RTB evidence
Selected evidence submitted to data protection authorities to demonstrate RTB’s GDPR problems
In September 2018, Brave initiated a campaign of formal GDPR complaints against Google and the IAB’s “real-time bidding system” (RTB), which leaks the personal data of Internet users hundreds of billions of times a day. This is a sample of the evidence submitted to European data protection authorities so far.
The campaign for GDPR action to fix the Google and IAB real-time bidding system now includes Brave, the Open Rights Group, Dr Michael Veale of the Turing Institute, the Panoptykon Foundation, Bits of Freedom, Eticas Foundation, Exigo, Dr Jef Ausloos of the University of Amsterdam, Pierre Dewitte of the University of Leuven, Liberties.eu, the Society for Civil Rights, Digitale courage, Digitale Gesellschaft, Netzwerk Datenschutzexpertise, Deutsche Vereinigung für Datenschutz, the Italian Coalition for Civil Rights and Freedoms, the Bulgarian Helsinki Committee, the Association for the Defense of Human Rights in Romania, the Italian Coalition for Civil Rights and Freedoms, the Estonian Human Rights Centre, the Peace Institute.
Click here to view updates on the RTB complaints.
Initial complaint submissions
-
Grounds of complaint to the Irish Data Protection Commission
-
Grounds of complaint to the UK Information Commissioner
Evidence
What is “real time bidding”?
- Ryan Report on personal data in Real Time Bidding
Behavioural-advertising-and-personal-data.pdf
This report was submitted with the initial complaints.
What data are leaked in RTB broadcasts?
-
Example RTB bid requests
These examples are taken from the IAB and Google’s own documentation
-
Brave’s feedback to the IAB on the draft OpenRTB 3.0 specification, including excerpts from OpenRTB 3.0 AdCOM v1 bid request specification
-
Sexuality, politics, ethnicity, etc. (“special category personal data”) in RTB bid request content and interest categories
-
IAB “taxonomies” (marked up)
-
Google “publisher verticals”
-
Failure of data protection in IAB OpenRTB system
-
IAB TechLab document “pubvendors.json v1.0” revealing “no technical measures” to control data once broadcast
Note “Liability” section on page 5
-
Townsend Feehan E-mail to senior European Commission officials on 26 June 2017, and attached lobbying paper
Townsend-Feehan-email-26-june-2017.pdf
Note “Prior information requirement will“break” programmatic trading” on page 3 of IAB lobbying paper.
-
Count of hundreds billions of bid request broadcasts, every day
Scale-billions-of-bid-requests-per-day.pdf
This note itemises the number of bid requests handled every day by each of the eight major RTB ad exchanges. The figures range from tens to hundreds of billion bid requests per day for each ad exchange.
Failure of data protection in Google Authorized Buyers RTB system
-
Google’s GDPR workaround Push Page mechanism
-
Sample push page
-
Explanatory note on Google’s GDPR workaround “Push Page” mechanism
-
Sequence diagram of Google’s GDPR workaround “Push Page” mechanism
-
-
Google “certified external vendors and ad technology providers”
Google-certified-external-vendors-and-ad-technology-providers.xlsx
This document contains two lists of companies that Google sends bid request data to, including a list of 2,033 “certified” companies, and 833 “ad technology providers.
-
Count of hundreds billions of bid request broadcasts, every day
Scale-billions-of-bid-requests-per-day.pdf
This note itemises the number of bid requests handled every day by each of the eight major RTB ad exchanges. The figures range from tens to hundreds of billion bid requests per day for each ad exchange.
Related
Data protection flaws in the IAB’s GDPR guidance.
-
3 April 2019 complaint to Data Protection Commission of Ireland regarding IAB Europe cookie wall and consent guidance
-
IAB cookie wall screen shots
screenshot-iabeurope-cookie-wall.png
-
IAB Europe guidance to industry on GDPR consent
-
Ryan to IAB 20 September 2017 (Correspondence rebutting IAB guidance on GDPR and ePrivacy Directive regarding forced consent)
