November 25, 2021
ICO Issues Opinion on Data Protection Expectations for AdTech Proposals
On November 25, 2021, the UK Information Commissioner’s Office (ICO) released its opinion on Data Protection and Privacy Expectations for Online Advertising Proposals. The opinion sets out standards for the protection of personal data when developing new online advertising technologies and is in line with the work that the ICO has been undertaking alongside the Competition and Markets Authority (CMA).
Speaking on the opinion, Elizabeth Denham, UK Information Commissioner, said: “What we found during our ongoing AdTech work is that companies are collecting and sharing a person’s information with hundreds, if not thousands of companies, about what that person is doing and looking at online in order to show targeted ads or content. Most of the time, individuals are not aware that this is happening or have not given their explicit consent. This must change. That is why we want to influence current and future commercial proposals on methods for online advertising early on, so that the changes made are not just window dressing, but actually give people meaningful control over their personal data.”
The opinion issued by the ICO provides guidance to players in the AdTech market on how they can demonstrate the application of data protection by design and by default. The opinion also calls for organizations to bring forward their proposals addressing the data protection risks associated with existing approaches to online advertising technology, as outlined by the ICO in their 2019 report.
What Does the ICO Opinion Say?
The ICO’s opinion sets out several aims for regulating the use of personal data in the AdTech space and provides areas of data protection that it expects organizations to consider in proposals for new online advertising technologies. Furthermore, the ICO includes advice for developers to evaluate their approaches against the expectations of the ICO and reinforces the need to address the issues observed in the ICO’s 2019 report.
Some of the key initiatives highlighted by the ICO include creating a transparent and user-centric approach to building new advertising technologies that empower individuals. Additionally, the ICO is working towards addressing the imbalance of power between individuals and key organizations in the AdTech space through their work with other data protection authorities from the G7.
What are the Data Protection Expectations in the ICO’s Guidance?
The ICO guidance recognizes that plans such as Google’s Privacy Sandbox are still in their infancy and that this presents an opportunity to embed correct and legally compliant approaches to the development of these technologies. As a result, the ICO has developed several data protection expectations that it requires organizations to address in their proposals. According to the ICO, “new initiatives must address the risks that AdTech poses and take account of data protection requirements from the outset. Any proposal that has the effect of maintaining or replicating existing tracking practices (such as those described in the 2019 Report) is not an acceptable response to the significant data protection risks that the Commissioner has already described.”
The ICO highlighted that the following data protection expectations must be met by new initiatives in the AdTech space and proposals on new online advertising technologies:
- Data protection by design: Implement data protection by default and by design into the fabric of the initiative
- User choice: Offer users the choice of receiving advertisements without tracking, profiling, or targeting based on their personal data
- Accountability: New initiatives must be transparent about how and why personal data is being processed and who is responsible for that processing
- Purpose: Make the specific purposes for processing personal data easily available and demonstrate how the processing scenario is fair, lawful, and transparent
- Reduce harm: Address existing privacy risks and mitigate any new privacy risks that the proposal introduces
Recommendations & Next Steps
According to the ICO, the above principles should be considered holistically. It also outlined recommendations that aim to provide further guidance, including:
- Demonstrating and explaining the design choices
- Being fair and transparent about the benefits
- Minimizing data collection and further processing
- Protecting users and giving them meaningful control
- Evaluating necessity and proportionality
- Assessing lawfulness, risk assessments, and information rights
- Processing special category data
The ICO states: “Ultimately, new online advertising proposals should improve trust and confidence in the digital economy, instead of weakening it. Solutions should be privacy respectful while ensuring they give due consideration to other relevant laws
In conclusion, the ICO has said that it welcomes proposals from within the AdTech space to remove the use of intrusive technologies that increase risks to individuals, and that it recognizes the efforts already underway to address the data protection issues within cookies and similar technologies.
Further reading on the ICO opinion on AdTech proposals:
- ICO Press Release: ICO calls on Google and other companies to eliminate existing privacy risks posed by adtech industry
- ICO Opinion: Data protection and privacy expectations for online advertising proposals
- ICO News: G7 data protection and privacy authorities’ meeting: communiqué