A new nonprofit organization in the UK wants to develop the first regulator-approved privacy-compliance certification for ad tech – and it’s got the UK’s data protection authority on board.
The group, which launched earlier this year, is called the Coalition for Privacy Compliance in Advertising or CPCA for short.
(Not to be confused with the CCPA, CPRA, CPPA, CPA or CTDPA. Privacy is getting worse for acronyms than ad tech, which is saying something. 😅)
The CPCA’s mission is to help dispel the gray cloud of regulatory uncertainty that’s long hung over GDPR and its UK variant, the aptly named “UK GDPR,” which came into effect in 2021 shortly after Brexit.
There’s a divide between regulators and “the reality of programmatic advertising,” said CPCA Founder Mattia Fosci.
To embrace compliance in both letter and spirit, ad tech companies need clarity and “a positive way forward,” said Fosci, who speaks from experience. He’s also the CEO and founder of an “ID-less” data platform called Anonymised that he likens conceptually to a “very little cousin” of the Chrome Privacy Sandbox.
The ICO’s blessing
What’s particularly interesting about the CPCA’s approach is that it’s collaborating with the UK’s Information Commissioner’s Office to create the certification using the ICO’s guidelines.
Under the ICO’s certification scheme, organizations create criteria for standards to support privacy-compliant product development, then devise an auditing methodology to assess the standards.
The ICO evaluates the criteria that underpin the standards, and if they pass muster, they get its official blessing. Companies that adhere to the standards have proof that they’re in compliance with the law.
The CPCA’s criteria won’t be ready for review until earlyish next year.
In the meantime, the CPCA is staying in close contact with the ICO. The ICO even reviewed the press release that the CPCA put out a few weeks ago announcing its certification initiative – and it had some pointed feedback for the group.
An earlier version of the release included a reference to the CPCA helping businesses clarify “gray areas” in the law, a turn of phrase the ICO pushed back on.
“They told us, ‘Look, we’ve published two massive reports in 2019 and 2021 that went into detail about what we expect tech companies to do and not do,’” Fosci said. “‘There aren’t gray areas; there’s just an unwillingness to understand the consequences of our guidance and the law.’”
‘Making the regulation real’
But investing time and effort to craft compliance standards demonstrates that there is willingness in the ad tech industry to engage with regulators.
What’ll these standards actually look like, though?
It’s a little premature to say. But the ethos is already there, which is to make compliance practical.
“This is very much about making the regulation real for people,” Fosci said. “Uncertainty doesn’t suit anybody.”
Eventually, the CPCA plans to expand its standards into other jurisdictions beyond the UK, including the rest of the EU. Like the ICO in the UK, the European Data Protection Board also has the power to approve certification schemes for GDPR compliance.
Getting started
But first things first.
To develop the criteria for UK GDPR compliance certification, the CPCA is partnering with the Association of Online Publishers and the Incorporated Society of British Advertisers (ISBA, the “unknown delta” guys). And it’s got the UK’s Audit Bureau of Circulation lined up to do the audit.
Fosci emphasized the initiative is open for any industry body to join, including privacy advocacy groups and consumer rights groups – well, the “reasonable” ones, anyway.
“NGOs sometimes have hardcore uncompromising positions, because they’re essentially campaigning organizations – and that’s fine,” Fosci said. “But they’re not able to engage in conversations, and that’s what we want here; for industry groups to have a real relationship with the ICO.”
🙏 Thanks for reading! And If you’ve got any comments, feedback or ideas for future newsletters, please don’t hesitate to raise a paw and drop me a line at [email protected].