Home Data Privacy Roundup The UK’s ICO Is Helping Ad Tech Companies With Privacy Compliance

The UK’s ICO Is Helping Ad Tech Companies With Privacy Compliance

SHARE:
GDPR compliance

A new nonprofit organization in the UK wants to develop the first regulator-approved privacy-compliance certification for ad tech – and it’s got the UK’s data protection authority on board.

The group, which launched earlier this year, is called the Coalition for Privacy Compliance in Advertising or CPCA for short.

(Not to be confused with the CCPA, CPRA, CPPA, CPA or CTDPA. Privacy is getting worse for acronyms than ad tech, which is saying something. 😅)

The CPCA’s mission is to help dispel the gray cloud of regulatory uncertainty that’s long hung over GDPR and its UK variant, the aptly named “UK GDPR,” which came into effect in 2021 shortly after Brexit.

There’s a divide between regulators and “the reality of programmatic advertising,” said CPCA Founder Mattia Fosci.

To embrace compliance in both letter and spirit, ad tech companies need clarity and “a positive way forward,” said Fosci, who speaks from experience. He’s also the CEO and founder of an “ID-less” data platform called Anonymised that he likens conceptually to a “very little cousin” of the Chrome Privacy Sandbox.

The ICO’s blessing

What’s particularly interesting about the CPCA’s approach is that it’s collaborating with the UK’s Information Commissioner’s Office to create the certification using the ICO’s guidelines.

Under the ICO’s certification scheme, organizations create criteria for standards to support privacy-compliant product development, then devise an auditing methodology to assess the standards.

The ICO evaluates the criteria that underpin the standards, and if they pass muster, they get its official blessing. Companies that adhere to the standards have proof that they’re in compliance with the law.

The CPCA’s criteria won’t be ready for review until earlyish next year.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

In the meantime, the CPCA is staying in close contact with the ICO. The ICO even reviewed the press release that the CPCA put out a few weeks ago announcing its certification initiative – and it had some pointed feedback for the group.

An earlier version of the release included a reference to the CPCA helping businesses clarify “gray areas” in the law, a turn of phrase the ICO pushed back on.

“They told us, ‘Look, we’ve published two massive reports in 2019 and 2021 that went into detail about what we expect tech companies to do and not do,’” Fosci said. “‘There aren’t gray areas; there’s just an unwillingness to understand the consequences of our guidance and the law.’”

‘Making the regulation real’

But investing time and effort to craft compliance standards demonstrates that there is willingness in the ad tech industry to engage with regulators.

What’ll these standards actually look like, though?

It’s a little premature to say. But the ethos is already there, which is to make compliance practical.

“This is very much about making the regulation real for people,” Fosci said. “Uncertainty doesn’t suit anybody.”

Eventually, the CPCA plans to expand its standards into other jurisdictions beyond the UK, including the rest of the EU. Like the ICO in the UK, the European Data Protection Board also has the power to approve certification schemes for GDPR compliance.

Getting started

But first things first.

To develop the criteria for UK GDPR compliance certification, the CPCA is partnering with the Association of Online Publishers and the Incorporated Society of British Advertisers (ISBA, the “unknown delta” guys). And it’s got the UK’s Audit Bureau of Circulation lined up to do the audit.

Fosci emphasized the initiative is open for any industry body to join, including privacy advocacy groups and consumer rights groups – well, the “reasonable” ones, anyway.

“NGOs sometimes have hardcore uncompromising positions, because they’re essentially campaigning organizations – and that’s fine,” Fosci said. “But they’re not able to engage in conversations, and that’s what we want here; for industry groups to have a real relationship with the ICO.”

🙏 Thanks for reading! And If you’ve got any comments, feedback or ideas for future newsletters, please don’t hesitate to raise a paw and drop me a line at allison@adexchanger.com.

Must Read

DOJ v. Google: During Opening Arguments, The DOJ And Google Battle Over An AdX Divestiture

Court is back in session. And the fate of  the open internet is in the balance.

Chris Mufarrige, director, Bureau of Consumer Protection, FTC

FTC Consumer Protection Chief: No Easy Answers On Privacy, ‘Only Trade-Offs’

Privacy isn’t black-and-white, says the FTC’s Chris Mufarrige, promising evidence-driven consumer protection cases under the Trump administration.

How Encryption Keys Could Resolve The TID Furor

Rather than sharing universal TIDs that any DSP or curator can access, Raptive says publishers should instead share encrypted TIDs with an encryption key provided only to trusted demand-side partners.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Clear Channel Brings Mid-Flight Measurement To Its OOH Network

Clear Channel will provide advertisers weekly, mid-flight reports on outcomes driven by its inventory in order to bring OOH measurement closer to the speed of digital.

FTC Commissioner Mark Meador speaking at the NAD's annual conference in Washington, DC on Sept. 16, 2025. (Photo: Brian O'Doherty)

FTC Commissioner Mark Meador: ‘No Human Society Can Long Survive Without Consumer Trust’

Keeping American kids safe in what FTC Commissioner Mark Meador calls “an increasingly complex and fast-paced technological environment” is a top priority for the agency.

Comic: "Deal ID, please."

Amazon Expands Its Programmatic Integration With SiriusXM

On Tuesday, Amazon DSP announced an expanded integration with satellite radio company SiriusXM.