It has been over two years since the UK’s data protection watchdog warned the behavioral advertising industry that it is ‘totally out of control.’ The UK’s Information Commissioner's Office (ICO) reportedly has not taken any action to stop the systematic unlawfulness of the tracking and targeting industry abusing Internet users’ personal data to try to manipulate their attention; that is, not in terms of enforcing the law against offenders and stopping what digital rights campaigners have described as the biggest data breach in history. In fact, the ICO is being sued over its inaction against real-time bidding’s misuse of personal data by complainants who filed a petition on the issue all the way back in September 2018.
Recently the UK’s outgoing information commissioner published an opinion, in which she warns the industry that its old unlawful tricks simply won’t do in the future. New methods of advertising must be compliant with a set of what she describes as “clear data protection standards” to safeguard people’s privacy online, she writes.
Among the data protection and privacy “expectations” the commissioner suggests she wants to see from the next wave of online AD technologies are:
- engineer data protection requirements by default into the design of the initiative;
- offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data;
- be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing;
- articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful and transparent;
- address existing privacy risks and mitigate any new privacy risks that their proposal introduces.
The goal of her opinion is to provide “further regulatory clarity” as new AD technologies are developed, further specifying that she welcomes efforts that propose to:
- move away from the current methods of online tracking and profiling practices;
- improve transparency for individuals and organizations;
- reduce existing frictions in the online experience;
- provide individuals with meaningful control and choice over the processing of device information and personal data;
- ensure valid consent is obtained where required;
- ensure there is demonstrable accountability across the supply chain.
Many think the timing of her opinion is interesting, given an impending decision by Belgium’s data protection agency on a flagship AD industry consent-gathering tool. Earlier in November, IAB Europe warned that it expects to be found in breach of the EU’s General Data Protection Regulation (GDPR), and that its so-called ‘transparency and consent’ framework (TCF) has not managed to achieve either of the things it has claimed. But this is also just the latest ‘reform’ missive from the ICO to rule-breaking ADtech. And the commissioner is merely restating requirements that are derived from standards that already exist in UK law.
The European Commission recently released new rules on targeted political advertising, restricting how Internet users' personal information can be used. Political organizations using targeting and amplification techniques would need to explain them clearly and in detail, and would be banned from using sensitive personal data without the explicit consent of the individual. Meanwhile, political ADs would have to be clearly labelled as such, and include information such as who paid for them and how much.[1] "Elections must not be a competition of opaque and non-transparent methods. People must know why they are seeing an ad, who paid for it, how much, what micro-targeting criteria were used," says the vice-president for Values and Transparency. "New technologies should be tools for emancipation, not for manipulation. This ambitious proposal will bring unprecedented level of transparency to political campaigning and limit the opaque targeting techniques."
The rules will apply not just to directly political ADs, but also to so-called issue-based ADs that could influence the outcome of an election or referendum, a legislative or regulatory process or voting behavior. Paid political advertising must be clearly labelled and provide the name of the sponsor, prominently displayed, and an easy-to-find transparency notice with the amount spent on the AD, the sources of the funds used and a link between the advertisement and the relevant election or referendum.[2]
Meanwhile, micro-targeting based on sensitive personal data, such as ethnic origin, religious beliefs, or sexual orientation, will be banned unless the user gives explicit consent. And, for the first time, it will be mandatory for ADs to include a description of the basis on which the person is targeted, which groups of individuals were targeted, the criteria used and the amplification tools or methods deployed.
Organizations carrying out political targeting and amplification will need to create and make public an internal policy on the use of such techniques. The center-right EPP Group, the largest and oldest group in the European Parliament, says it welcomes the new rules. "Russia, China and other authoritarian regimes spent more than $300 million in 33 countries in order to interfere in democratic processes. This trend is growing more dangerous. Half of these cases concern Russia's hostile actions in Europe," the EPP says. "These cases include the Brexit referendum in the UK, presidential elections in France and in the USA, practical support for far-right and other radical actors across Europe, including in France, Austria, Germany and Italy. Europe cannot and must not allow this any longer."
The proposals now need to be passed by the European Parliament and ratified by individual member states, but are expected to come into force before the 2024 EU elections.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our analysts have long collected and analyzed social media manipulations of information on both the surface and deep/dark web. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.macmillandictionary.com/us/dictionary/american/does-exactly-what-it-says-on-the-tin
[2] https://www.forbes.com/sites/emmawoollacott/2021/11/25/european-commission-clamps-down-hard-on-political-ads/