Data Privacy

A battle over adtech is finally looming

It has taken longer than many expected, but the battle over adtech – the digital tools and companies that help brands target us with adverts online – is finally looming.

In theory, the introduction of GDPR in May last year was supposed to spell the end of the blizzard of unwanted advertising we all face, as individuals were give vastly more rights over their personal data and how it was used.

But in reality, many companies simply changed tactics, and the trading and use of personal data has continued largely unchecked.

That, however, now seems set to change, with the UK set to become the first to take on the $200bn adtech industry, which is dominated by Google. The UK’s Information Commissioner’s Office (ICO) has made it clear that it has adtech in its sights, and is getting tired of waiting.

Two months ago, it published a damning report which found that the adtech industry, as a whole, is operating illegally. It gave companies until the end of this year to clean up their act, after which it promised to start investigating and fining individual companies who remained in breach of the law.

With only months of that deadline remaining, the regulator’s investigation lead Simon McDougall told the Financial Times that “absolutely nothing has been solved or resolved at this point”, and that the industry has so far given “vague, immature and short answers” when asked about how it safeguards personal information.

He added that the ICO was “digging and digging, [and] we’re still not happy”.

The ICO has two areas of concern – firstly, how online advertisers use so-called “special category” data – which requires explicit consent under GDPR – without permission, processing sensitive details about health, sexuality, religious belief and political views to target ads.

The second is how the adtech industry indiscriminately transfers personal data through an ecosystem of thousands of companies, with no checks on whether consent has been obtained, or oversight on security.

Ultimately, any company found guilty of illegally using personal data could be fined up to four per cent of its global revenue, under GDPR, setting the start for a large-scale showdown next year.