Mission Impossible? ICO gives adtech six months to sort it out

Published on Tuesday, June 25, 2019 - 18:43 by Camilla Winlo

The ICO has issued its update report into adtech and real time bidding (RTB) and the message is clear: you lot are too clever for your own good.

In many ways, RTB is really, truly brilliant. It is a type of programmatic advertising that promises to help organisations maximise their marketing budgets and reduce the number of irrelevant adverts people see as they browse the internet.

In the time it takes for a page to load, an advertiser can identify a qualified target, make a winning bid for space and place their advert. It’s almost magical – especially for those of us who are old enough to remember what the internet was like when it first took off in the 1990s.

This is a huge industry.

A 2017 report by IHS Markit[1] found that “86% of programmatic advertising in Europe uses behavioural data” and “behavioural data is also used by 24% of non-programmatic advertising”.

“In 2016, 90% of the digital display advertising market growth came from formats and processes that use behavioural data”. A 2019 report estimates that by 2020, behavioural targeting will inform €21.4bn of advertising spend[2].

The ICO makes it clear that it has no issue with RTB and adtech in principle. They “understand that advertisements fund much of what we enjoy online” and there is a need for a system “that allows revenue for publishers and audiences for advertisers” along with a need “for the process to happen in a heartbeat.”

But, there are problems.

If you’re not in digital marketing, the chances are you have no idea that any of this is happening – what the ICO calls ‘invisible processing’ – or how it all works.

The decisions around who is a qualified target and what is a relevant advert are made with relatively little control from either the advertiser or the data subject. The decisions are made on the basis of audience profiling – and these profiles are likely to be pretty ropey.

A 2017 Deloitte survey showed that, in over two thirds of cases, the data held by data brokers is less than 50% correct overall.[3]

And so far, research shows that when you start explaining all this to data subjects, they don’t like it. Which? research found that 81% of consumers would be concerned if organisations are selling anonymised data about them to third parties and “significant proportions” were concerned about the possibility of organisations inferring information that they did not wish to share. “Overall, however, it was felt that targeted adverts and recommendations were innocuous, and if a person didn’t like them, they could just be ignored.” [4]

Against this backdrop, it makes sense that the ICO is particularly concerned around failures with transparency and consent.

Examples of particular challenges cited in the ICO’s update report include:

  • “Identifying a lawful basis for the processing of personal data in RTB remains challenging, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient in respect of data protection law requirements;
  • The privacy notices provided to individuals lack clarity and do not give them full visibility of what happens to their data;
  • The scale of the creation and sharing of personal data profiles in RTB appears disproportionate, intrusive and unfair, particularly when in many cases data subjects are unaware that this processing is taking place; and
  • It is unclear whether RTB participants have fully established what data needs to be processed in order to achieve the intended outcome of targeted advertising to individuals. The complex nature of the ecosystem means that in our view participants are engaging with it without fully understanding the privacy and ethical issues involved.”[5]

The ICO is also concerned about the data supply chain, and the “reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.”[6]

It is essential that the adtech market engages with its regulatory requirements to protect revenue. The 2019 Marotta et al report estimates that regulatory action in respect of GDPR and ePrivacy could have significant impacts on advertising spend, and the best way to protect against that is to plan for it and ensure it is designed into all processes.


So, what action should organisations take today to prepare themselves for the ICO’s next review of adtech in six months’ time?


First, publishers should consider whether the risks of knowingly operating in a non-compliant space are worth it. The 2019 Marotta et al research found that “when a user’s cookie is available, publishers’ revenue increases by only about 4%. This corresponds to an average increase of $0.00008 per advertisement”[8]. We would recommend publishers review the relative difference between advertising revenues to audiences who allow marketing and advertising cookies and to those that do not. Completing a data protection impact assessment (DPIA) would help establish whether the risks are justified for your organisation.  

Second, publishers should review the effectiveness of their privacy policies and of the information provided when asking for consent to marketing and advertising cookies, and consider how well they are currently explaining how RTB and adtech work on their website.

Data supply chain

The ICO has outlined some key actions for data brokers, adtech suppliers and other intermediaries.

First, organisations should consider training their development, innovation and privacy teams in Data Protection by Design and Default to ensure that the requirements and obligations facing them are fully understood.

Second, organisations should consider carrying out third party audits to assure compliance with the terms of their contracts in respect of data sharing and data protection.

Third, organisations should ensure they have a documented lawful basis for their processing, supported by evidence such as a contract, consent statement or legitimate interest assessment. It would also be advisable to ensure that data protection impact assessments (DPIAs) have been completed wherever necessary and that a plan is in place to address any actions arising from them. Based on the report, likely actions will include steps to ensure that the principles of purpose limitation and data minimisation are respected.

Fourth, the supply chain has a key role in ensuring that publishers are able to communicate effectively with data subjects. Organisations should consider what information they should provide to publishers in order to support them to do this.


Advertisers should also consider whether the risks of knowingly participating in a non-compliant market are justified, and how they can operate in a way that protects the rights and freedoms of those they target.

First, advertisers should work with their adtech intermediaries to ensure they understand the “privacy and ethical issues” involved.

Second, they should update their privacy notices to accurately describe how information is collected by marketing and advertising cookies and other methods and how this information is used to identify individuals and target them with advertising.

Third, they should carry out third party assessments of their data supply chains to ensure that data is being used and protected as they expect and intend.

The critical thing for all parties involved in RTB and adtech is to ensure that what you do is designed to deliver confidence. Protecting the future potential of the adtech industry means publishers need to ensure that data subjects are confident to allow marketing and advertising cookies to be placed on their devices; that adtech ensures that publishers are confident to allow RTB advertising on their platforms; and that advertisers are confident that they can reach their target markets in a way that is compliant and aligned to their organisational values and objectives.
