The six-point plan emanate from the ICO previously giving the digital advertising industry the last half of 2019 to answer questions surrounding the transparency of how its systems work and whether the industry is compliant with GDPR. The basic concern was a lack of transparency over how data is shared and a fear that in particular, special category data is being used to categorise web users without their consent.
Anyone who knows GDPR will recognise that if this is happening, it's a clear breach of the law. It requires that specific consent is given for data surrounding a person's health, sexuality, religion and political views to be processed.
The six-point plan from the IAB UK is now out and is designed to reassure the ICO how it intends to tackle the issues raised.
An additional note from IAB UK pointed out that to have categories built around content does not break special category rules because advertising is targeted at the nature of the page, not the person visiting.
So an ad for a gay bar on "Pink News," for example, would not be breaking the law because it would be placed there because of the content, not the viewer.
A note from me would add that this all look like a lot of education on what the public may have already thought the digital advertising industry would have nailed down -- such as teaching advertisers about the need for consent on cookies rather than legitimate interest.
In fact, there is an awful lot of addressing legitimate interests as a legal basis for processing personal information in the points below.
Observers may well remember talk of bringing consent into the heart of digital advertising.
Using legitimate interests just feels a little lazy, doesn't it? Most people can get legitimate interests is fine as a legal basis when you're communicating with a company and they feel they have an offer to email over. But an ad popping up while you're reading the news? It's hard to see that legal basis holding much water.
I'll leave you with that thought and the six-point plan in full below. As I say, for me, I'm surprised at how much educating is needed, more than a year and a half after GDPR became law as well as the implied assumption, from the below, that advertisers are relying on legitimate interests.
The proof in the proverbial pudding will come when the ICO responds. That's the opinion that really matters.
The IAB UK's six-point plan comprises:
Data security: IAB UK will develop good practice guidance covering security, data minimisation and data retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework (TCF) policies could be enhanced to support such good practice.
Special category data: A range of actions to be taken, including developing UK-focused guidance on the Content Taxonomy, education for the industry on special category data restrictions and requirements (developed with other relevant trade bodies, particularly on the buy-side), and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests.
Reliance on legitimate interests for cookies: IAB UK is committed to educating its members on the consent requirements of UK ePrivacy regulations, with reference to the ICO’s current cookie guidance, and promoting the use of the TCF, where appropriate, for obtaining this consent in a compliant way.
Legitimate interests assessments (LIAs): IAB UK will educate its members on LIA requirements, taking into account the outcomes of a joint (ICO/IAB Europe/IAB UK) review of anonymised example LIAs, and work with IAB Europe to develop resources to support companies to meet these requirements in practice.
Data Protection Impact Assessment (DPIAs): IAB UK will educate members on DPIA requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry, and work with other relevant trade bodies as they develop their own DPIA approaches and guidance.
Transparency and fairness of information provided to consumers: IAB UK will engage with IAB Europe on the outcomes of ongoing discussions about potential changes to TCF policies with respect to Consent Management Provider user interfaces, and then decide on any further action.