A quick background: When the EU GDPR came into force, many thought its rules on processing personal data would put a sizeable dent in the adtech industry's playbook. But in response to concerns, IAB Europe, the adtech industry's membership group, has firmly held to the argument that its practices comply with the EU GDPR. It built a framework, crafted by its industry members, to help all parties in the digital advertising chain ensure legal compliance.
But in 2019, U.K. privacy regulator Elizabeth Denham released a report that the adtech sector's use of personal data was a real big problem. She said if the industry didn't address issues like getting explicit consent to process sensitive data or provide clarity in privacy notices, it would face investigations and enforcement action.
It's a minute since then, and there have been plenty of headlines crying out: Where's that enforcement, Denham?
Last week, Denham spoke up again by releasing an "opinion," which media outlets are calling a "warning.”
She said, "Digital advertising is a complex ecosystem that grew quickly with the e-commerce boom and without people's privacy in mind. What we found during our ongoing adtech work is that companies are collecting and sharing a person's information with hundreds, if not thousands of companies, about what that person is doing and looking at online in order to show targeted ads or content. Most of the time, individuals are not aware that this is happening or have not given their explicit consent. This must change."
Let’s just level set for a second on what the actual problem is. Adtech is the term for the tools and software advertisers use to sell digital advertising to consumers. When you visit a website and see an ad that's relevant to you, that's because that website sent a signal to some advertisers that your eyeballs were up for grabs. There was an invisible, digital auction behind the scenes, and a bunch of advertisers bid on the chance to put an ad in front of you. You saw the winner's ad. If you saw an ad for anti-stink spray, it's because you recently spent some time looking for boy's sneakers. (If you want a visual explanation of this convoluted process, this is a good one.)
All of that, called real-time bidding, happens within 100 milliseconds and inside our computers. Consumers know little to nothing about it, unless they've made a painstaking effort to sit down with an expert or your average adtech nerd and have them explain it to you slowly. Because of that, there's not a huge consumer push to regulate the adtech space.
Advocates have been complaining for years that real-time bidding is wildly problematic from a data privacy perspective. Without getting too into the weeds: Within those bidding wars, many parties are privy to the personal data they'd be bidding on, and it's unclear how much of that data gets leaked beyond the transaction.
Between Denham's warning on Nov. 25 and IAB Europe's admission recently that it expects the Belgian data protection authority to deem its TCF framework illegal under the GDPR, it seemed like things were about to shift in the adtech landscape. Maybe earthquake-style?
One second, though: To be clear and super real with y'all, there is way too much money to be made within the current model for it to go away entirely or quietly, no matter the risk to personal data. Companies spent $356 billion on digital advertising in 2020, and digital advertising revenue will amount to about 460 billion in the U.S. by 2023. That’s big money, that’s lots of jobs, that’s lots of kids fed and that’s lots of Christmas presents under the tree. Money matters, and it would be foolish to simply shutter an entire industry before there were workable alternatives. In fact, Google is working on this alternative in its Privacy Sandbox initiative. In addition, everyone enjoys the content they receive by paying with their data. In a perfect world, we’d find a way to serve users relevant ads without undermining their privacy.
We’re not there yet.
And for anyone thinking adtech was about to undergo a total makeover as Denham pointed her finger at the industry, there’s another catch, too. The regulator that's leading the charge, however gingerly, is about to close her laptop and shut out the lights. That is, her term as the U.K.'s privacy authority is over. New Zealand's data privacy authority, John Edwards, will take her place on Jan. 3. Edwards has been vocal about his beef with Facebook, and some say that's indicative he'll be a tough regulator on tech. For now, it's impossible to say. In New Zealand, he had weak fining powers until a recent amendment to the country's privacy law. So we can't look at this record.
It's also worth noting that Edwards joins the ICO as the government reviews its role and autonomy under post-Brexit rule. There are murmurs, from Denham herself, that the office's integrity could be undermined if the government decides to take away its independence.
For now, nothing's changed. It's more warnings and lip service. But I think Edwards may come in swinging. He's a fair-minded person with a great sense of humor, so I'm not saying he's going to obliterate the adtech sector for sport. But Edwards is charged with holding powerful companies to task, and advocates are wondering, "Is this new guy up for it?" while adtech stakeholders wonder, “Will he consider our needs to uphold this billion-dollar industry?”
We’re soon to find out.
For now, enjoy this roundup of the big privacy news. See you next week!
After a long pause, UK privacy regulator puts ad tech industry on warning
It's been two years in the making, but the U.K.'s data privacy authority published privacy standards to warn online advertisers they must comply with data protection law and stop collecting user data excessively, according to a press release. "I am looking for solutions that eliminate intrusive online tracking and profiling practices and give people meaningful choice over the use of their personal data." The rules outline what the ICO expects companies to implement.
Biden administration is taking its first steps toward addressing consumer data privacy, Axios reports. That's significant because it could jumpstart stalled Congressional efforts for a federal privacy bill. The National Telecommunication and Information Administration, housed beneath the Department of Commerce, will hold "listening sessions" to examine the way data collection can facilitate discrimination, especially for marginalized communities.
UK privacy regulator fines Clearview AI $22.6M
On Nov. 29, Britain's data privacy authority fined facial recognition company Clearview AI £17 million — $22.6 million — for failing to comply with the country's privacy laws, The New York Times reports. The U.K. Information Commissioner's Office said Clearview failed to inform British residents that it was collecting billions of photos from sites like Facebook, Instagram and LinkedIn to build its facial recognition software.
In a new policy effective immediately, Twitter says it'll remove private photos and videos posted to its platform without a person's consent. It already removes posts that include certain kinds of information, like a person's location or cell phone number. But the update aims to "help curb the misuse of media to harass, intimidate, and reveal the identities of private individuals, which disproportionately impacts women, activists, dissidents and members of minority communities."