Information Commissioner's Office Archives - Mobile Marketing Magazine
https://mobilemarketingmagazine.com/tag/information-commissioners-office/

Ticketmaster hit with £1.25m ICO fine for chatbot-related data breach
https://mobilemarketingmagazine.com/ticketmaster-handed-1-25m-fine-by-ico-for-data-breach/
Fri, 13 Nov 2020 20:46:48 +0000

Ticketmaster UK has been handed a £1.25m fine by the Information Commissioner’s Office (ICO) for a data breach which may have affected more than 9m of Ticketmaster’s customers across Europe. The decision comes not long after the ICO hit Marriott International and British Airways with fines of £18.4m and £20m respectively.

Ticketmaster’s fine relates to a breach, which included names, payment card numbers, expiry dates, and CVV numbers, that may have affected 9.4m Ticketmaster customers across Europe – including 1.5m in the UK.

The ICO’s investigators found that 60,000 payment cards belonging to Barclays customers had been affected by fraud as a result of the breach. Another 6,000 cards were replaced by Monzo after the mobile bank suspected fraudulent use.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” said James Dipple-Johnstone, Deputy Commissioner. “Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.

“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

The breach, which stemmed from a third-party chatbot on the company’s online payment page, began back in February 2018 but the ICO’s penalty only relates to the breach from 25 May 2018 – when GDPR came into effect. The chatbot allowed the attacker to access customers’ financial details.

Despite Monzo, The Commonwealth Bank of Australia, Barclaycard, Mastercard, and American Express all reporting their concerns about fraud to Ticketmaster, it took the ticket company nine weeks to begin monitoring network traffic through its online payment page.

“This particular case sends a stark warning to organisations that GDPR compliance is both people and technology driven. It is the duty of every person within an organisation to know their responsibilities under the GDPR and this includes being accountable for all technology used. Despite it being a third party’s chatbot software that created a gateway for this data breach, the onus is still on Ticketmaster to ensure that any technology they use is secure,” said Chris Combemale, CEO at Data & Marketing Association.

“Within a month, the ICO has now issued several record-breaking fines in response to significant security failures by organisations who are responsible for the data of millions of customers. Data privacy is not a tick-box exercise, organisations must continue to invest in keeping their customers’ data secure. Otherwise they will face penalties that could prove far more costly to the business.”

More than two-thirds of ICO fines issued since January 2019 haven't been paid
https://mobilemarketingmagazine.com/68-per-cent-of-ico-fines-since-the-start-of-2019-remain-unpaid/
Fri, 06 Nov 2020 15:28:40 +0000
Of 21 fines handed out between January 2019 and August 2020, just nine have been collected by the ICO


A year on from the revelation that the Information Commissioner’s Office (ICO) was owed 42 per cent of the fines it handed out since 2015, it’s been revealed that the non-departmental public body’s collection struggles have continued in the past year.

Since last year’s report, the ICO has only managed to collect one of the 47 unpaid fines levied between 2015 and the end of July 2019, according to data once again obtained by The SMS Works via a freedom of information request.

Of the 21 fines handed out more recently, namely between January 2019 and the end of August 2020, the ICO has only managed to collect £1.03m of the £3.2m it is owed – just 32 per cent of all fines issued. It has collected just nine of the 21 fines issued – and that’s despite new regulations making company directors individually responsible for paying the fines.

The SMS Works has found that directors have found loopholes to avoid paying fines such as claiming voluntary insolvency or shutting down their business and opening up under a new name.

Of course, the data obtained doesn’t include the recent fines handed out to Marriott International and British Airways of £18.4m and £20m respectively. Those two major international companies will struggle to find loopholes to get out of their fines, both for data breaches under GDPR.

Marriott slapped with £18.4m ICO fine for data breach
https://mobilemarketingmagazine.com/marriott-handed-18-4m-fine-for-data-breach-by-ico/
Fri, 30 Oct 2020 18:24:48 +0000


Marriott International has been fined £18.4m by the Information Commissioner’s Office (ICO) for a breach of the General Data Protection Regulation (GDPR) in failing to protect the personal data of millions of its customers.

The hospitality giant may feel unfairly punished by the fine – because the company itself was not responsible for the breach – but has said it does not intend to appeal the decision.

A cyber-attack on Starwood Hotels and Resorts Worldwide in 2014 is estimated by Marriott to have left the records of 339m worldwide guests vulnerable. Marriott acquired Starwood two years after the breach. The attack remained undetected until September 2018 and was reported in November 2018.

The true number of guests affected is unclear because some guests may have had multiple records. 7m of the records related to people in the UK.

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” said Elizabeth Denham, Information Commissioner.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Marriott said it regrets the incident but makes no admission of liability. It also stated that it continues to be committed to the privacy and security of its guests’ information and has reassured guests that Starwood’s network is no longer in use.

The ICO has acknowledged the work that Marriott has done to mitigate the risk of damage suffered by its customers and the measures it has put in place to improve security.

The fine comes just two weeks after the ICO hit British Airways with a £20m fine for a failure to protect the personal and financial details of more than 400,000 customers.

“Within just two weeks, the ICO has now issued a fine of £20m to British Airways and £18.4m to Marriott. These are the two highest confirmed fines in the history of the ICO in response to significant data security failures by both organisations,” said Chris Combemale, CEO of the Data & Marketing Association. “Given the dramatic fall in revenue that the travel and leisure sector has experienced during the coronavirus pandemic, these fines send a very powerful message to organisations that they must invest in keeping their customers’ data secure. Otherwise they will face penalties that could prove far more costly to the business.”

The UK will be implementing a new code to keep children safe from online harm
https://mobilemarketingmagazine.com/the-uk-will-be-implementing-a-new-code-to-keep-children-safe-from-online-harm/
Thu, 23 Jan 2020 04:10:54 +0000


The UK Information Commissioner’s Office has created a new code of 15 principles that aim to make the internet a safer place for children, including the prevention of self-harm or suicidal content, sexual grooming risks, and location sharing. The ICO will allow companies a year of transition to abide by the new rules, and then will enforce the code starting in Fall of 2021.

Companies who fail to enforce the safety code will be breaking the law, and will face fines up to £17m, or 4 per cent of global turnover. Some of the 15 principles will require companies to set default privacy settings to high, set default location sharing services to off, and block “nudge” notifications that encourage children to loosen their privacy settings.

“Personal data often drives the content that our children are exposed to – what they like, what they search for, when they log on and off and even how they are feeling,” said Elizabeth Denham, the information commissioner.

Additionally, the ICO warned companies that do not want to attract children to their site to make it a priority that such users can’t gain access: “If your service is the kind of service that you would not want children to use in any case, then your focus should be on how you prevent access. If your service is not aimed at children but is not inappropriate for them to use either, then your focus should be on assessing how appealing your service will be to them.”

“This transformative code will force high-risk social networks to finally take online harm seriously and they will suffer tough consequences if they fail to do so,” said Andy Burrows, the NSPCC’s head of child safety online policy.

Burrows continued, “For the first time, tech firms will be legally required to assess their sites for sexual abuse risks and can no longer serve up harmful self-harm and pro-suicide content. It is now key that these measures are enforced in a proportionate and targeted way.”

The biggest companies that will likely be affected by this new code will be social media giants such as Facebook, Twitter, Instagram, TikTok, SnapChat and YouTube. Hesitant companies should be made aware that the new code is legally backed by a requirement in the Data Protection Act 2018, citing the “age-appropriate design” of websites.

ICO issues real-time bidding regulation warning
https://mobilemarketingmagazine.com/the-information-commissioners-office-has-issued-a-warning-to-the-ad-tech-industry-that-it-will-regulate-real-time-bidding-if-the-industry-does-not-clean-up-its-act/
Sat, 18 Jan 2020 01:51:40 +0000
A report on the warning from the Information Commissioner’s Office to the ad tech industry that it will regulate real-time bidding if the industry does not clean up its act

The Information Commissioner’s Office (ICO) has issued a stark warning to the ad tech industry to put its real-time bidding house in order or face increased regulation.

In June last year, the ICO released a report that highlighted a number of issues and concerns around the use of personal data in the real-time bidding process, and it gave the industry six months to respond to its findings. Just last week IAB UK issued its response, in the shape of a series of actions designed to help companies engaged in real-time bidding to understand and meet their data protection and privacy compliance obligations in practice.

In a blog post today, Simon McDougall, the ICO’s executive director of technology and innovation, paid tribute to the IAB’s work, naming it and Google as “two key organisations in the industry” who “are starting to make the changes needed”.

But he noted also that “while many organisations are on board with the changes that need making, some appear to have their heads firmly in the sand.” He added that the ICO had reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB and found that the justification offered by organisations is insufficient.

“Furthermore,” he wrote, “the Data Protection Impact Assessments we have seen have been generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual. We have also seen examples of basic data protection controls around security, data retention and data sharing being insufficient.”

And he warned the industry that if it does not put things right, regulation is inevitable, saying: “We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis…

“I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.”

Aaron Goldman, CMO of 4C Insights, said the ad tech industry should take the ICO’s warning seriously. “The latest ICO update will have significant consequences for ad tech companies operating on the open web and in particular using real-time bidding,” he said. “These latest developments along with Google’s announcement that it will do away with third-party cookies spell doom for demand side platforms that are not interoperable within and across walled gardens. Going forward, the imperative for publishers and broadcasters will be to create closed ecosystems with opt-in consumers and enable brands to connect with consumers on multiple screens through targeted placements.”

IAB outlines plans in response to ICO's concerns over real-time bidding
https://mobilemarketingmagazine.com/iab-outlines-plans-in-response-to-icos-concerns-over-real-time-bidding/
Fri, 10 Jan 2020 02:43:07 +0000

In response to the Information Commissioner’s Office’s (ICO’s) ‘Update report into adtech and real time bidding’, published in June 2019, IAB UK has set out a series of actions designed to help companies engaged in real-time bidding to understand and meet their data protection and privacy compliance obligations in practice.

The ICO’s report summarised the findings of its review of the use of personal data in the real-time bidding process in terms of the relevant provisions of the GDPR and ePrivacy legislation. Following its publication, the regulator announced a six-month period for further industry engagement and for the industry to respond to its findings.

This process has been led by IAB UK and its members, along with IAB Europe and IAB Tech Lab where appropriate. As a result, IAB UK has committed to a series of actions on six key issues raised in the ‘Update report’, to help improve standards of compliance. These are:

Data security
IAB UK will develop good practice guidance covering security, data minimisation and data retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework (TCF) policies could be enhanced to support such good practice.

Special category data
A range of actions will be taken here including developing UK-focused guidance on the Content Taxonomy; education for the industry on special category data restrictions and requirements (developed with other relevant trade bodies, particularly on the buy-side); and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests.

Reliance on legitimate interests for cookies
IAB UK is committed to educating its members on the consent requirements of UK ePrivacy regulations, with reference to the ICO’s current cookie guidance, and promoting the use of the Transparency & Consent Framework (TCF) where appropriate, for obtaining this consent in a compliant way.

Legitimate interests assessments (LIAs)
IAB UK will educate its members on LIA requirements, taking into account the outcomes of a joint (ICO/IAB Europe/IAB UK) review of anonymised example LIAs, and work with IAB Europe to develop resources to support companies to meet these requirements in practice.

Data Protection Impact Assessments (DPIAs)
IAB UK will educate members on DPIA requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry, and work with other relevant trade bodies as they develop their own DPIA approaches and guidance.

Transparency and fairness of information provided to consumers
IAB UK will engage with IAB Europe on the outcomes of ongoing discussions about potential changes to TCF policies with respect to Consent Management Provider user interfaces, and then decide on any further action.

In addition to the actions outlined above, IAB UK has also identified areas where further discussion is needed before a clearer position and consensus can be reached. The ICO, meanwhile, is expected to provide a further update on its position in the coming weeks, once it has reviewed all relevant responses.

Simon McDougall, the ICO’s executive director for technology and innovation, said: “Our ‘Update report’ documented our concerns with how personal data is processed using RTB, and our subsequent engagement work with the adtech industry has largely validated these concerns. We’re very pleased with the engagement we’ve had so far and, while we still have a long way to go, we’re optimistic that an industry-led solution is possible. We look forward to continuing our constructive discussions with the IAB and the industry as it implements the proposals made.”

Christie Dennehy-Neil, IAB UK’s head of policy and regulatory affairs, added: “It’s now critical that we work together with our members to implement change. This needs everyone – advertisers, intermediaries and media owners – to work with us, and to be willing to take action and invest in making changes where necessary.”

More than 40 per cent of ICO fines haven't been paid
https://mobilemarketingmagazine.com/the-ico-is-owed-7-05m-in-unpaid-fines/
Tue, 26 Nov 2019 21:01:25 +0000
Since 2015, 42 per cent of the total fine amount handed out by the ICO hasn't been paid


The Information Commissioner’s Office (ICO) is still owed 42 per cent of the total fine amount it’s handed out for data breaches, spam, and nuisance calling since 2015, showing the difficulty the governmental office has had in enforcing the punishments levelled at companies.

152 fines have been issued since 2015, with 47 – or 30 per cent – remaining unpaid, according to data obtained by The SMS Works via a freedom of information request. The total amount fined in that period was £16.6m, of which £7.05m remains uncollected – that’s 42 per cent.

All the fines levelled at charities and public organisations have been paid, as you’d expect. However, private firms haven’t been anywhere near as accepting of fines.

The claims management industry – the worst of the bunch – has received a total of £3.2m in fines with a staggering 84 per cent remaining unpaid, only £490,000 having been collected. The home improvements sector payments are under 30 per cent, while both marketing and telecoms sit under 40 per cent. The financial services industry is the best within the private sector, paying over 70 per cent of fines.

Looking at payments based on reason behind the fine, just 23 per cent of nuisance call fines are successfully collected by the ICO. Email and SMS spam have payment rates of 64 per cent and 74 per cent respectively, while fines for data breaches are paid 85 per cent of the time.

The three largest unpaid fines are two of £350,000 and one of £400,00 from companies that are all no longer trading. This is a problem the ICO has faced in collecting fines, but a law change could pave the way for it securing all the money it’s owed.

“Some nuisance call directors liquidate their firms to avoid paying fines from the ICO,” an ICO spokesperson said in a statement. “In December 2018, the law changed to make directors themselves responsible for nuisance marketing. This should have a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails.”

The three unpaid fines, of course, do not include the big fines currently facing British Airways and Marriott Hotels. The pair have been charged with paying £183m and £99m respectively for failing to protect customer data, although both are currently appealing their fines and thus don’t yet officially owe the money to the ICO.

Unlike most, if not all, of the £7.05m owed to the ICO, the fines levelled at British Airways and Marriott were handed out under the General Data Protection Regulation (GDPR). As is now well-documented, the regulation enables the ICO – and other data regulators across the European Union – to fine organisations up to €20m or four per cent of their global turnover.

ICO ad tech report: Can digital marketing repent and be born again?
https://mobilemarketingmagazine.com/ico-ad-tech-report-can-digital-marketing-repent-and-be-born-again/
Fri, 12 Jul 2019 20:09:40 +0000

Teavaro's Nico Pizzolato discusses the ICO's recent claims that the ad tech industry is violating data protection laws and what can be done to help online advertising to continue to flourish in the face of increased scrutiny.

With a stringent doctrine of data regulation being approved or in the legislative pipeline across the globe in the past few years, companies have recognised that they need to review the way they collect, use and store data for marketing purposes. In the UK, the data regulator, the Information Commissioner’s Office (ICO), has recently shaken up the industry with two remarkable actions, and in doing so they have highlighted the sins of the industry against data privacy.

The first is the ICO’s adherence to the new penalty structure for data privacy breaches. The ICO intends to fine British Airways £183m – though British Airways intends to appeal – for the data breach that occurred last September, exposing 380,000 transactions, including card details and personal data, to the eyes of fraudsters and hackers. This dwarfs the £500,000 fine imposed on Facebook for the Cambridge Analytica scandal that happened before GDPR came into effect. For the first time, the GDPR’s promise of draconian penalties for mishandling data has been implemented in the UK. But the ICO is not waiting for this to sink in, issuing a notice of its intention to fine hotel group Marriott International £99.2m for a similar breach. With these actions, ICO has laid out a new zealotry for data privacy. Stringent enforcement is now a reality.

These punitive actions also lend a certain weight to the statements contained in the report that ICO issued a fortnight earlier. The Update Report into Ad tech and Real Time Bidding gives a disparaging view of the state of data privacy in online behavioural advertising, a wide ecosystem that includes a large slice of the UK economy, from advertisers to publishers, and everything in between. The report – a must read for any marketer who is building a data strategy for their company – highlights several aspects of RTB that have been under scrutiny since the onset of the GDPR due to a number of complaints across Europe. In a barely disguised way, the Commissioner is saying that ad tech is illegal at the moment, insofar as it relies on the Real-Time Bidding (RTB) protocol in its current form as a way to allocate publishers’ inventory. The report’s tone and conclusions are in line with ICO’s counterpart in France, the CNIL (Commission Nationale de l’Informatique et des Libertés), which is investigating complaints of GDPR infringements while urging adtech to self-regulate and reform. (Should encouragement not work, last January the CNIL levied a €50m fine on Google for collecting users’ consent in ways that contravened the GDPR.) And so, a new wind is sweeping across Europe.

But what are the risks RTB poses to marketers in terms of data privacy according to the regulators?

  1. There is a persistent confusion on the quality of consent required for dropping trackers like cookies. While companies could process some personal data on the basis of legitimate interest, consent for cookies should be actively and clearly given and the purpose of the cookies explained in simple terms. When setting up cookies, companies should be mindful of both the GDPR and the recently updated PECR (Privacy and Electronic Communication Regulation) and the way they combine together. Consent, not legitimate interest, may provide the appropriate basis for cookies other than the essential ones.
  2. The report claims that the content taxonomies used by the IAB’s and Google’s protocols for bidding contain data information that the GDPR identifies as sensitive, such as health, religion, ethnicity or political orientation. The IAB has made some progress on this, changing old categories such as ‘depression’ or ‘Catholicism’ into more comprehensive ones, such as, ‘mental health’ and ‘Christianity’, but are users informed clearly that such information will be shared or even captured? The regulator does not think that is the case.
  3. Most companies are at fault for not carrying out a privacy assessment. The GDPR mandates a data protection impact assessment (DPIA) when there exists a “large-scale processing of special categories of data”, but companies have often negligently plugged into the existing RTB protocols without assessing the impact on the customer data that they are controlling.
  4. Complexity is a major problem with RTB, in conflict with GDPR’s requirement to explain clearly and break down for the user the different services for which consent is collected (the basis of CNIL’s fine on Google, which was deemed to have failed in doing so). As it stands, in RTB, data is harvested for a number of purposes and fired off to dozens, even hundreds, of organisations in milliseconds. What users cannot understand, they cannot give consent to, according to the law.
  5. Perhaps more damning and less remediable for RTB, the regulator finds it naïve to design a system that relies simply on contractual obligations to protect personal data. Data leakage has been dogging programmatic advertising since the onset and there is really no secure knowledge of what data the hundreds of entities in the chain capture, retain or how they use it.

The report gives away the Commissioner’s incredulity at the cavalier way in which customer data has been handled. Its list of high risks is not accompanied by examples of good practices within RTB, and therefore, while the report points the finger at ‘some market participants’, it is really the entire industry that is under fire, echoing GDPR’s insistence on the responsibility of data controllers for data partners’ infractions. Finally, the report identifies the causes of such a mess in a “lack of maturity” over privacy issues, but also in the “commercial incentives to associate personal data with bid requests” – an unholy mix of greed and ignorance. Such proclamations could be seen as commandments from on high urging the digital marketing ecosystem to convert to the new order.

Behind the regulators’ cautious and iterative approach, stopping short of disrupting a whole industry, there is an awareness that while the problems are clear, the solution requires a major shift in entrenched practices. The IAB (Internet Advertising Bureau) in its response has reiterated its view that it merely provides an instrument that companies can use, but it is not responsible for their compliance with the law. As we discussed in a previous article, this view is amply contested. In any case, legal responsibilities aside, it does not provide a solution to the woes of the industry.

What the ICO report does not look into are the many companies and initiatives that prefigure a different, more transparent relationship between customers, their data, the data controller and the way companies can market themselves. A return to contextual advertising, with more sophisticated contextual audience metrics, has been touted as a way to become GDPR-safe, but this seems like a step backwards to go forward.

Instead, Teavaro has been passionate, even before regulation had made change inevitable, about the design of systems to harness data within the customer relationship. This is a matter of sound business, rather than only legal compliance. Recent research has vindicated this perspective by suggesting that the use of cookies has a negligible impact on publishers’ revenue, by extension casting doubts on the overall benefits for other stakeholders too. The architecture of such customised systems comprises building a unified customer view by stitching together first party identifiers that companies can collect with clear permission, transparency and fairness, providing easy to use controls to the users. With this as a base, data activation tools, such as Teavaro’s DataAction, can then harness such personal data with a protocol that ensures that it is shared only with parties that have the clearance to read it, from data controller partnership to individual user permissions. Such systems are designed to put the data controller in the driving seat, not the ad tech firms.

After the ICO’s prediction that fixing RTB won’t happen “without intervention”, the writing is on the wall for a cookie-based ecosystem. Such a revelation does not mean the end for digital marketing. Instead it can be born again by activating first-party identifiers, and online advertising can continue to flourish. The question remains, will marketers take this opportunity to repent or continue down this path? The knowledge that there are viable alternatives to the status quo makes these opportunities more tempting and will allow consumers to place new faith in how their data is being used.

EE hit with £100,000 fine for breach of messaging laws https://mobilemarketingmagazine.com/ee-hit-with-100000-fine-for-breach-of-messaging-laws/ Mon, 24 Jun 2019 21:44:41 +0000

Mobile network EE has been slapped with a £100,000 fine by the Information Commissioner’s Office (ICO) for sending text messages to customers without their consent.

More than 2.5m direct marketing messages were sent in early 2018, encouraging people to use the ‘My EE’ app to manage their account and also to upgrade their phone. Customers who didn’t engage with the first message were sent a follow-up.

EE told the ICO that it viewed the texts as service messages and not direct marketing messages, meaning they would not be in breach of electronic marketing laws. The ICO disagreed but has acknowledged that EE did not set out to deliberately breach the laws.

“These were marketing messages which promoted the company’s products and services. The direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products for services, it is no longer a service message and electronic marketing rules apply,” said Andy White, director of investigations at the ICO.

“EE Limited were aware of the law and should have known that they needed customers’ consent to send them in line with the direct marketing rules.”

Under the Privacy and Electronic Communications Regulations (PECR), marketing messages can only be sent to existing customers if they have provided consent and if they are given a simple way of opting out of future marketing. The maximum fine for a breach is £500,000.

ICO slams ad tech industry for failure to comply with data protection laws https://mobilemarketingmagazine.com/ico-slams-ad-tech-industry-for-failure-to-comply-with-data-protection-laws/ Sat, 22 Jun 2019 02:38:21 +0000

13 months on from the implementation of the General Data Protection Regulation (GDPR), the UK’s data protection authority, the Information Commissioner’s Office (ICO), has released a report to point out that the ad tech sector was still falling short when it comes to compliance.

In particular, the report addresses the use of personal data in real-time bidding (RTB) within programmatic advertising – an area which has received several complaints in the past year from privacy activists.

The process of RTB sees advertisers on an ad exchange, network, or supply side platform (SSP) receive an impression call when someone visits a website. As the site is loading for that user, ad spaces on the page are auctioned off by the publisher and the slots are filled by the advertisers that have bid to reach people that match criteria. As such, advertisers gain access to information about the user without their direct consent.

The report, which will be passed to the ad tech sector, takes issue with a single visit to a website potentially handing over a person’s personal data to ‘hundreds’ of organisations. The ICO will give the industry six months to get in line with its guidelines for GDPR – as well as the Privacy and Electronic Communications Regulations (PECR) – compliance before conducting another review.

“We are clear about the areas where we have initial concerns, and we expect to see change. But we understand this is an extremely complex market involving many organisations and many technologies,” writes information commissioner Elizabeth Denham in the report.

“With that in mind, we’ll continue engaging with the sector, further exploring the data protection implications of the real time bidding system. We’ll continue collaborating with Data Protection Authorities in other European countries too, who are also looking at complaints in this area.”

According to the ICO, the rules on the use of cookies laid out in the PECR take precedence over the GDPR rules. Under the PECR, organisations are required to provide ‘clear and comprehensive’ information about why any cookie or similar technology is being used and obtain prior consent which is up to the GDPR standard. The report highlights that most industry initiatives focus either solely or primarily on GDPR compliance rather than PECR.

It’s also now been made clear that the processing of any ‘special category data’ – which is any data relating to politics, religion, ethnic groups, mental and physical health, and other highly sensitive data – is entirely prohibited, unless there has been explicit consent. As such, the ICO points to both IAB Europe’s Transparency Consent Framework (TCF) and Google’s Authorised Buyers as being non-compliant because their ‘consent mechanisms’ are not ‘appropriate’ for the processing of special category data.  

When it comes to all other data, due to the PECR, legitimate interest cannot be used as a reason for its collection within RTB.

The ICO goes on to take issue with a lack of transparency in RTB, claiming it “often lacks clarity and does not give individuals an appropriate picture of what happens to their data”, and the data supply chain as a whole, highlighting the potential for data leakage due to the nature of data processing within RTB.

The report isn’t all doom and gloom for the ad tech industry. It makes it clear that the ICO is aware of ‘various ongoing initiatives’ that are looking to change the way the RTB ecosystem works, including changes to the criticised TCF.

However, going back to the doom and gloom, the ICO doesn’t feel any of these initiatives are yet ‘fully mature’, doesn’t feel they address its concerns, and doesn’t think the current market would adopt any of the measures voluntarily.

Looking ahead to the next six months, the ICO will conduct further analysis into the processing of special category data without explicit consent and the complexity of the data supply chain.

It will further explore the data protection implications of RTB, continue to engage with key stakeholders, and cooperate with data protection authorities across the European Union.

Depending on the state of the industry in six months’ time, the ICO will undertake a further industry review.

“In the meantime, we expect data controllers in the ad tech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem,” the report reads.

“Following these initial activities, we will continue to focus on both RTB and ad tech in general, and may issue a further update report in 2020.”

Commenting on the report, Rowly Bourne, CEO of Rezonence, said: “As can sometimes be the way with government work; it’s a touch of a case of stating the obvious that you need explicit consent with the latest ICO report. But nevertheless, it’s good to have clear guidelines for ad-tech.

“We shouldn’t expect much change quickly. It’s taken the ICO over a year to provide UK guidance on the GDPR, and they plan to spend the next 6 months consulting with the industry before advising again — which would still fall inside the two-year grace period so potentially another 12 months before we see anything concrete — but the findings are nevertheless the hard truths we needed to hear.

“It’s also encouraging that it addresses ad-tech and digital marketing specifically, with it being clear that much of the sector falls short of compliance, and may always do. Most of the general public have not heard of tech outside of GAFA, so are unlikely to give explicit consent to the 7040 AdTech vendors the Lumascape recognises.

“Interestingly, it has in fact been the big tech players — Apple’s Safari ITP 2 and Google Chrome following suit — who’ve begun to move the needle when it comes to privacy, and the same could be true with this report. These browser wars, along with the potential killing of cross app tracking could end much of the immature ad-tech behaviour that the ICO mentions.

“Only time will tell whether this leads to any action, or ends up as merely another ‘report’, with no action coming off the back of it. Nevertheless, I expect the industry to pause and think, potentially with some consolidation, and would not be surprised to see brands scurry to premium content and an increase in direct IOs in the short-term.”
