Updates & timeline for Brave's work to fix "RTB" adtech

Brave has gathered evidence on the biggest data breach in history. Every day, the online ad industry broadcasts what every Internet user reads and watches to thousands of companies, hundreds of billions of times a day. Together with 21 privacy activists and organizations, Brave is using the GDPR to end it.


12 September 2018 Formal GDPR complaints, accompanied by an overview of RTB that details evidence from Google and IAB technical documentation (the ‘Ryan Report’), are submitted to Irish Data Protection Commission (DPC) and UK Information Commissioner’s Office (ICO) by Johnny Ryan of Brave, and Jim Killock of Open Rights Group and Michael Veale of UCL. Read more.

28 January 2019 Further evidence on “content categories” is submitted. The complaint is also submitted to Polish Data Protection Authority by Katarzyna Szymielewicz of Pakoptykon Foundation. Read more.

20 February 2019 Further evidence is submitted, including sample bid requests, IAB correspondence, and material on the scale of and lack of control in RTB system. Read more. 

20 May 2019 The complaint is extended to four more countries. The new complaints are filed by Gemma Galdon Clavell of Eticas Foundation, David Korteweg of Bits of Freedom, Jef Ausloos of University of Amsterdam, Pierre Dewitte of University of Leuven, and Jose Belo of Exigo Luxembourg. Read more.

22 May 2019 The Irish Data Protection Commission announces a statutory investigation into Google’s RTB business under Section 110 of the Irish Data Protection Act, which relates to “suspected infringement”. Read more. 

4 June 2019 The complaint is extended to France, Germany, Italy, the Netherlands, Poland, Bulgaria, the Czech Republic, Estonia, and Hungary. This is coordinated through Liberties.eu. The new complainants are the Society for Civil Rights, Digitale courage, Digitale Gesellschaft, Netzwerk Datenschutzexpertise, Deutsche Vereinigung für Datenschutz, the Italian Coalition for Civil Rights and Freedoms, the Bulgarian Helsinki Committee, the Association for the Defense of Human Rights in Romania, the Italian Coalition for Civil Rights and Freedoms, the Estonian Human Rights Centre, the Peace Institute. Read more (external link). 

20 June 2019 The UK Information Commissioner’s Office publishes a report that confirms and vindicates the complaint and accompanying evidence. However, the ICO fails to take any action. Read more. 

4 September 2019 Further evidence, demonstrating the misuse of personal data in Google’s RTB system, is submitted to the Irish Data Protection Authority. Read more. 

8 October 2019 The Belgian Data Protection Authority confirms in writing to Ausloos and Dewitte that it is investigating the IAB. 



Sign up for updates.

Selected evidence submitted to data protection authorities.


Related Updates

Ad Tech GDPR complaint is extended to four more European regulators

Ad Tech GDPR complaint is extended to four more European regulators

GDPR complaints about Real-Time Bidding (RTB) in the online advertising industry were filed today with Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg. The complaints detail the vast scale of personal data leakage by Google and other major companies in the “Ad Tech” industry.
French regulator shows deep flaws in IAB’s consent framework and RTB

French regulator shows deep flaws in IAB’s consent framework and RTB

French regulator's decision against Vectaury confirms that IAB “Transparency & Consent Framework” does not obtain valid consent, and illustrates how even tiny adtech companies can unlawfully gather millions of people’s personal data from the online advertising “real time bidding system” (RTB).