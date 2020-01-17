The UK’s data protection regulator is braced to do battle with the country’s £13bn online advertising industry, saying it will start investigating individual companies that are in breach of European data protection law and enforcing it against them.

In June, the ICO said it had found a widespread disregard for the requirements of the EU’s General Data Protection Regulation (GDPR), and gave the industry — which involves the dissemination of personal data to hundreds of third-party advertisers, often without users’ consent — until the end of 2019 to get its house in order.

However on Friday, the regulator concluded that, at the end of the six-month grace period, the deep-rooted malpractice remained. It said it had seen examples of “basic data protection controls around security, data retention and data sharing being insufficient”.

“While many organisations are on board with the changes that need making, some appear to have their heads firmly in the sand. It is now clear to us that engagement alone will not address all these issues,” said Simon McDougall, executive director of technology and innovation at the Information Commissioner’s Office. “[W]e anticipate it may be necessary to take formal regulatory action.”

“Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers,” he added.

According to the ICO, whenever a person visits a website, their computer can send out personal data including their location, device type, hobbies, previous purchases, gender, inferred race, and financial means to “thousands” of adtech companies.

Those companies take the information and use it to select and bid for the adverts the person will see on screen when the webpage loads. The whole process takes milliseconds and “billions” of bid requests are made each week in the UK alone, the ICO said.

Specifically, the ICO said it was concerned that companies in the ecosystem continued to trade in “special category” data — information such as race, sexuality, health status and political views, which under GDPR requires the explicit consent of the subject before it can be shared.

It also said companies were illegally collecting and processing personal data, claiming they were doing so in the “legitimate interest” of consumers. “None of these justifications really pass muster . . . we are not convinced,” Mr McDougall said. “We want to communicate to the market that we are escalating, and preparing for action.”

The announcement comes as the adtech industry faces regulatory crackdowns around the world, including across Europe and the US. The market’s biggest player, Google, is being investigated by the Irish data protection authority, which is looking into whether the company illegally taps into sensitive personal information about internet users.