relatively recent recruit to the regulator, may not yet know it from his perch in the “technology and innovation” unit, but the ICO does have a powerful toolbox at its disposal these days. Including the ability, under the pan-EU General Data Protection Regulation framework, to levy fines of up to 4% of global turnover on entities it finds seriously violating the law.

It also can order a stop to law-violating data processing. And what better way to end the mass-scale privacy violations attached to programmatic advertising than by ordering personal data be stripped out of RTB requests, you might wonder?

It wouldn’t mean an end to being able to target ads online. Contextual targeting doesn’t require personal data — and has been used successfully by the likes of non-tracking search engine DuckDuckGo for years (and profitably so). It would just mean an end to the really creepy, stalkerish stuff. The stuff consumers hate — which also serves up horribly damaging societal effects, given that the mass profiling of internet users enables push-button discrimination and exploitation of the vulnerable at vast scale.

Microtargeted ads are also, as we now know all too well, a pre-greased electronic conduit for attacks on democracy and society — enabling the spread of malicious disinformation.

The societal stakes couldn’t be higher. Yet the ICO appears content to keep calm and let the adtech industry carry on — no enforcement, just biannual reminders of “concerns” about “lawfulness.”

To wit: “We have significant concerns about the lawfulness of the processing of special category data which we’ve seen in the industry, and the lack of explicit consent for that processing,” as McDougall admits in the post.

“We also have concerns about whether reliance on contractual clauses to justify onward data sharing is sufficient to comply with the law. We have not seen case studies that appear to adequately justify this.”

Set tone to: “Oopsy.”

The title of the ICO’s blog post — Adtech and the data protection debate – where next? — also incorporates contradictory framing as if to imply there is “debate” as to whether the industry needs to comply with data protection law. (Given the ICO’s own findings of “concern” that framing is itself concerning.)

So what can the adtech industry expect the ICO to actually do if it continues to fail to embed a “privacy by design approach in its use of RTB” (another of the blog post’s big suggestions) — and therefore keeps on, er, breaking the law?

Well, the ICO plans to make like a sponge over the “coming weeks,” per McDougall, who says it will spend time “absorbing all the information gathered and the rich conversations we’ve had throughout the year” and then shift into first gear — where it will be “evaluating all of the options available to us.”

No rush, eh.

A “further update” will then be put out in “early 2020” which will set out the ICO’s position — third time lucky perhaps?!

This update, we are informed, will also include “any action we’re taking.” So possibly still nothing, then.

“The future of RTB is both in the balance and in the hands of all the organisations involved,” McDougall writes — as if regulatory enforcement requires industry buy-in.

U.K. taxpayers should be forgiven for wondering what exactly their data protection regulator is for at this point. Hopefully they’ll find out in a few months’ time.