ICO adtech update: what steps should you take?

February 2021

What should advertisers & other players in the adtech eco-system be doing?

In late January, the ICO announced it was re-starting its investigations into real time bidding (RTB) and the adtech industry. Work had been paused in May 2020 whilst the ICO prioritised other activities relating to the response to the Covid pandemic.

The ICO’s investigations started in 2019 when it highlighted a number of concerns about the ways in which personal data was processed as part of delivering advertising using Real Time Bidding (RTB).

As background for the uninitiated, the majority of digital advertising is delivered programmatically (through automation) via a variety of methods including RTB.

RTB is defined as the delivery of programmatic advertising by a real-time auction method. To support this process, there is a myriad of technology solution (adtech) providers who enable advertisers to identify and target recipients of advertising delivered in real time.

The ICO’s interests cover the following areas:

  • Methods for gaining consent are not transparent
  • Opportunities to use legitimate interest are limited
  • Special category data requires explicit consent for processing
  • Widespread profiling is disproportionate and intrusive
  • Solely relying on contracts for assurance is insufficient
  • Lack of adequately developed DPIAs is a concern
  • Appropriate and responsible data protection practices are crucial
  • Queried whether data processing achieves the advertising outcome
  • Collaboration with key players, such as Google and IAB Europe, is encouraged

On announcing the resumption of its investigations, the ICO says:

“Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.

Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.”

Over the coming months, the ICO says it plans to:

  • Conduct a series of audits focusing on digital market platforms
  • Issue assessment notices to specific companies
  • Review the role of data brokers in the adtech eco-system

The statement concludes by saying, even if you don’t hear much from the ICO, the investigations will be concluded, and findings published. You have been warned!

So, as an advertiser or a provider in adtech what should you do?

In May 2020, a guide was launched by DMA and ISBA for marketers and advertisers to help navigate through the complexity of handling personal data in adtech.

The guide, written in collaboration with the DPN and PwC UK, aims to support UK businesses actively engaged in the programmatic delivery of digital advertising to ensure they protect the rights of data subjects.

This guide consists of seven practical steps you should take:

  1. Education and understanding – do you have a good understanding about how adtech works? The guide provides a comprehensive introduction to cookies and programmatic advertising with a detailed glossary of terms.
  2. Special Category Data – special care needs to be taken with personal data relating to matters such as health, sexual orientation or political views. This can often be, perhaps unintentionally, derived from the data you have.
  3. Understanding the data journey – a key challenge is tracking how data is captured and who in the eco-system processes it. The ICO would expect you to know this and the guide provides methods and tools that would help.
  4. Conduct a DPIA (Data Protection Impact Assessment) – the ICO noted the limited use of DPIAs in adtech. If you haven’t done it already, this step is recommended and can help you to identify and mitigate risks. This section explains what it is, when to use it as well as pointers to what questions to ask.
  5. Audit the supply chain – the ICO has highlighted you cannot rely on contracts to provide assurance around the use of personal data. Although audit checklists are unique to your organisation, the guide provides checklists and questions which will help when auditing suppliers.
  6. Measure advertising effectiveness – the ICO have queried whether it’s necessary to use all the data collected through adtech platforms. How have you interrogated advertising effectiveness and is your approach proportionate? This section provides a variety of reference materials for improving those insights into advertising effectiveness.
  7. Alternatives to third party cookies – what does a post third-party cookie world look like? The guide considers alternative methods for targeting including the adoption of contextual advertising and the solutions provided in the Google Privacy Sandbox. Targeting can be less intrusive and can be just as effective.

The guidance has a wide range of checklists and examples to support you. Now is a good time to review progress and consider what additional measures should be put in place to address the ICO’s concerns.

The full 7 Step Ad Tech Guide can be found on the DMA website.


Do you need support with privacy and adtech? Are you wondering how to fill the gap that will be left by third party cookies? Are your cookie notices up to date and compliant? The DPN team can work with you on individual projects or through our Privacy Manager service. If you’d like a chat about how we can support you, get in touch.