Last Tuesday, the ICO held a fact-finding forum with various brands, ad tech industry executives, privacy campaigners and lawyers. Key focuses were companies’ treatment of sensitive, “special category” data and the often substandard contractual agreements to protect how bid-request data is shared between vendors.
Following their insightful June 2019 report on the same topic, it looks like the ICO isn't taking its foot off the pedal any time soon when it comes to scrutinising the ad tech industry. The ICO tends to publish a summary report of its fact-finding forums, so fingers crossed we'll see some output in the coming weeks.
In his presentation, the ICO’s McDougall said the data protection authority’s look into the ad tech sector so far had confirmed some direct processing by vendors of special category data — such as ethnicity or data on someone’s health or sex life — without explicit consent, a violation of GDPR.
As for user consent, the ICO said it found inadequate and — in some cases — inaccurate transparency information was made available. It discovered privacy policies that lacked clarity or provided conflicting information. It was sometimes unclear how users would withdraw consent. The ICO said it had also found a poor standard of companies assessing they have a “legitimate interest” for their collection and retention of data.