Skip to main content

The Information Commissioner’s Officer (ICO), the UK regulator for data protection, is giving 6 months to adtech companies for adjusting the process of data sharing in real time biding (RTB), programmatic advertising.

The analysis from ICO shows that sensitive personal information is shared by some advertising players, without securing approval by users, and with few appropriate security mechanisms.

Advertising online is often allocated in a few milliseconds matching out multiple campaigns with the most relevant targeted users (the highest bid gets to show the advertising to the targeted users). In this bidding process, the details of the user profile are shared across the bidders.

This is a very big part of the advertising market for the UK. Bill Fisher, the senior analyst at eMarketer calculates that in 2019, RTB will account for 5.69 billion GBP ( $ 7.59 billion), almost 90% of online advertising is programmatic media.

The first comment from ICO regards the “special category” of data. This is a category of data that touches sensitive information such as political views, health information, sexual orientation. According to the data protection law special category data requires a specific authorisation from the user itself to be collected and shared. Often data is shared across hundreds of companies for one single request.

In practice, this is not a common event. The adtech platforms that we have reached have all confirmed that they are already compliant with GDPR regulation: they do not offer these categories.  Hence, problem seems to be limited  – after all not many advertising campaigns would even require this type of information. However, the fact that some are not following the rules is cause of concern: no exchange of data should be present, no matter how limited the campaigns or how few these bad players might be. A few bad players might spoil the consumer trust in the entire medium.

The second part of ICO’s complaint regards the methods used to secure and store this data across the different parties. ICO will work with the industry over the next six months to guide the process. These would be an important clarifications on the what is to be considered a secure connection in the UK market.

However, it brings an important concern to the attention of the industry. After the unregulated global Internet of the early 2000s, are we now  going to see fragmentation of processes and requirements across each country and region? This would be detrimental to the development: international harmonisation of requirements will provide a consistent, easy to monitor, plain field. An international and consistent approach is required.

The regulator has pointed out that these two issues, might be followed by other requests. RTB is under close scrutiny, and it is not just the UK that is looking at RTB. The Irish data protection watchdog is also opening an inquiry into Google display advertising practice.

The topic is also under investigation in another 11 other countries including Belgium, Luxembourg, the Netherlands, Poland  and Spain. The following months will important for designing the future shape of adtech across Europe.

MEF is collating views form the personal data ecosystem participant in our Personal Data Program regarding this topic, reach In addition, our Global Tracking on Consumer Trust  and our GDPR implication for the TMT markets will see an update later in the year. Join the debate now.

Dario Betti