ICO News

25 Nov 2021

ICO calls on Google and other companies to eliminate existing privacy risks posed by adtech industry

The Information Commissioner’s Office (ICO) has today set out clear data protection standards that companies must meet to safeguard people’s privacy online when developing new advertising technologies (adtech).

The privacy standards published in a Commissioner’s Opinion come as a warning to companies that are designing new methods of online advertising, that they must comply with data protection law and stop the excessive collection and use of people’s data.

Currently, one of the most significant proposals in the online advertising space is the Google Privacy Sandbox, which aims to replace the use of third party cookies with alternative technologies that still enable targeted digital advertising.

The ICO has been working with the Competition and Markets Authority (CMA) to review how Google’s plans will safeguard people’s personal data while, at the same time, supporting the CMA’s mission of ensuring competition in digital markets.

Other industry players have also been developing different initiatives so people’s preferences are taken into account. We welcome proposals that respect people’s privacy rights and can demonstrate how they comply with the law. The Commissioner’s Opinion provides clear data protection expectations for any developers in this area.

Information Commissioner Elizabeth Denham said:

“Digital advertising is a complex ecosystem that grew quickly with the e-commerce boom and without people’s privacy in mind.

“What we found during our ongoing adtech work is that companies are collecting and sharing a person’s information with hundreds, if not thousands of companies, about what that person is doing and looking at online in order to show targeted ads or content. Most of the time, individuals are not aware that this is happening or have not given their explicit consent. This must change.

“That is why we want to influence current and future commercial proposals on methods for online advertising early on, so that the changes made are not just window dressing, but actually give people meaningful control over their personal data.”

The Opinion makes it clear that companies designing new digital advertising technologies should offer people the ability to receive ads without tracking, profiling or targeting based on excessive collection of personal information. Where people choose to share their data, all companies within the adtech supply chain must ensure there is meaningful accountability, and give people control over their data and the ability to exercise their information rights.

Additionally, companies should be able to justify that the use of personal data for online advertising is fair, necessary and proportionate, as well as be clear with people about how and why their information is being used.

Ms Denham said:

“I am looking for solutions that eliminate intrusive online tracking and profiling practices, and give people meaningful choice over the use of their personal data. My office will not accept proposals based on underlying adtech concepts that replicate or seek to maintain the status quo.”

The ICO began intervening in the adtech industry in 2019, when we identified key privacy issues on real time bidding and on the use of cookies and similar technologies. We asked the industry to assess how they used personal data and to start changing their practices. Since then, companies have been developing solutions to address our concerns and are moving towards less intrusive tracking practices. The Opinion published today will help companies shape their proposals.

The ICO will continue to work with organisations, industry bodies and other regulators to ensure that the use of personal data for online advertising is lawful.

Contact Information

ICO Press Office
Information Commissioner's Office

Notes to editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
  4. The DPA2018 and UK GDPR gave the ICO new strengthened powers.
  5. The data protection principles in the UK GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
  6. To report a concern to the ICO, go to org.uk/concerns.