Ad technology companies that collect and use data about consumers appear to be violating Europe’s broad privacy rules, a new report by the UK’s Information Commissioner’s Office suggests.

“Overall, in the ICO’s view the adtech industry appears immature in its understanding of data protection requirements,” the report states.

The data protection officials add that they have “general, systemic concerns” over whether ad-tech companies engaged in real-time bidding are complying with European laws.

The ICO flags several concerns, including that ad-tech companies engaged in real-time bidding don’t obtain people’s consent before using their online browsing data for ad targeting.

The agency also says companies aren’t providing consumers with easily understandable information about data collection and use.

“Privacy information provided to individuals lacks clarity whilst also being overly complex,” the report states. “The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organizations for any one bid request, all without the individuals’ knowledge.”

The ICO says the General Data Protection Regulation, in combination with the Privacy and Electronic Communications Regulations, requires companies to obtain consumers’ consent before drawing on tracking data that is stored in cookies.

The report also found fault with the IAB Europe’s “Transparency & Consent” framework — which aims to serve as a standardized technology for notifying consumers about data collection, obtaining their consent, and informing online ad companies about that consent.

Among other criticisms, the ICO says the “Transparency & Consent” framework may not give consumers as much information as they need to make a decision about tracking.

“The vendor list that forms part of IAB Europe’s TCF has over 450 organizations, each with separate privacy policies to the online service the user is actually visiting,” the report states. “It is therefore unclear whether this vendor list is of practical use to individuals when they are presented with the TCF ‘mechanism.’”

The report also notes that IAB’s content taxonomy includes categories of data that are given heightened protections in Europe — including categories like “Heart and Cardiovascular Diseases,” “Mental Health,” “Sexual Health” and “Infectious Diseases.”

IAB Europe says the content taxonomy and real-time bidding protocol “allow for better placement of advertising alongside editorial, notably including avoidance of ads for content falling into sensitive categories.”

But the ICO says collecting information that connects individuals to that type of content can still be problematic.

“Regardless of how the advertisers intend to use this data, their collection alongside the identifiers and other personal data in a bid request indicates the processing of special categories of data either directly or by inference,” the report states.

IAB Europe also says the report contains some “misconceptions” regarding the features and functionality of the Transparency & Consent Framework.

“We look forward to working with the ICO over the coming weeks and months to continue to educate the ICO on the industry’s practices, identify and address its concerns, and drive the industry in a positive direction toward a standardised solution,” Townsend Feehan, CEO of IAB Europe stated Friday.