IAB UK’s initial response to ICO Report and call to industry to take action
Posted on: Friday 19 July 2019 | by IAB UK
The ICO’s ‘Update report into adtech and real time bidding’ is clear that there are issues that both individual companies and the UK industry collectively need to address in order to meet the standards of the GDPR and ePrivacy legislation.
How IAB UK is responding
IAB UK is working with the ICO, together with IAB Europe, to review how the Transparency and Consent Framework (TCF) can best support companies to comply with the law in the UK. We are also putting plans in place to respond to the other issues identified in the report and will very shortly confirm how we intend to work with and support our members to address them.
What you need to do
In the meantime, there are clear messages in the ICO’s report to any company engaged in RTB and we recommend that you take action now to read and understand the ICO’s recommendations and existing guidance, and how they relate to your data processing activities. Specifically this includes:
Reviewing the legal bases you rely on for data processing, particularly for any data that is subject to PECR, and ensuring you understand their associated requirements. The ICO’s view is that ‘the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (i.e. processing relating to the placing and reading of the cookie and the onward transfer of the bid request).’ There are limited scenarios where legitimate interest may be available, but even in these cases there are specific tests an organisation must meet in order to use it: ‘Reliance on legitimate interests for marketing activities is possible only if organisations don’t need consent under PECR and are also able to show that their use of personal data is proportionate, has a minimal privacy impact, and individuals would not be surprised or likely to object.’
Ensuring you’ve carried out a Data Protection Impact Assessment (DPIA). Under the GDPR provisions relating to DPIAs, the ICO has published a list of types of data processing for which a DPIA is mandatory. This includes the types of processing involved in RTB, such as profiling on a large scale and tracking geolocation or behaviour.
The ICO has a comprehensive range of guidance on its website and the IAB’s GDPR hub contains industry guidance and resources.
The ICO has given the industry the opportunity to make changes to the way in which it operates in order to address its concerns, and to take action to correct any non-compliance that is a result of a lack of understanding or knowledge about GDPR and ePrivacy. They are, however, also very clear that they will not hesitate to take enforcement action if they do not see companies and the wider industry responding appropriately.
It is in all our interests and essential to building a sustainable future for our industry that we take seriously the conclusions of the ICO’s report and demonstrate that we want to be – and are – operating in line with the law that is designed to protect people’s personal data.
Read the press release here.