Simon McDougall of the Information Commissioner’s Office: ‘We’re digging and digging, [and] we’re still not happy’ © Anna Gordon/FT

It is now two months since the UK became the first country to attempt to rein in the $200bn online advertising industry, declaring that it is illegally sharing personal data to target ads.

The UK’s data regulator gave the industry, which is dominated by Google, until the end of this year to get its house in order, warning that it would then start to investigate and fine individual companies that remain in breach of the law.

But with only a few months left to go, “absolutely nothing has been solved or resolved at this point”, said Simon McDougall, who is leading the investigation at the regulator, the Information Commissioner’s Office.

In an interview with the Financial Times, Mr McDougall said the ICO had been “unsatisfied” by the answers offered by the adtech industry before it issued its warning in June. “We’re digging and digging, [and] we’re still not happy,” he said.

Without singling out any individual companies, he said the industry has so far given “vague, immature and short answers” when asked about how it safeguards personal information.

His team has now focused on two primary areas of concern. The first is how online advertisers use so-called “special category” data without permission, processing sensitive details about health, sexuality, religious belief and political views to target ads. The second is how the adtech industry indiscriminately transfers personal data through an ecosystem of thousands of companies.

Mr McDougall said any malpractice in the first area would be firmly against the General Data Protection Regulation brought in across Europe in May 2018. “This is not an arcane or small point over here. This is pretty fundamental stuff — if you are processing special-category data, then you need explicit consent,” he said.

Whenever a person visits a website, their computer often sends out personal data including location, device type, previous purchases, inferred race, gender, financial means and interests to “thousands” of adtech companies, according to the ICO.

Those companies take information and use it to bid for the adverts the person will see on screen when their webpage loads. The whole process takes milliseconds and “billions” of bid requests are made each week in the UK alone, the ICO said.

Companies often enhance the web data they receive, sending it to third-party companies that might be able to add offline data, gleaned from high street shops or banks, to build up a detailed profile of a person’s potential worth to advertisers. Often, special category identifiers can be inferred — and sold — from this intimate portrait of a person’s life.

“If I’m a young man who’s visited a site which is relating to gay life and I may have clicked on a few things along the way, am I really aware that as the site is loading up, a bid request with my device identifiers and some points around that site including [categories relating to] gay life . . . are potentially being pinged around to possibly hundreds of organisations? I think most people in the street would not be aware of that,” said Mr McDougall. “Why are these fields there? I’ve gotten some mixed messages.”

In the second area of concern, Mr McDougall said personal data are often being passed along a chain without any party checking if there has been any consent and without any oversight on the security of the data. Last year, the French data protector CNIL suspended a small French adtech company called Vectaury after it had illegally amassed profiles of 64m people.

“What we’re seeing is a blind reliance on contracts and no real attempt to assess whether the counterparty you’re using is likely to have controls in place around security, retention. That’s just not how the rest of the world works,” said Mr McDougall.

“One scenario that worries me is that some small intermediary in the adtech world has a bog-standard security breach and it turns out they had really poor controls and it was two kids in a garage . . . and yet they had millions and millions of profiles,” he added.

Mr McDougall said the ICO has yet to audit any individual companies, but has had “ongoing detailed discussions” with Google and the Internet Advertising Bureau, the trade body. “I am really happy with the level of response and engagement we’ve had so far, especially given we’ve done it over the summer. But there is a huge amount of work to do,” he said.

The ICO could ultimately investigate individual companies’ practices and slap fines of up to 4 per cent of global revenue, under GDPR. “If there’s casualties at the end of the six months, then those organisations are organisations that haven’t been paying attention,” said Mr McDougall.

Copyright The Financial Times Limited 2019. All rights reserved.