Posted on

Is the ICO going soft on the ‘out of control’ adtech industry?

On Friday the Information Commissioner’s Office’s lead investigator on real-time bidding, executive director for technology and innovation Simon McDougall, signalled that the body would not bring enforcement action against Google and the Interactive Advertising Bureau. 

The ICO warned it would use its regulatory powers against those in the adtech industry that “ignored the window of opportunity to engage and transform”, but he accepted moves by the IAB to educate the industry on special category data (which contains sensitive information about internet users), and that Google will remove content categories and improve its auditing process. 

This is despite the ICO confirming last November that special category data, which includes information about users such as their sexual orientation or political affiliation, was being directly processed without explicit consent. 

Google and the IAB are responsible for the standards that underpin RTB, the programmatic ad tech market in which ad impressions are sold within nanoseconds based on the data held about web users. Sensitive category data, such as political beliefs and reproductive health, are tracked and broadcast via RTB, but Google and the IAB say these categories are not tracked against individual people. 

The ICO is the UK’s watchdog for Europe’s General Data Protection Regulation and has the power to fine companies up to 4% of their global turnover for serious data breaches. However, such sanctions are normally imposed on individual companies. Taking action against the entire system of open-market bidding for ad impressions is a much larger and complicated undertaking.  

McDougall’s article last week prompted outcry from the privacy experts that lodged complaints about RTB well over a year ago, such as the Brave browser’s chief product officer Johnny Ryan and UCL lecturer Michael Veale, who said: “When an industry is premised and profiting from clear and entrenched illegality that breaches individuals’ fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”

Privately, industry sources have suggested that the ICO has opted for the “middle of the road” option. This is despite industry warnings last May that the regulator would start to show its teeth as the GDPR had then been in force for one year. 

Ryan tells Campaign that the industry has been aware of these issues for years and it is no excuse for the ICO to continue dragging its feet on enforcement, given that it received formal evidence of “incontrovertible wrongdoing” 16 months ago. 

“The [ICO] blog post says ‘we’re seeing genuine engagement from the industry, the IAB and Google’. That’s patently a misinterpretation of what we’re seeing… this is the biggest data breach the UK has ever had. 

“We expected when they announced what they were doing [in their report findings update in November] – that step would be banning processes and maybe fines (although fines are less important than the processes themselves). We thought they would go into ad exchanges and demand management platforms and demand the deletion of data. They have the power to do that.” 

Ryan warns that Brave and its fellow complainants are now considering legal action, as well as other options that would “compel the regulator to enforce the law”. 

“This industry has known about this for so long. I used to be a member of IAB Tech Lab and was saying this from the inside,” he adds.

He also rejects the idea that the ICO is compromising because the harm associated with such a widespread data breach is massive and the ad tech players involved are operating without proper checks and balances. 

“We’re at this moment that is similar to other industries: it’s like the medical industry was in the Middle Ages – there was nothing, people in barber shops with rusty blades. Then the enlightenment happens and in the 1800s there are standards and guilds, you have sanitation and electricity. Now if you want to operate on someone, you have to do it in a hospital – if haven’t got a hospital you can go away – tough. It’s called professionalisation.”

The ICO’s response to these criticisms, meanwhile, is framed as a reminder that this is a complex issue.

McDougall tells Campaign: “There are thousands of companies involved in the adtech eco-system and at this stage the issues raised involve the entire industry. We stand ready to deal with the problems but it is a hugely complex area. As a pragmatic regulator, we have a duty to build a thorough and robust case for any regulatory action we may decide to take, and all of this takes time. 

“We are using the intelligence gathered throughout last year to develop an appropriate regulatory response and we continue to investigate real-time bidding. It may be necessary to take formal regulatory action and we will continue to progress our work on that basis.”

Meanwhile the IAB UK says it is “pleased” that the ICO is recognising the work that the industry had done to date and the further work to which it has committed.

Christie Dennehy-Neil, head of policy and regulatory affairs at the IAB UK, says: “We have made good progress, but what matters now is the outcome. Implementing the actions outlined in our response to the ICO needs our members and the wider industry to work with us and be willing to take action where necessary to deliver meaningful change. We look forward to continuing to engage with the ICO as this process develops.” 

The apparent change in tone from the ICO also surprises Damon Reeve, chief executive of the Ozone Project, the digital publishing joint venture representing major UK news publishers Reach, News UK, The Guardian and Telegraph Media Group. 

Reeve tells Campaign: “We expected a slightly firmer position from the ICO… What was missing from Simon’s blog post was anything of real substance. There’s been a lot of discussion and maybe they’re looking to see more action off the back of that.

“It doesn’t really change anything that we’re already on the path to doing. At Ozone we are being fairly proactive in the decisions we’re making to reduce the risks around the processing of data.”

Reeve agrees about the need for a balanced approach: “The right thing for them to do is facilitate change through those organisations. If everyone is in good faith doing the right thing, that must be the best way for them to move in the right direction. Unless individual companies are being fraudulent and going against the industry grain, it makes sense to support competition through that process.”

However, there may be events going on behind the scenes of the ICO that are having an impact on this investigation. 

Last week the law firm Mishcon de Reya spotted that the watchdog had effectively decided to delay imposing £282m worth of fines on Marriott and British Airways. The US hotel chain and UK airline had both been found to have committed significant data breaches in 2018 under the GDPR and had been fined £99m and £183m respectively.

Mishcon’s data protection adviser, Jon Baines, told The Register that he suspected both companies had deployed similar legal arguments to Facebook when it fought back against a Cambridge Analytica-linked fine and ended up being fined £500,000

The suspicion is that the ICO’s internal procedures are being challenged and it could be that the watchdog is not feeling as confident as it was last June, or is simply too stretched in terms of its resources to fight so many battles at the same time.

Source: Ico Search Results
Continue reading Is the ICO going soft on the ‘out of control’ adtech industry?

Posted on

CountingWorks PRO Announces the 2019 TaxBuzz Top 100 Tax Professionals & CountingWorks Top 100 Cloud Accounting Experts


CountingWorks PRO Announces the 2019 TaxBuzz Top 100 Tax Professionals & CountingWorks Top 100 Cloud Accounting Experts – Global Investing Today – EIN News

























Trusted News Since 1995

A service for investment professionals
·
Tuesday, January 21, 2020

·
507,734,718
Articles


·
3+ Million Readers

News Monitoring and Press Release Distribution Tools

News Topics

Newsletters

Press Releases

Events & Conferences

RSS Feeds

Other Services

Questions?




Source: Ico Search Results
Continue reading CountingWorks PRO Announces the 2019 TaxBuzz Top 100 Tax Professionals & CountingWorks Top 100 Cloud Accounting Experts

Posted on

Venmo woos retailers with branded, animated stickers for its newsfeed

Venmo’s newsfeed is about to get more interesting. Historically, the PayPal-owned app’s users would comment on their transactions using text, or as is more common, emoji. But now the company is planning to add support for custom, animated stickers, as well.

These animations were designed in partnership with Holler so they’re unique to the Venmo app and tailored to the sorts of transactions that take place there. For example, one is of a hoagie sandwich broken in half with text that reads “split the bill.” Another features a spinning pizza. One includes two characters pushing an IKEA shopping cart. And so on.

IKEA isn’t the only brand to be included in the new stickers, as it turns out — Subway and others are also participating, Venmo says. (Keurig was initially listed as a sticker partner, then pulled out at the last minute. Other news sites have still included the brand’s mention, but to be clear — it isn’t launching now.)

The move to introduce stickers — and particularly those featuring select retailers — comes at a time when Venmo is looking for ways to establish itself as a payment method of choice at brick-and-mortar stores. On that front, the company this past fall launched a rewards program tied to its physical Venmo card to offer users 5% back at stores like Target, Sephora, Dunkin’ Donuts, and Wendy’s, among others.

Though Venmo parent company PayPal had already tried to establish itself as an optional at checkout through point-of-sale integrations in years past, it never really took off. In more recent months, PayPal instead chose to partner instead of competing with payment rivals like Apple, Google, Visa, Mastercard, and others. Venmo, however, still has a shot at becoming at establishing a foothold in the physical retail space, thanks to its Venmo account-linked card and its forthcoming credit card.

In addition, its service is favored by millennial and Gen Z shoppers who often opt for non-traditional cards and banking products, like mobile banking apps and cards that also function as status symbol cards, like the new  Apple Card. Plus, they prefer visual communication when it comes to sharing what they’re spending — over 90% of Venmo transactions include emojis, the company notes.

Venmo says the new stickers in the app will help the retailers to better connect with Venmo users and could allow for tailored experiences, going forward. But not all the stickers are branded — some are just happy tacos or burritos, jars and mugs filled with pennies, and other generic images.

The stickers are rolling out, starting today, says Venmo.

Source: TechCrunch
Continue reading Venmo woos retailers with branded, animated stickers for its newsfeed

Posted on

ICO reveals Phishing as top threat between 2017-2019

Cyber security data breach reports continued to flood in to the Information Commissioner’s Office (ICO) last year, with phishing proving to be the top cause of breaches, according to new analysis of ICO data between 2017 to 2019. The analysis conducted by the intelligent cyber security awareness platform, CybSafe, includes data published on Tuesday this week by the ICO.

CybSafe found that in 2019, UK organisations reported more cyber security breaches to the ICO than ever before. A total of 2,376 reports were sent to the public body last year, up from 540 in 2017, and 1,854 reports in 2018 – the year that GDPR came into force. Based on these figures, cyber breach reports to the ICO increased by 28 per cent from 2018 and 2019.

Phishing data breach reports have increased even more significantly over the last three years. In 2017, only 16 breach reports were made to the ICO as a result of successful phishing attacks. This jumped to 877 phishing reports in 2018, and in 2019, UK organisations reported a record 1,080 phishing-related breaches to the ICO – representing 45 per cent of all cyber security data breach reports received by the ICO that year.

In 2019, phishing was therefore the most common reason cited for cyber data breaches. ‘Unauthorised access’ took second place, with 791 breaches reported to the ICO. Other notable causes for breaches included 243 reports related to malware or ransomware, 64 related to hardware/software misconfiguration, and 34 related to brute force password attacks.

CybSafe’s research illustrates the continued prevalence of human-focused attacks and breaches. Considering all cyber security reports received by the ICO in 2019, the company suggests that over 90 per cent can likely be attributed to some form of user error or mistakes, as opposed to hardware or software security vulnerabilities.

Commenting on the company’s latest analysis, Oz Alashe, CEO of CybSafe, said: “With GDPR causing a massive surge in reporting during 2018, we might have expected that reports to the ICO would taper off in 2019 – but this wasn’t the case. 2019 surpassed the numbers achieved in the previous year quite dramatically. In terms of human error data breaches, it was a particularly significant year.

“With end-user mistakes often found to be the cause or catalyst of the majority of breaches, there’s a clear opportunity for the channel to step up and offer expertise and workable programmes. The channel needs to start the conversation with their customers about whether they’re successfully minimising human risk. Many companies won’t be doing anything at all to tackle these types of cyber risks, and those that are doing something, often won’t be using cost-effective, impactful, and measurable solutions.”

The following two tabs change content below.

David Dungay

Editor – Comms Business Magazine

Latest posts by David Dungay (see all)

Source: Ico Search Results
Continue reading ICO reveals Phishing as top threat between 2017-2019

Posted on

ICO eyes formal real-time bidding regulation after being ‘ignored’

The UK’s data watchdog has accused companies of “ignoring” its message that the adtech industry needs to clean up its act as it considers formal regulatory action as part of its real-time bidding investigation.

Simon McDougall, executive director for technology and innovation at the Information Commissioner’s Office’s, warned today that “those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers”.

The ICO launched an investigation in June 2019 into the RTB industry supply chain and gave a deadline of six months for companies to start getting their house in order.

Through the RTB process, a wide range of data is broadcast to multiple advertisers via an auction that uses this data to serve ads to online users in a fraction of a second.

Following complaints by privacy advocates and Brave, the anti-tracking internet browser company, the ICO said RTB was failing in terms of good data protection and that the adtech industry was “immature” in its understanding of compliance. 

Companies that fall foul of the General Data Protection Regulation, Europe’s data-privacy law, are liable to be fined 4% of annual turnover or €20m (£17.9m), whichever is higher. The ICO enforces GDPR in the UK. 

Google and the Internet Advertising Bureau are the principal bodies in the UK that set RTB standards and support for online advertisers.

Today, McDougall added that both companies had made progress on cleaning up the RTB supply chain: the IAB has pledged to educate the industry on special category data (which contains sensitive information about internet users), while Google will remove content categories and improve its auditing process. 

Google also announced this week that it will remove third-party data cookies from its Chrome browser that allow advertisers to track users across the web. 

McDougall said: “We are using the intelligence gathered throughout last year to develop an appropriate regulatory response. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry, we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis.”

Source: Ico Search Results
Continue reading ICO eyes formal real-time bidding regulation after being ‘ignored’

Posted on

Mobile payment app Lydia raises $45 million round led by Tencent

French startup Lydia is raising a $45 million Series B round (€40 million). Tencent is leading the round with existing investors CNP Assurances, XAnge and New Alpha also participating.

If you live in France, chances are you already know Lydia quite well. The company has become a ubiquitous mobile payment app, especially for people under 30 years old. Think about it as a sort of Square Cash or Venmo, but for France.

“At first, we wanted to raise less but we ended up raising more,” Lydia co-founder and CEO Cyril Chiche told me in a phone interview.

The company has managed to attract 3 million users in France. More impressive, 25% of French people between 18 and 30 years old have a Lydia account — and 5,000 people sign up every day. Lydia currently has 90 employees.

More recently, the company has expanded beyond peer-to-peer payment. First, the company wants to help you manage your money in many different ways with an important value — everything should happen in real time.

You can create multiple Lydia accounts to put some money aside or use money in that sub-account for a specific purpose. That feature alone turns the app into a versatile money management app.

For instance, you can associate a Lydia payment card with a Lydia account and a virtual card with another Lydia account — that virtual card works with Apple Pay, Google Pay, Samsung Pay and more. You can change those settings in real time.

You can share accounts with other Lydia users. And shared accounts are truly shared — everyone can top up and withdraw money from that account. You can spend directly from that account or withdraw money to another account.

You can also turn any Lydia account into a money pot account. In just a few taps, you can generate a link and share it with your friends so that they can add money using their regular payment card or a Lydia account.

More recently, the company has introduced “the market”, a marketplace of other financial products. From the Lydia app, you can borrow up to €1,000 in just a few seconds. You can also insure your phone and other mobile devices. You can get some free credit when you open a bank account, insure your home with Luko, switch to another electricity and gas provider, compare mobile phone and internet providers and more.

And that strategy is going to be key in the future. “We have an ambitious goal, which is turning Lydia into a mobile financial service app,” Chiche said.

He also pointed out that the company that has been the most successful when it comes to creating a mobile marketplace of financial products is Tencent with WeChat.

“Tencent is also the number one player in the video game industry, and there’s no industry with as much user engagement,” Chiche said. Tencent acquired Supercell, bought 40% of Epic Games, acquired Riot Games (League of Legends), invested in Ubisoft, Activision Blizzard, Discord, etc. Lydia hopes that it can learn from Tencent on the user engagement front.

Compared to many fintech startups, Lydia doesn’t want to replace banks altogether — the company says it wants to build a meta-banking app. Peer-to-peer payments represent the top of the funnel and a great user acquisition strategy thanks to networking effects.

You can then connect your Lydia account with your bank account and your debit card. This way, you can send money back and forth between your Lydia accounts and your bank account. As a user, that strategy slowly pays off over time. After a while, you end up spending money directly from your Lydia account and relying more heavily on Lydia’s native payment features, with your bank account acting as a money back end.

At the bottom of the funnel, Lydia hopes that it can turn active Lydia users into paid customers with a handful of in-house and third-party financial products. In other words, Lydia doesn’t want to become a credit institution like a traditional bank, it wants to become a financial hub. Expanding the marketplace will be a big focus for the company going forward.

While Lydia is available in other European countries, Lydia is still massively used in its home market with other markets lagging behind. With today’s funding round, growth in foreign countries is going to be the second key topic.

Source: Startups – TechCrunch
Continue reading Mobile payment app Lydia raises $45 million round led by Tencent

Posted on

An ICO by Any Other Name: SEC Issues Investor Alert on Initial Exchange Offerings (IEOs)

The US Securities and Exchange Commission’s (SEC’s) Investor Education and Advocacy division is warning the public that, because both Initial Exchange Offerings (IEOs) and the platforms selling them may be unregistered and unregulated, investing in IEOs may be high risk- and not much different than investing in ICOs.

There is no such thing as an SEC-approved IEO,” the SEC writes in the warning.

IEO’s emerged in 2018 after a number of SEC communiqués and enforcements made it clear that the regulator largely regards ICO’s (initial coin offerings) as unregistered securities.

According to the SEC, IEOs are differently named but similarly featured. The only difference is that, rather than being sold directly to investors by ICO projects themselves, IEO’s are sold by trading platforms where they can also be traded:

“Initial exchange offerings (IEOs) are a recent development in the rapidly evolving digital asset space.  IEOs are similar to initial coin offerings (ICOs) in that they are initial offerings of digital assets (e.g., coins or tokens) to raise capital.  However, IEOs are being touted as an innovation on ICOs because they are offered directly by online trading platforms on behalf of companies—usually for a fee—to provide immediate trading opportunities for the digital assets.”

First, the word “exchange” is a misnomer, the SEC claims:

“These online trading platforms, which are typically not registered with the SEC and which may improperly refer to themselves as ‘exchanges,’ may also claim to perform due diligence or other quality assessments of the IEOs.”

Because the platforms are not true and regulated exchanges, using them implies considerable risk:

“Noncompliance with the federal securities laws means the IEO and/or trading platform may be operating unlawfully and the investor and market protections and remedies these laws are intended to provide may be absent.”

Further:

“You should carefully consider whether the company and the trading platform involved in the IEO has complied with federal securities laws.”

IEO’s may be cleverly marketed, but, “Be cautious if considering an investment in an IEO,” the SEC writes:

“Claims of new technologies and financial products, such as those associated with digital asset offerings, and claims that IEOs are vetted by trading platforms, can be used improperly to entice investors with the false promise of high returns in a new investment space.  As described below, IEOs may be conducted in violation of the federal securities laws and lack many of the investor protections of registered and exempt securities offerings.”

According to the regulator, a failure to reference securities laws in an IEO offering is “a red flag”:

“It is a red flag if the IEO and its participants, including the online trading platform, do not address or discuss the applicability of the federal securities laws.”

Projects may also claim they are registered when they are not:

Saying something is registered doesn’t make it so.  In addition, be careful if the promoter of the IEO or the digital trading platform hosting the IEO states that they are approved or registered with the SEC.”

Once again:

There is no such thing as an SEC-approved IEO.”

American securities laws are thorough -some would say too thorough- though SEC Chair Jay Clayton has defended the standards claiming they help assure that U.S. remains a safe place to invest money.

Strong rules have meant that even cryptocurrency projects and trading platforms with premises and staff in the US are registered offshore.

Rules at offshore businesses may be loosely enforced. Cryptocurrency trading platforms like Bitfinex and BitMEX, for instance, have been accused of only tacitly enforcing stated policies barring American traders.

Though, “Projects may claim to be exempt because they are located overseas,” the SEC warns, “…if the offering is being made to American investors, American securities laws may apply,” meaning IEO offerings may be non-compliant (and subject to future enforcement action?).

Furthermore, “Offshore trading platforms that attempt to avoid regulatory scrutiny can leave investors without important information,” the SEC writes, “including information about the IEO issuer, the digital asset offered, and any arrangements between the trading platforms and IEO issuers that enable them to make informed judgments about whether to invest in an IEO.”

Distance can also mean poor oversight regarding trades and conflict of interest at exchanges. Popular crypto trading platforms have been accused of using order data to trade against their own customers and conspiring amongst themselves to manipulate the prices of cryptocurrencies.

For example, executives at Korean crypto trading platform Komid were prosecuted for consducting alleged billion dollar wash trades designed to give customers the false impression that the exchange and the “crypto assets” on it were very popular.

Importantly, if an investor ends up defrauded by a foreign entity, the SEC warns, there may be little recourse.

Defrauded investors, “may have no effective legal remedies in U.S. courts against offshore trading platforms or IEOs issuing on the platforms.  Even if investors sue successfully in a U.S. court, they may not be able to collect on a U.S. judgment against a foreign company, entity or person.”

As well, collecting relief in such cases would, “rely on legal remedies in a foreign country.  These remedies may not exist or may differ greatly from remedies available in the United States.”

Source: Ico Search Results
Continue reading An ICO by Any Other Name: SEC Issues Investor Alert on Initial Exchange Offerings (IEOs)

Posted on

Visa is acquiring Plaid for $5.3 billion, 2x its final private valuation

Visa announced today that it is buying financial services API startup Plaid for $5.3 billion. 

Plaid develops financial services APIs. It is akin to what Stripe does for payments, but instead of facilitating payments, it helps developers share banking and other financial information more easily. It’s the kind of service that makes sense for a company like Visa.

The startup bought Quovo two years ago to move beyond just banking, and into broader financial services and investments. The idea was to provide a more holistic platform for financial services providers. As the founders wrote in a blog post at the time of the acquisition, “Financial applications have historically used Plaid primarily to interact with checking and savings accounts. In acquiring Quovo, we are extending our capabilities to a wider class of assets.”

The deal is expected to close in the next three to six months, pending regulatory approval.

The price

Plaid’s exit price is a triumph for its investors, who put a combined $353.3 million into the company, according to Crunchbase data. Most important among those rounds was a $250 million infusion that came in late 2018. Index and Kleiner led that round, valuing Plaid at $2.65 billion, or 50% of its final sale price (we doubt that that ratio is a coincidence).

At the same time, it was later revealed, Mastercard and Visa also took part in the round, with TechCrunch reporting in 2019 that the two payments giants “quietly participated in the round.” 

Whether those investments were large enough to grant Visa information rights isn’t clear, but certainly the two credit card giants had more insight into what Plaid was doing than they did before their investment. We can presume, then, that Plaid was doing well as a private company; no one pays twice a multi-billion-dollar valuation for a firm unless they want to keep it away from their core business, or a key competitor. 

Or perhaps both, in the case of Plaid.

The Twilio comparison

Plaid is often compared to Twilio, another API-first company that sits in the background, helping other players do business. Noyo, on the early-stage front, is doing something similar with its healthcare information and insurance APIs. Stripe, as mentioned above, is similar but in the payment space. The model has proved lucrative for Twilio, which has soared as a public company; Plaid’s huge exit will add extra shine to the startup varietal.

However, unlike Twilio, Plaid was bought while still private, depriving us of a good look into its figures. We anticipate that they would show growth in high-margin revenues. That’s something that all companies, public and private, covet.

For Visa, however, there’s likely something more to the deal. Namely, it now has a view into scads of high-growth, private companies that are reinventing the world in which Visa operates. Buying Plaid is insurance against disruption for Visa, and also a way to know who to buy. 

But for today, it’s a win for Plaid shareholders (including employees).

Source: TechCrunch
Continue reading Visa is acquiring Plaid for $5.3 billion, 2x its final private valuation

Posted on

FINTECH COMPANY MANAGECASH HOSTS CASH LOGISTICS EXHIBIT AT WORLD’S LARGEST ATM-FOCUSED EVENT


FINTECH COMPANY MANAGECASH HOSTS CASH LOGISTICS EXHIBIT AT WORLD’S LARGEST ATM-FOCUSED EVENT – Global Investing Today – EIN News

























Trusted News Since 1995

A service for investment professionals
·
Thursday, January 9, 2020

·
506,776,606
Articles


·
3+ Million Readers

News Monitoring and Press Release Distribution Tools

News Topics

Newsletters

Press Releases

Events & Conferences

RSS Feeds

Other Services

Questions?




Source: Ico Search Results
Continue reading FINTECH COMPANY MANAGECASH HOSTS CASH LOGISTICS EXHIBIT AT WORLD’S LARGEST ATM-FOCUSED EVENT

Posted on

IAB launches six ‘actions’ in response to ICO real-time bidding probe

The Internet Advertising Bureau UK has announced a range of commitments to help advertisers that use real-time bidding meet their data protection obligations amid an investigation by the UK’s data watchdog.

The six actions are launched ahead of an expected update by the Information Commissioner’s Office on its probe into RTB, having heavily criticised the practice in June 2019. The ICO warned that sensitive data about internet users may be being broadcasted through bid requests and thus breaching Europe’s General Data Protection Regulation without the necessary consent.

Each of the IAB commitments respond to key issues that the ICO identified in its latest update report, in which the data watchdog gave six months for companies involved in the RTB supply chain to get their houses in order because the adtech industry appears “immature” in its understanding of GDPR compliance.

Regulators such as the ICO are empowered to fine GDPR violators up to €20m (£17.9m) or 4% of the offending company’s annual turnover (whichever is highest).

Through the RTB process, a wide range of data is broadcast to multiple advertisers via an auction that uses this data to serve ads to online users in a fraction of a second.

The IAB, which develops industry standards and provides legal support for the digital advertising industry, has committed to:

  • Develop good-practice guidance covering data security, minimisation and retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework policies could be enhanced;
  • Carry out a range of actions to be taken on special category data, including education for the industry on restrictions (developed with other trade bodies, particularly on the buy side), and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests;
  • Educate its members on the consent requirements of UK online privacy regulations, with reference to the ICO’s current cookie guidance, and promoting the use of the TCF for obtaining user consent in a GDPR-compliant way;
  • Educate its members on Legitimate Interests Assessment requirements and work with IAB Europe to develop resources to support companies to meet these requirements;
  • Educate members on Data Protection Impact Assessment requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry and work with relevant trade bodies as they develop their own DPIA approaches and guidance;
  • Provide transparency and fairness of information to consumers.

Simon McDougall, the ICO’s executive director for technology and innovation, said: “Our ‘update report’  documented our concerns with how personal data is processed using RTB and our subsequent engagement work with the adtech industry has largely validated these concerns. 

“We’re very pleased with the engagement we’ve had so far and, while we still have a long way to go, we’re optimistic that an industry-led solution is possible. We look forward to continuing our constructive discussions with the IAB and the industry as it implements the proposals made.”

However, the IAB has also said it does not believe that including context category fields in bid requests, such as “health” or “religion”, leads to special category data used.

In the IAB’s full response to the ICO, published last month, it said: “[Context category fields] do not in themselves constitute special category data because, on their own, they do not reveal information about the individual user or concern their health, sex life or sexual orientation. 

“Rather, they are derived from categorising the nature of the environment (eg surrounding page content) where the ad impression has become available. The nature of the environment is independent from the user and cannot be attributed to the user by default. Whether the content-based data in a bid request constitutes personal data on the basis that it can identify a person, directly or indirectly, will depend on what other data the company in question holds or has access to.”

Source: Ico Search Results
Continue reading IAB launches six ‘actions’ in response to ICO real-time bidding probe