The Coalition for Privacy Compliance in Advertising (CPCA), a new industry body launched this year, has announced it is working with the UK’s data regulator the Information Commissioner’s Office (ICO) to develop a new privacy certification in the UK for ad tech companies. The CPCA says this new certification, which it describes as a world-first, will give ad tech businesses much-needed clarity around whether their business practices are compliant with the UK’s General Data Protection Regulation (GDPR) rules, while also giving publishers and advertisers confidence in their ad tech partners.
The CPCA will work directly with the ICO, the regulator responsible for enforcing data laws in the UK including the GDPR, to develop the certification. Industry bodies including ISBA, and the AOP will also have input, as they’re set to have representatives join the CPCA’s board in the coming months. The certification will initially be audited by the Audit Bureau of Circulation (ABC UK).
Once criteria for the certification have been finalised, they’ll be publicised by the CPCA, which aims to complete work in early 2025 and is eyeing up a full launch next year. The long term aim is to create similar schemes across Europe, where GDPR compliance requirements may differ based on regulators’ interpretations in individual markets.
Levelling the playing field
The CPCA was founded by Mattia Fosci, the privacy lawyer who also founded ID-free targeting business Anonymised. Fosci says the new certification aims to create a level playing field for all market participants, from start-ups to big tech platforms.
When the GDPR came into force back in 2018, we saw a range of interpretations in how it applies to media and advertising, both from companies working in the space and the regulators across Europe responsible for enforcing it. But this created an uneven playing field, since companies which took a particularly strict interpretation of GDPR were more restrictive in their business practices, and purposefully avoided doing things which some of their competitors – whose interpretations have been more lax – kept on doing.
“There is still confusion around privacy requirements in digital advertising,” said Fosci. “Some tech platforms have been accused of using privacy as a justification for anti-competitive measures, while independent ad tech providers sometimes sell products and practices with questionable legal compliance.”
Even now, over six years later, issues remain unresolved. Just last week, Europe’s top court ruled that some of Meta’s use of data for targeted advertising isn’t compliant with GDPR – the implication being that Meta has been less restricted in its data usage than some of its competitors over the last six years.
At the same time, the confusion over what GDPR compliance really looks like for ad tech has been a stumbling block for some businesses. Partners may be reluctant to work with particular ad tech businesses not because they don’t comply with GDPR, but because they can’t be 100 percent sure they do comply with GDPR.
Fosci and others working on the certification hope it will help solve these problems. “We hope the certification becomes a game-changer for publishers in the digital advertising landscape,” said Richard Reeves, managing director of the AOP. “If approved by the ICO, it should bring much needed clarity to the UK GDPR application in our industry, fostering a more transparent and fair marketplace. This initiative looks to enable publishers to innovate with confidence, knowing they are operating within a clear regulatory framework that protects both consumer privacy and business interests.”
Stephen Chester, director of media at ISBA, said that “by establishing clear privacy standards and a level-playing field for all market participants, the certification should enhance advertiser confidence in the digital space and enable our members to achieve their marketing goals, while ensuring robust privacy protections for consumers.”