Little progress being made on privacy and data protection

Clive Rich discusses the laws surrounding digital advertising, and examines the latest offering from the ICO.

Of all the issues currently challenging the day-to-day work of the Information Commissioner’s Office (ICO), the explosion of ‘online digital advertising’ may well be the toughest. Since its formation 38 years ago, the ICO has been charged with policing the legal flow of information within the UK.

‘Data protection’ and ‘privacy’ have been at the forefront of its daily duties, with the European Union’s General Data Protection Regulation (GDPR) taking a central role since being introduced in 2016.

In short, the whole point of the ICO’s existence is to ‘uphold information rights in the public interest, while promoting openness by public bodies and data privacy for individuals.’

Towards the end of 2021, the ICO published a 48-page document titled: ‘Data protection and privacy expectations for online advertising proposals.’ This detailed publication investigates privacy standards and includes topics such as ‘new methods of online advertising’.

In it, the outgoing Information Commissioner Elizabeth Denham acknowledged that digital advertising is a complex ecosystem that grew quickly with the e-commerce boom, but without people’s privacy in mind.

After more than five years in the job, Denham left office shortly after the publication of this document in which she discussed the importance of promoting compliance in accordance with data protection laws, while preventing the unnecessary and excessive collection and use of personal data.

Privacy standards and recommendations

Within this new document, the Commissioner highlighted the need to eliminate intrusive online tracking and profiling practices, and give people meaningful choice over the use of their personal data. When developing new digital advertising technologies, companies should offer data subjects a choice with regard to receiving advertising without tracking, profiling or targeting.

Companies must be able to demonstrate that valid consent has been obtained when using personal information for online advertising. They also need to be open and transparent about how this personal data will be used, and the purposes for which they are using it.

And if data subjects are willing to share their personal information, there should be meaningful accountability by all companies within the supply chain. It is important to ensure people are in control of their personal data and that they are able to exercise data protection rights. 

Therefore, it is important that companies follow these key steps:

  • Protect users to ensure they have control. This includes cookie controls and providing valid consent;
  • Demonstrate necessity and proportionality;
  • Explain design choices;
  • Be fair and transparent (provide up-to-date policy information on cookies and privacy);
  • Only collect the minimal amount of personal data; 
  • Consider and mitigate risks of processing sensitive personal data.


Two years ago, the Commissioner published its initial report on this topic. However, there appears to be a lack of progress, with these proposals merely ‘relabelling’ what had been suggested earlier. The outgoing Commissioner has expressed frustration regarding this.

Nonetheless, companies must make sure they have up-to-date policies, as well as detailed information about cookies, along with the necessary procedures in place for them to be GDPR compliant.  

Clive Rich