Data and Privacy: GDPR 18 months on


At A Million Ads we are constantly evolving and improving what we do. As part of that, we take our privacy and compliance obligations very seriously. As a tech company in the advertising space we have a responsibility to ensure that our technology and business processes are developed and constantly reviewed with privacy in mind.

Our industry is under the microscope of privacy regulators and it’s a complex industry, with lots of different participants, and lots of personal data involved. GDPR coming into force was just the start, but clearly industry practice is going to change at a fast pace in the near future. Here’s our take on the latest developments and plans for the future.

What’s the latest?

The ICO (the body governing data protection within the UK) recently published a report on the adtech industry and made some clear statements about consent of the data subject and processing of personal data. The ICO recognised the benefit of the industry as a whole to both technological innovation and the economy, and wants to work with adtech businesses on an ongoing basis in order to raise the bar in privacy compliance.

IAB has since published an updated version of its Transparency and Consent Framework to standardise how businesses within the adtech space operate. There has yet to be any comment on this version from the ICO, but Google has committed to signing up, which could instigate a rush to join the TCF in the new year.

What does this mean for the industry?

The path forward is not set in stone and we anticipate further material and guidance coming from the ICO, including potential comment on the TCF 2.0. There should be further clarity should Google follow through on its commitment to join the TCF 2.0 and the immediate effect this has on the industry.

What is relatively certain is that an industry-wide move towards implementing mechanisms for gaining clear, affirmative consent from users before their personal data enters the adtech stack appears likely. For a long time, businesses sitting within the adtech stack have predominantly been relying on “legitimate interest” to process personal data, and now the ICO has suggested a move towards active consent could be more appropriate.

Isn’t that practically impossible?

It is impractical for the many businesses within the adtech stack to obtain direct consent from the consumer receiving advertising. However, the ICO has acknowledged this, and emphasised that the shift needs to be industry-wide, rather than dependent upon on any one entity acting within it.

Nonetheless, regulators and data subjects require more transparency over how their data is being used. The ICO has been critical of businesses relying on legitimate interests as a “get out clause”, without carrying out the appropriate balancing test where data subjects’ rights and freedoms are considered.

What is A Million Ads doing?

At A Million Ads we are keeping tabs on all developments within the industry, and are regularly reviewing our own practices with our legal team.

We engage with participants at all levels of the advertising stack to ensure that we are at the forefront of privacy compliance, and provide complete transparency to our data subjects.

We have reviewed and improved our privacy policy to provide greater and clearer information to data subjects and we have also documented our legitimate interest assessment and considered how to avoid or mitigate any risks to the rights and freedoms of data subjects. Our updated privacy policy is available here.

We will continue to monitor regulatory developments as they arise and work with our partners and legal team to ensure we stay ahead of the curve. We think this is an exciting time for the industry, and we can only benefit from engaging and evolving with it.

Photo by Matthieu A on Unsplash