It's been well over two years since the UK's data protection watchdog warned the behavioural advertising industry it's wildly out of control.
The ICO hasn't done anything to stop the systematic unlawfulness of the tracking and targeting industry abusing Internet users' personal data to try to manipulate their attention -- not in terms of actually enforcing the law against offenders and stopping what digital rights campaigners have described as the biggest data breach in history.
Indeed, it's being sued over inaction against real-time-bidding's misuse of personal data by complainants who filed a petition on the issue all the way back in September 2018.
But today the UK's (outgoing) information commissioner, Elizabeth Denham, published an opinion -- in which she warns the industry that its old unlawful tricks simply won't do in the future.
New methods of advertising must be compliant with a set of what she describes as "clear data protection standards" in order to safeguard people’s privacy online, she writes.
Among the data protection and privacy "expectations" Denham suggests she wants to see from the next wave of online ad technologies are:
• engineer data protection requirements by default into the design of the initiative;
• offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data;
• be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing;
• articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful and transparent;
• address existing privacy risks and mitigate any new privacy risks that their proposal introduces.
Denham says the goal of the opinion is to provide "further regulatory clarity" as new ad technologies are developed, further specifying that she welcomes efforts that propose to:
• move away from the current methods of online tracking and profiling practices;
• improve transparency for individuals and organisations;
• reduce existing frictions in the online experience;
• provide individuals with meaningful control and choice over the processing of device information and personal data;
• ensure valid consent is obtained where required;
• ensure there is demonstrable accountability across the supply chain.
The timing of the opinion is interesting -- given an impending decision by Belgium's data protection agency on a flagship ad industry consent gathering tool. (And current UK data protection rules share the same foundation as the rest of the EU, as the country transposed the General Data Protection Regulation into national law prior to Brexit.)
Earlier this month the IAB Europe warned that it expects to be found in breach of the EU's General Data Protection Regulation, and that its so-called 'transparency and consent' framework (TCF) hasn't managed to achieve either of the things claimed on the tin.
But this is also just the latest 'reform' missive from the ICO to rule-breaking adtech.
And Denham is merely restating requirements that are derived from standards that already exist in UK law -- and wouldn't need reiterating had her office actually enforced the law against adtech breache(r)s. But this is the regulatory dance she has preferred.
This latest ICO salvo looks more like an attempt by the outgoing commissioner to claim credit for wider industry shifts as she prepares to leave office -- such as Google's slow-mo shift toward phasing out support for third party cookies (aka, its 'Privacy Sandbox' proposal, which is actually a response to evolving web standards such as competing browsers baking in privacy protections; rising consumer concern about online tracking and data breaches; and a big rise in attention on digital matters from lawmakers) -- than it is about actually moving the needle on unlawful tracking.
If Denham wanted to do that she could have taken actual enforcement action long ago.
Instead the ICO has opted for -- at best -- a partial commentary on embedded adtech's systematic compliance problem. And, essentially, to stand by as the breach continues; and wait/hope for future compliance.
This, from the UK ICO, is good.
(However, ICO enforcement would convince the industry far more effectively than today's restating of data protection principles that have applied for 17 years). https://t.co/zZKVGRPpKF
— Johnny Ryan (@johnnyryan) November 25, 2021
Change may be coming regardless of regulatory inaction, however.
And, notably, Google's 'Privacy Sandbox' proposal (which claims 'privacy safe' ad targeting of cohorts of users, rather than microtargeting of individual web users) gets a significant call-out in the ICO's remarks -- with Denham's office writing in a press release: "Currently, one of the most significant proposals in the online advertising space is the Google Privacy Sandbox, which aims to replace the use of third party cookies with alternative technologies that still enable targeted digital advertising."
The opinion heavily references @w3c work, also the "Self-Review Questionnaire: Security and Privacy" which I had the honor to maintain :) It is me who included the recommendation to make a "privacy impact assessment". So, very happy, and very good!
— Lukasz Olejnik (@lukOlejnik) November 25, 2021
"The ICO has been working with the Competition and Markets Authority (CMA) to review how Google’s plans will safeguard people’s personal data while, at the same time, supporting the CMA’s mission of ensuring competition in digital markets," the ICO goes on, giving a nod to ongoing regulatory oversight, led by the UK's competition watchdog, which has the power to prevent Google's Privacy Sandbox ever being implemented -- and therefore to stop Google phasing out support for tracking cookies in Chrome -- if the CMA decides the tech giant can't do it in a way that meets competition and privacy criteria.
So this reference is also a nod to a dilution of the ICO's own regulatory influence in a core adtech-related arena -- one that's of market-reforming scale and import.
The backstory here is that the UK government has been working on a competition reform that will bring in bespoke rules for platform giants considered to have 'strategic market status' (and therefore the power to damage digital competition); with a dedicated Digital Markets Unit already established and up and running within the CMA to lead the work (but which is still pending being empowered by incoming UK legislation).
So the question of what happens to 'old school' regulatory silos (and narrowly-focused regulatory specialisms) is a key one for our data-driven digital era.
Increased cooperation between regulators like the ICO and the CMA may give way to oversight that's even more converged or even merged -- to ensure powerful digital technologies don't fall between regulatory cracks -- and therefore that the ball isn't so spectacularly dropped on vital issues like ad tracking in the future.
Intersectional digital oversight FTW?
As for the ICO itself, there is a further sizeable caveat in that Denham is not only on the way out (ergo her "opinion" naturally has a short shelf life) but the UK government is busy consulting on 'reforms' to the UK's data protection rules.
Said reforms could see a major downgrading of domestic privacy and data protections; and even legitimize abusive ad tracking -- if ministers, who seem more interested in vacuous soundbites (about removing barriers to "innovation"), end up ditching legal requirements to ask Internet users for consent to do stuff like track and profile them in the first place, per some of the proposals.
So the UK's next information commissioner, John Edwards, may have a very different set of 'data rules' to apply.
And -- if that's the case -- Denham will, in her roundabout way, have helped make sliding standards happen.