ORG response to ICO call for views on our approach to regulating online advertising

6 Targeting

What features within targeting are the minimum requirements for a commercially viable advertising model, and why?:

Commercial viability of targeting practices is not a static definition, but is ultimately determined by what practices are tolerated and allowed to be offered withing the online advertising market.

With this in mind, real-time-bidding and behavioural advertising are currently underscored by a free-for-all model where, once consent is given (and oftentimes, even when it’s not) adtech intermediaries process, share and repurpose this data at will. This is illegal under the UK GDPR, which requires data not to be processed beyond the specific, granular purpose for which consent was given.

It follows that the true value and commercial viability of advertising practices cannot be measured, insofar prices are distorted and the market is impacted by the unfair competition of non-compliant advertising practices. In turn, any serious assessment regarding the extent necessary of employing targeting features to attain a “commercially viable advertising model” should be preceded by an effective regulatory sweep to remove illegal advertising from the market, and restore a level playing-field for law-abiding businesses.

7 How significant are the changes in ICO regulatory posture towards PECR regulation 6 consent requirements that would be required to enable delivery of a commercially viable advertising model?

Change needed – Targeting: No change

Please explain your answer:

Firstly, the ability to target individuals based on personal data is the main enabler of harms, discrimination and predatory practices that plague online advertising. Targeting based on personal data exposes women to unjust prosecutions for their attempt to exercise reproductive health rights; problem gamblers to being targeted with gambling ads that are meant to exploit their addiction; anyone to be excluded on the basis of their gender, sexual preferences, ethnicity or other sensitive characteristics; children and those in a more vulnerable status to be targeted and taken advantage of.

These are not unfortunate outcomes, but inherent to the technolopgy being used: behaviour is the only personal data that can be observed and captured by storage and access technologies; however, behaviour is never a reliable proxy for an individuals’ characteristics, preferences or inner desires, but is a reliable mean to identify addiction, health statuses and other syndromes—all of which are, indeed, recognisable by “typical”, “compulsive” behaviours and clearly discernible patterns of behaviour. A system that is inherently bad at guessing your commercial preferences but inherently good at identifying weak spots that can be exploited does, not surprisingly, serve the purpose of exploiting individuals better than it does serve the purpose of delivering legitimate advertising. Advertising systems that target individuals on the basis of personal data should never be considered low-risk or exempted from consent requirements.

For the avoidance of the doubt, contextual advertising may not be considered as targeting on the basis of personal data, insofar targeting is based purely on the context of the website where the ad is being shown. The inclusion of information that either directly or indirectly relates to an individual—for instance, where the IP address was used to guess the geolocation of an individual— should never be considered contextual and thus be treated as targeted advertising.

Finally, we would draw attention to the fact that the call for views includes the following statement:
“We will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation.”

Therefore, we consider a relaxation of consent requirement for ad targeting based on any amount of personal data to be outside of the scope of this call for view, and we expect the ICO to honour this statement.

Impacts of our approach

8 How far do you agree that the approach outlined in our call for views can identify commercially viable solutions that can also safeguard people’s privacy and improve user experience?

Strongly disagree

Please explain your answer::

As mentioned in response to question 6, tolerance toward non-compliant advertising practices prevent a meaningful measurement of the true value and commercial viability of advertising practices “that can also safeguard people’s privacy and improve user experience”.

Adding to those considerations, the approach of the call for views turns the relationships between commercial viability and “safeguarding people’s privacy and improving user experience” on its head: it is for advertising market players to commercialise their services withing the boundaries and in compliance with the norms that have been established by legislation. The UK GDPR and PECR already require advertising to be done in a manner that safeguards privacy and our agency. The role of the ICO is to enforce these boundaries, not to adapt them to meet the needs of non-compliant advertising firms.

Finally, it is worth underscoring that, in the event of exemptions to cookie consent requirements being adopted, “safeguarding people’s privacy” would ultimately depend on the limits and safeguards in place that underpins those exemptions. The call for views provides some, welcome clarifications over what will not be exempted, but does not at any point clarify what practices may or are being considered to be covered by those exemptions. This does not allow to appreciate the approach, and if and in which manner the ICO is managing to “safeguard people’s privacy” while conducting this call for views.

10 Would you anticipate any of the following negative impacts if any of the capabilities referenced were permitted without PECR consent in circumstances where the ICO considers them to be low risk to people? Please select all that apply:

Increased risk of privacy harm

Please provide any evidence on the likely scale of these negative impacts:

This questionnaire give adtech providers ample freedom to argue in favour of removing consent requirements for a range of purposes, as listed in questions 1-6. From the perspective of civil society and independent experts, instead, the call for views does not provide any proposal whose impact on people’s privacy can be commented upon. Further, the call for views allows industry players to keep their responses as confidential, which could prevent evidence in favour of deregulation to be scrutinised publicly.

Notwithstanding that the “scale of these negative impacts“ can only be measured when a proposal will be presented, it is clear that the design of this call for views presents a very high likelihood to over-represent the views of the adtech industry and, in turn, to underweight the increased risk of privacy harm that could result.

Technical safeguards

12 Are you aware of any technical safeguards to reduce data protection and privacy risks of storage and access of information for the advertising purposes listed above?

Giving legal enforceability to technical signals would allow individuals to express consent for online advertising targeting via browser settings and communicate them persistently as they browse the Internet, thus ensuring that meaningful choices can be made and communicated to adtech providers. This solution would also constitute an effective way to allow individuals to object and opt-out of processing, thus ensuring that they retain choice and agency in an opt-out model of online advertising. Finally, such a system could also be relied upon by parents to set consent preferences via parental controls and thus protect their kids from online tracking.

According to Schedule 12(2) of the Data (Use and Access) Act:

(3) […] the means by which the subscriber or user may signify consent include—
10(a) amending or setting controls on the internet browser which the subscriber or user uses; (b) using another application or programme.

Therefore, powers to amend exemptions to Regulation 6 PECR could be used to give legal enforceability to technical signals.

22 We may wish to contact you for further information on your responses. If you are happy to be contacted, please provide your name and an email address below.

Please provide your name: Mariano delli Santi

Please provide your email address: mariano@openrightsgroup.org