Home Data Privacy Roundup The UK’s ICO Is Helping Ad Tech Companies With Privacy Compliance

The UK’s ICO Is Helping Ad Tech Companies With Privacy Compliance

SHARE:
GDPR compliance

A new nonprofit organization in the UK wants to develop the first regulator-approved privacy-compliance certification for ad tech – and it’s got the UK’s data protection authority on board.

The group, which launched earlier this year, is called the Coalition for Privacy Compliance in Advertising or CPCA for short.

(Not to be confused with the CCPA, CPRA, CPPA, CPA or CTDPA. Privacy is getting worse for acronyms than ad tech, which is saying something. 😅)

The CPCA’s mission is to help dispel the gray cloud of regulatory uncertainty that’s long hung over GDPR and its UK variant, the aptly named “UK GDPR,” which came into effect in 2021 shortly after Brexit.

There’s a divide between regulators and “the reality of programmatic advertising,” said CPCA Founder Mattia Fosci.

To embrace compliance in both letter and spirit, ad tech companies need clarity and “a positive way forward,” said Fosci, who speaks from experience. He’s also the CEO and founder of an “ID-less” data platform called Anonymised that he likens conceptually to a “very little cousin” of the Chrome Privacy Sandbox.

The ICO’s blessing

What’s particularly interesting about the CPCA’s approach is that it’s collaborating with the UK’s Information Commissioner’s Office to create the certification using the ICO’s guidelines.

Under the ICO’s certification scheme, organizations create criteria for standards to support privacy-compliant product development, then devise an auditing methodology to assess the standards.

The ICO evaluates the criteria that underpin the standards, and if they pass muster, they get its official blessing. Companies that adhere to the standards have proof that they’re in compliance with the law.

The CPCA’s criteria won’t be ready for review until earlyish next year.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

In the meantime, the CPCA is staying in close contact with the ICO. The ICO even reviewed the press release that the CPCA put out a few weeks ago announcing its certification initiative – and it had some pointed feedback for the group.

An earlier version of the release included a reference to the CPCA helping businesses clarify “gray areas” in the law, a turn of phrase the ICO pushed back on.

“They told us, ‘Look, we’ve published two massive reports in 2019 and 2021 that went into detail about what we expect tech companies to do and not do,’” Fosci said. “‘There aren’t gray areas; there’s just an unwillingness to understand the consequences of our guidance and the law.’”

‘Making the regulation real’

But investing time and effort to craft compliance standards demonstrates that there is willingness in the ad tech industry to engage with regulators.

What’ll these standards actually look like, though?

It’s a little premature to say. But the ethos is already there, which is to make compliance practical.

“This is very much about making the regulation real for people,” Fosci said. “Uncertainty doesn’t suit anybody.”

Eventually, the CPCA plans to expand its standards into other jurisdictions beyond the UK, including the rest of the EU. Like the ICO in the UK, the European Data Protection Board also has the power to approve certification schemes for GDPR compliance.

Getting started

But first things first.

To develop the criteria for UK GDPR compliance certification, the CPCA is partnering with the Association of Online Publishers and the Incorporated Society of British Advertisers (ISBA, the “unknown delta” guys). And it’s got the UK’s Audit Bureau of Circulation lined up to do the audit.

Fosci emphasized the initiative is open for any industry body to join, including privacy advocacy groups and consumer rights groups – well, the “reasonable” ones, anyway.

“NGOs sometimes have hardcore uncompromising positions, because they’re essentially campaigning organizations – and that’s fine,” Fosci said. “But they’re not able to engage in conversations, and that’s what we want here; for industry groups to have a real relationship with the ICO.”

🙏 Thanks for reading! And If you’ve got any comments, feedback or ideas for future newsletters, please don’t hesitate to raise a paw and drop me a line at allison@adexchanger.com.

Must Read

Peppa Pig

The Media And Retail Deals Behind The Peppa Pig Franchise Expansion

Peppa Pig is everywhere. Whether or not you have children, you likely know the little girl pig from the kid’s cartoon show. But the Peppa media franchise is just getting started.

How A For-Profit College Is Using CTV Ads To Win Over New Students

The American College of Education partnered with performance TV company MNTN to better reach its audience of adults seeking higher education.

Critics Say The Trade Desk Is Forcing Kokai Adoption, But Apparently It’s Up To Agencies

Is TTD forcing agencies to adopt the new Kokai interface despite claims they can still use the interface of their choice? Here’s what we were able to find out.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Why Big Brand Price Increases Will Flatten Ad Budgets

Product prices and marketing budgets are flip sides of the same coin. But the phase-in effects of tariffs, combined with vicissitudes of global weather and commodity production, challenge that truism.

The IAB Tech Lab Isn’t Pulling Any Punches In The Fight Against AI Scraping

IAB Tech Lab CEO Anthony Katsur didn’t mince his words when declaring unauthorized generative AI scraping of publisher content “theft, full stop.”

Comic: Gamechanger (Google lost the DOJ's search antitrust case)

Here’s Who’s Testifying During The Remedy Phase Of Google’s Ad Tech Antitrust Trial

Last week, the DOJ and Google filed their respective witness lists and the exhibit lists for the remedy phase of the ad tech antitrust trial. Lots of familiar faces!