New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.


New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.

  • Further new evidence drawn from sample bid requests in Google and IAB’s own documentation reveals the personal data in bid requests. 
  • Campaign website launched at 

Privacy watchdogs in the UK and in Ireland today received evidence of the data crisis at the heart of the online advertising industry.

The new evidence, taken from Google and IAB (an industry rule setting body) documents, shows that the online ad auction system broadcasts highly sensitive data about web users. This occurs hundreds of billions of times a day. There are no technical controls to prevent thousands of receiving companies who receive these data from monitoring what every person on the web reads, watches, and listens to online.

The IAB “transparency and consent framework” has become the de facto GDPR consent system for major websites. But the new evidence also reveals that the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, before it even launched the system.

The evidence also shows that the IAB had concerns that its ad auction rules, which govern the €12 Billion “real-time bidding” online ad auction industry in Europe, were incompatible with the GDPR.

The evidence has been submitted by Jim Killock, Executive Director of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave, a private web browser. All three are represented by Ravi Naik of ITN Solicitors. This is part of a major complaint about the online ad auctions system that is ongoing in the UK, Poland, and Ireland. See previous evidence and all filings to date at /update-rtb-ad-auction-gdpr/

The solution to all of this is simple. The IAB RTB system allows 595 different kinds of data to be included in a bid request. 4% of these should be disallowed, or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data (including location and interests) of every single person on the Web.

“We want to reform adtech, not kill it”, said Dr Johnny Ryan of Brave. “This new evidence exposes the massive data breach at the heart of the online advertising system. The IAB and Google have it in their power to fix this”.

Jim Killock of Open Rights Group said: “The ad industry needs to obey the law. Leaving advertisers including Google to breach data protection in this way makes a mockery of privacy law. But fixing the ad industry means gaining trust and consumer confidence, which will ultimately benefit everyone.”

“Big adtech has spread the myth that the current way the system operates is the only way it ever could. This is simply untrue”, said Michael Veale of University College London. “A better, more secure and less invasive system is within reach, and regulators must be at the forefront of realising it. Online infrastructure must be designed with privacy and data protection deeply at its core.”

Ravi Naik, Partner at ITN Solicitors, said “The evidence is overwhelming. The IAB’s own documents contain admissions of concerns of the infringements of the GDPR. Those concerns that the IAB had are part of those as are detailed within our clients’ complaints and evidence. That evidence shows that the infringements can occur billions of times a day. The scale is widespread and the infringements systematic. Reform is needed and we trust that the regulators will act accordingly.”


PART 1: the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, and would have no other legal basis.

1a Townsend Feehan email 26 June 2017.pdf“, an e-mail from Townsend Feehan, CEO of IAB Europe, to senior personnel at the European Commission Directorate General for Communications Networks, Content and Technology.

Her e-mail refers to a paper attached here as “1b IAB 2017 paper.pdf“, which was an attachment to her e-mail. These documents were obtained through a freedom of information request to the European Commission. On page 3 of this document, the IAB acknowledges that “it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario”. This is an incredible admission, and acknowledges the precise issue at the core of the complaint currently before European regulators.

Moreover, in the same section, the IAB acknowledges that “this would seem, at least prima facie, to be incompatible with consent under GDPR”. Despite the facts concerned by these admissions not changing, the IAB proceeded to launch a mechanism that purported to satisfy the GDPR’s consent requirement. Indeed, it was Ms. Feehan again who announced this “Consent and Transparency Framework” on 25 April 2018.

Then, in May 2018 – a month after the IAB consent mechanism is launched – the IAB again acknowledged that that “there is no technical way to limit the way data is used after the data is received by a vendor for … bidding” in “2 Publishers.json v1.0.pdf” (see highlighted text on page 5).

It also acknowledged that the bid request assumes “indiscriminate rights for vendors, … surfacing thousands of vendors  with broad rights to use data without tailoring those rights may be too many vendors/permissions”.

In other words, before and after the launch of its consent mechanism, the IAB had acknowledged there was no way to control who receives what data, or what they do with those data once received.

PART 2: sensitive data about people are broadcast in the online ad auction system, hundreds of billions of times a day. This makes it possible for shadowy companies to know what every person on the web reads, watches, and listens to online.

3 bid request examples.pdf” reproduces a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The fourteen sample bid requests further prove that very personal data are contained in bid requests.


They include not only specific (sample) people’s browsing history, pseudonymous identification codes, and weighting of their interests, but also often include their GPS locations too. Clearly, this is highly sensitive stuff, and it is remarkable that these are offered as public documentation by the two rule setters of the industry as examples of what should be done.

4 bid request scale overview” shows that the seven largest advertising exchanges handle hundreds of billions of bid requests per day. This suggests that the New Economics Foundation’s estimate in December that bid requests broadcast data about the average UK internet user 164 times a day was a conservative estimate.

Note for reporters regarding “pseudonymous data”:

Data are only pseudonymous if “kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person” according to GDPR Article 4(5). In other words, replacing “Johnny Ryan” with “sdgdsg1231241245”, and then broadcasting that ID to hundreds of companies along with their browsing history and physical location, etc. is not sufficient to be considered pseudonymous. Even if it were, GDPR Recital 26 and Recital 28 make it clear that pseudonymous data do remain personal data, and must be protected.


New evidence filed today

Complaints to date 

Additional evidence filings 

Coverage to date 

  • Unearthed emails could be smoking gun in epic GDPR battle against Google, adtech giants, The Register, 20 February 2019
  • Online advertising body accused of knowingly breaking UK & EU data laws, Sky News, 20 February 2019
  • Privacy activists say online ad industry knowingly violated GDPR, Mashable, 20 February 2019
  • Google accused of sharing data about intimate personal details, The Times, 2 February 2019
  • Ad-tech industry: GDPR complaint is like holding road builders to account for traffic violations, The Register, 31 January 2019
  • Online ad industry rejects complaints of targeting users, The Irish Times, 30 January 2019
  • IAB Tech Lab And Google Criticized In EU By Privacy Advocates, MediaPost, 29 January 2019
  • Tech companies ‘using sensitive personal data to target users for ads’, Irish Independent, 29 January 2019
  • Google Accused Of Using Sensitive Data To Target Online Ads, Silicon UK, 29 January 2019
  • Google And Ad Tech Body Are Still Not Protecting Our Data, Digital Information World, 29 January 2019
  • Google and adtech body criticised over data protection, The Financial Times, 28 January 2019
  • Google and IAB ad category lists show “massive leakage of highly intimate data”, GDPR complaint claims, TechCrunch, 28 January 2019
  • Privacy groups claim online ads can target abuse victims, Wired, 28 January 2019
  • Ad Industry Accused Of ‘Massive’ Privacy Breach, Forbes, 28 January 2019
  • Google and Ad Industry Accused of “Massive” Abuse of Intimate Personal Data, Fortune, 28 January 2019
  • New documents back complaints about online advertising, The Irish Times, 28 January 2019
  • ‘Male impotence’: How tech firms classify what you read, Sky News, 28 January 2019
  • Gripe to UK, Ireland, Poland: Ad tech industry inhales, then ‘leaks’ sensitive info on our health, politics, religion, The Register, 28 January 2019
  • Google and IAB hit with fresh complaints over ‘intimate’ user profiling for adverts, City A.M., 28 January 2019
  • Polish Privacy Group Celebrates Data Protection Day With A Nastygram For RTB, Ad Exchanger, 28 January 2019
  • Google, online ad industry accused of abusing intimate personal data in GDPR complaint, Mashable, 28 January 2019
  • GDPR complaint blasts ‘highly intimate’ Google mental health and male impotence ad labels, The Drum, 28 January 2019
  • Privacy groups blast Google, IAB over data leak via ad auctions, CSO Online, 28 January 2019
  • GDPR can’t stop behavioral ads, but these bitcoin-friendly browsers can help, Bitcoininist, 28 January 2019
  • Privacy campaigners file new evidence to support claims that Google unlawfully profiles internet users, Computing, 28 January 2019
  • Mozilla co-founder’s Brave files adtech complaint against Google, Reuters (this report also ran in The New York Times, Yahoo! News, and DailyMailOnline), 12 September 2018
  • Privacy browser Brave files Adtech complaint against Google, Daily Mail, 12 September 2018
  • As Brave Gears Up to Weaponize Privacy, Google Becomes Its Primary Target, Ad Week, 12 September 2018
  • Ad-blocking browser Brave says Google is breaking EU privacy law, Engadget, 12 September 2018
  • How Google is breaking EU privacy law, according to a new complaint, Fast Company, 12 September 2018
  • Brave browser files GDPR breach complaints against Google in the EU, ZD Net, 12 September 2018
  • Brave browser dumps Google search in France, Germany, C Net, 12 September 2018
  • So Brave: Browser biz sics Brit watchdogs on Google’s info slurpage, The Register, 12 September 2018
  • Pro-privacy company Brave files GDPR complaint against Google, TechSpot, 12 September 2018
  • Privacy-focused browser Brave sues Google, claims breach of Europe’s GDPR rules, Digital Trends, 12 September 2018
  • Google Responds to Allegations That It Violates GDPR, Toms Hardware, 12 September 2018
  • Privacy-browser Brave launches GDPR ad tech ‘test case’ against Google, Marketing Tech News, 12 September 2018
  • Brave Launches Legal Offensive on Google Ads Data Collection Practices, CoinDesk, 12 September 2018

Related articles

Why Brave Disables FLoC

Brave opposes FLoC, a recent Google proposal that would have your browser share your browsing behavior and interests by default with every site and advertiser with which you interact.

Read this article →

Ready for a better Internet?

Brave’s easy-to-use browser blocks ads by default, making the Web cleaner, faster, and safer for people all over the world.


Almost there…

You’re just 60 seconds away from the best privacy online

If your download didn’t start automatically, .

  1. Download Brave

    Click “Save” in the window that pops up, and wait for the download to complete.

    Wait for the download to complete (you may need to click “Save” in a window that pops up).

  2. Run the installer

    Click the downloaded file at the top right of your screen, and follow the instructions to install Brave.

    Click the downloaded file, and follow the instructions to install Brave.

  3. Import settings

    During setup, import bookmarks, extensions, & passwords from your old browser.

Need help?

Get better privacy. Everywhere!

Download Brave mobile for privacy on the go.

Download QR code
Click this file to install Brave Brave logo
Click this file to install Brave Brave logo
Click this file to install Brave Brave logo