Man with megaphone and technology related icons showing data protection standards for adtech by UK ICO

New Data Protection Standards for Adtech Companies Proposed by UK ICO, But Actual Changes Remain Questionable as Leadership Changes Hands

A new Commissioner’s Opinion issued by the UK’s Information Commissioner’s Office (ICO) reiterates the country’s data protection standards and lays out its vision of future regulation plans for adtech companies, calling for solutions that are more privacy-focused and worthy of user trust.

The actual impact of this opinion on the country’s data protection standards is questionable given that it does not clearly indicate any new regulations for adtech; it simply implies that previously lax enforcement by ICO may be stepped up. This could depend greatly on the organization’s leadership, however, which is presently in flux. The opinion was issued by Elizabeth Denham, whose term as Information Commissioner comes to an end November 30 and whose replacement does not step in until January 2022.

Information commissioner calls for more robust enforcement of data protection standards

The Commissioner’s Opinion leads off by noting alternative privacy-enhanced systems that adtech companies are building, the main example being Google’s cookieless “Privacy Sandbox” project. The Competition and Markets Authority (CMA) has been tasked with evaluating these various projects and ensure that they meet data protection standards.

The paper lays out some expectations for adtech’s programs. These include engineering in data protection standards by default, full opt-out of advertising for end users, transparency in personal data processing, and anticipation/mitigation of potential new privacy risks created by these new approaches.

It also refers back to some problems enumerated in the 2019 edition of the Commissioner’s Opinion, many of which have yet to be addressed. The report cites the onset of the pandemic as the reason for halting regulatory pursuit of these issues in 2020, but the ICO did wield the Data Protection Act 2018 terms to conduct six audits of adtech firms in 2021. However, the report notes that the outcomes of these audits are “still being assessed.”

The report also notes that the Commissioner’s Opinion does not constitute a pre-approval or binding view of any actions; therefore, it serves as more of a road map for what adtech can expect from future regulatory intentions. What complicates that picture is the imminent end of Denham’s current term (already extended several times), to be replaced by former New Zealand privacy commissioner John Edwards on January 3.

Adtech expected to end personally identifiable ad tracking, but how serious will regulation be?

ICO’s 2019 opinion was also strongly worded and promised tougher enforcement of data protection standards in the immediate future, but translated into little impact to the adtech industry. The agency even faced a lawsuit over closing a 2018 General Data Protection Regulation (GDPR) complaint involving real-time-bidding (RTB) auction systems without issuing a decision.

Given that ICO opted to do little actual enforcement of data protection standards in the wake of publishing the 2019 opinion, there is room to wonder exactly what the purpose of this more recent opinion is. There is the possibility that it is intended more as resume material for Denham than as an actual statement of intent going into 2022.

In addition to the leadership shift for ICO, all of this comes amidst plans to reform data protection standards with a focus on “simplifying” them; critics contend this means weakening them in favor of adtech businesses. The proposal could entirely overhaul ICO itself, and could grant broad exemptions to certain industries (such as health care) that are said to be “beneficial” to citizens. Digital minister Oliver Dowden has also come out against the GDPR-rooted tracking notification pop-ups that are now common on websites, advocating for reducing consent requirements in the name of combating “cookie fatigue.” He has also told the press that he sees “great opportunity” for the UK economy in data mining now that the country is no longer subject to the EU’s GDPR terms.

It remains to be seen what Edwards plans to do, with ICO having a presumably uneventful December before the new commissioner steps into his role. During his time in New Zealand, Edwards became a very public and vociferous opponent of Facebook’s data handling practices in the wake of the 2018 Cambridge Analytica scandal. However, when it comes to actual regulation his record does not have many strong highlights, though to be fair his New Zealand office did not even have the power to issue fines to adtech firms until late 2020. The country settled on a fine cap of NZD 10,000, but Edwards published an opinion calling for it to go up to NZD 1 million in the case of serious breaches of data protection standards. But even if Edwards should remain a staunch crusader for privacy in his new ICO role, he would seem to be in the midst of an entrenched political environment that is leaning in the opposite direction.