This note highlights the inadequacies of Google and IAB proposals to reform RTB, and summarises the market problems of regulatory failure.
In June 2019, the ICO published a damning report on “real-time bidding”. It completely vindicated the evidence produced by Brave, and submitted with the complaints from Jim Killock and Dr Michael Veale, in parallel with Dr Johnny Ryan’s complaints to the Irish Data Protection Commission.
The ICO agreed with Brave and the complainants that the RTB system broadcasts what everyone in the UK is reading and watching online every day to thousands of companies, without any security over what happens to the data.
“Once data is out of the hands of one party, essentially that party has no way to guarantee that the data will remain subject to appropriate protection and controls. … Thousands of organisations are processing billions of bid requests in the UK each week…”
The ICO gave the RTB industry, led by Google and the IAB, six months to fix the enormous data breach, even though ten months had already passed since the ICO had received Brave’s evidence.
But in that time Google and the IAB failed to make any substantial proposals to fix the problem. We have analysed their proposals in detail. They will have no material impact on the ongoing RTB data breach.
The ICO’s six month grace period elapsed in December 2019.
Last week, in mid January, the ICO surprised the complainants by announcing that the Google and IAB proposals will “result in real improvements to the handling of personal data within the adtech industry”.
No sensible analysis can agree with the ICO’s statement.
Google’s proposals do not stop the RTB data breach
Removing content categories from RTB is immaterial.
Google announced that it will remove one element of the RTB data breach: contextual categories, that denote the subject of the webpage or app that a person is loading. Many of these categories are highly sensitive. Their removal, however, will have no material impact on the RTB data breach, because Google’s RTB system will continue to broadcast other personal data that reveals the same information.
This includes URLs. A URL can itself reveal special category data such as sexuality, religious faith or health condition. For example, the URLs “Gay.co.uk”, “Islam.org.uk”, or “NHS.uk/Conditions/Cancer/” can reveal special category data.
Furthermore, automatic analysis of the pages designated by URLs can reveal special contextual categories, even if the RTB system does not include the category names in a broadcast. The IAB says that many RTB companies rely on “external contextual targeting services” to do this, instead of using the contextual categories built into its own RTB system. Doing this with the following example URL “dailymail.co.uk/health/article-4574230/Postpartum-depression-guide-women-men.html” returns contextual categories: “postpartum depression”, “postpartum period”, “anxiety disorder”, and “major depressive disorder”.
Therefore, removing content categories is an empty gesture, so long as Google continues to broadcast other personal data in its RTB broadcasts that can reveal contextual categories.
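The point above can be checked mechanically. The following is an added example (not code from Brave, Google or the IAB): it applies the announced mitigation to a constructed OpenRTB-style bid request by dropping the category fields, then shows that the `site.page` URL still carries the same special category data. The keyword lexicon is a constructed assumption standing in for the external contextual analysis described above.

```python
import re
from urllib.parse import urlparse

# Constructed lexicon (assumption): URL tokens that map to special category data.
# A real contextual service would be far richer; this is enough to show the leak.
SENSITIVE_TERMS = {
    "cancer": "health", "depression": "health", "postpartum": "health",
    "gay": "sexuality", "lgbt": "sexuality",
    "islam": "religion", "mosque": "religion", "church": "religion",
}

# Constructed bid request in the shape of an OpenRTB 2.x "site" object.
BID_REQUEST = {
    "id": "constructed-bid-001",
    "site": {
        "page": "https://www.dailymail.co.uk/health/article-4574230/"
                "Postpartum-depression-guide-women-men.html",
        "cat": ["IAB7"],  # constructed example category code
    },
    "user": {"id": "constructed-user-id"},
}


def strip_content_categories(bid_request):
    """The announced mitigation: remove category fields, leave everything else."""
    req = dict(bid_request)
    site = dict(req.get("site", {}))
    for field in ("cat", "sectioncat", "pagecat"):
        site.pop(field, None)
    req["site"] = site
    return req


def url_tokens(url):
    """Split host and path of a URL into lowercase alphabetic tokens."""
    parsed = urlparse(url)
    return re.findall(r"[a-z]+", (parsed.netloc + " " + parsed.path).lower())


def special_categories_from_url(url):
    """Infer special category data types from the URL alone."""
    return sorted({SENSITIVE_TERMS[t] for t in url_tokens(url) if t in SENSITIVE_TERMS})


def still_leaks(bid_request):
    """Special category data a recipient can still infer after categories are removed."""
    page = strip_content_categories(bid_request)["site"].get("page", "")
    return special_categories_from_url(page)
```

A publisher or SSP could run `still_leaks` over outgoing bid requests to flag those that remain sensitive despite the category removal.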
Auditing appears to be impossible.
Second, Google’s proposal to audit what happens to data in its RTB system is inadequate.
Google currently has no controls in place to protect RTB data after it broadcasts it to 2,000+ companies. The companies are merely told to “notify Google in writing” if they intend to misuse it.
Google now proposes to attempt to audit some of these companies. It is unclear how it will be able to investigate what happens to the many hundreds of trillions of records that it continuously puts into the hands of these thousands of companies. This is an impossible task.
What the IAB announced does not address the RTB data breach
IAB UK published various proposals in a response to the ICO’s questions. But aside from promises to send (non-binding) guidance to members, the IAB’s lengthy proposals contained only one action that directly engaged with the data breach at the heart of our complaint:
“IAB UK and IAB Europe have initiated a joint workstream (subject to TCF governance processes) to develop additional commitments in relation to data security for future integration into the TCF policies”.
Not only does this statement lack substance and urgency, it also relies on a system that is incapable of correcting RTB’s security flaws. The TCF (“transparency and consent framework”) merely sends “please do not use” requests to the many companies receiving RTB broadcasts in the IAB system. It is not able to control what happens to the data.
Regulatory failure and the online advertising market
The only way to ensure security of personal data in the RTB system is to stop broadcasting personal data to thousands of companies. The ICO has not acted to enforce this, or any other substantive measure to stop the continuing RTB data breach.
It may be that the ICO is concerned that enforcement would set the conditions for Google (or someone else) to take over the RTB market, by becoming an omni-DSP/SSP. Its hypothesis may be that although this may adequately protect data because it would end the broadcast of personal data to thousands of companies, it might harm a market of thousands of companies.
In a lawless market, it is inevitable that enforcement of the law may reward companies that can operate lawfully. However, Google (and Facebook) can only continue to dominate the digital market if the ICO continues to fail to enforce the GDPR. It would require the continuation of three regulatory failures to hand Google the competitive advantage:
1. Failure to enforce Article 5(1)(b) of the GDPR (the purpose limitation principle). This failure allows Google to continue its unlawful use of any personal data, from any of its businesses, for ad targeting. Enforcement would force Google to compete on the merits in all lines of business, and stop it from automatically opting users in to all of its services and data collection. Google would lose its enormous data advantage.
2. Failure to enforce Article 9(2) of the GDPR, against the unlawful use of contract or legitimate interest as legal bases to process “special category data”. This failure allows Google to continue to unlawfully use personal data for any purpose without asking for proper consent. Enforcement would help to put Google at the mercy of its users.
3. Failure to enforce the “ease of withdrawal” of consent provided for in Article 7(3) of the GDPR. This failure allows Google to continue to unlawfully fail to show people simple withdrawal of consent messages for its different uses of their data. Enforcement of this aspect of the GDPR, combined with the previous two elements, would put users in control of what parts of Google are able to do what with their data.
The GDPR can only give large companies a market advantage if regulatory failure to enforce the GDPR continues.
Notes
1. “Update report into adtech and real time bidding”, Information Commissioner’s Office, 20 June 2019, pp. 20-23.
2. Simon McDougall, “Adtech – the reform of real time bidding has started and will continue”, 17 January 2020 (URL: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/blog-adtech-the-reform-of-real-time-bidding-has-started/).
3. The IAB refers to DSPs, “demand side partners”.
4. “IAB UK response to the ICO’s ‘Update report into adtech and real time bidding’”, IAB UK, 20 December 2019 (URL: https://iabuk.com/news-article/iab-uks-response-icos-adtech-and-real-time-bidding-update-report), p. 12.
5. Using an automatic system called DiffBot. There are many tools that perform this automatic analysis. For example, see a list of tools at “Alternatives to DiffBot for all platforms with any license” (URL: https://alternativeto.net/software/diffbot/).
6. “Authorized Buyers Program Guidelines”, Google (URL: https://www.google.com/doubleclick/adxbuyer/guidelines/).
7. With IAB TechLab and IAB Europe.
8. “IAB UK response to the ICO’s ‘Update report into adtech and real time bidding’”, IAB UK, 20 December 2019 (URL: https://iabuk.com/news-article/iab-uks-response-icos-adtech-and-real-time-bidding-update-report), p. 20. There is more detail on pp. 22-23 about “guidance” on security for members.
9. The Competition & Markets Authority mistakenly shares this concern at present. See “Online platforms and digital advertising: Market study interim report”, December 2019 (URL: https://assets.publishing.service.gov.uk/media/5dfa0580ed915d0933009761/Interim_report.pdf), paragraphs 4.150-4.152, 4.159.
10. The purpose limitation principle is strangely absent from the CMA’s interim report, appearing in a summary of the GDPR principles and only discussed in a footnote (number 223).