November 20, 2019 | Amy Shepherd & Mike Morel

The AdTech showdown is coming but will the ICO bite?

The 2018 General Data Protection Regulation (GDPR) was meant to be a Good Thing - a strong law that would make businesses act responsibly and give ordinary people control over our personal data. But it's been around for more than a year now and we're still being stalked online by creepy ads that seem to follow us around the web and know exactly what we're thinking and doing. So how, exactly, has anything been made better?

Looking at the scale at which online companies grab and hoard our private information, it might be thought that GDPR just gives corporate data thieves a thin veneer of legitimacy. How else to explain the advertising technology (AdTech) industry’s continued use of the same user profiling methods employed by the likes of Cambridge Analytica? 

Is GDPR a joke, or can it break AdTech’s vice grip on our personal data? The jury is out, but a verdict is coming.

In September last year, Open Rights Group’s Executive Director, Jim Killock, complained to the UK's Information Commissioner's Office (ICO) against the seismic unlawfulness of AdTech’s ubiquitous real time bidding (RTB) systems. This complaint was made together with Dr. Johnny Ryan of the privacy-focused web browser Brave and Dr. Michael Veale, Lecturer at University College London. Since then, we've worked with a network of privacy activists to spread the complaint to data protection authorities across the EU. 

This is the biggest GDPR complaint so far, and might be the biggest that ever happens.

RTB systems are used virtually everywhere on the Internet to show personalised ads. They broadcast intimate personal data - including everything we've been looking at or searching for online, our exact GPS location coordinates and indicators about our religion, sexuality and ethnicity - billions (yes billions) of times every day to legions of data companies that keep and use this data whether they enter the bid to serve an ad or not.

GDPR gives us the right to demand that companies tell us everything they know about us and delete our data on request. How is that even remotely possible when endless RTB bid requests routinely blast our data out to hundreds of faceless entities? RTB makes GDPR look like a sham.

The ICO offered a glimmer of hope in June this year when it agreed that RTB as currently configured is indeed unlawful under GDPR. Disappointingly, however, despite having the power to issue staggering fines for GDPR violations, the ICO instead gave the industry time to clean up their act while they continue to investigate further.

So what has the industry done with the time? Almost precisely nothing. Google this week announced that it will take a tiny amount of content data out of its bid requests. It heralded this as a big step forward in protecting privacy, but in fact the change does nothing extra to protect individuals, since the vast quantities of other information broadcast continue to be able to identify, profile and target people with stunning invasiveness. 

Tokenistic though it is, however, perhaps this change could still be a sign that RTB players are starting to recognise the status quo is no longer sustainable. 

The ICO said in June that they would review RTB in six months' time. That deadline is coming up fast and the world is watching. It’s the moment of truth not just for GDPR but for the ICO as well. While the Irish Data Protection Commission remains underfunded, the ICO has been adding hundreds of staff, signalling an intent to get serious about enforcement.

What will the ICO do? We don't know. But the AdTech showdown will tell us whether their bark is worse than their bite.