Updates & timeline for Brave's work to fix "RTB" adtech
Brave has gathered evidence on the biggest data breach in history. Every day, the online ad industry broadcasts what every Internet user reads and watches to thousands of companies, hundreds of billions of times a day. Together with 21 privacy activists and organizations, Brave is using the GDPR to end it.Timeline
12 September 2018 Formal GDPR complaints, accompanied by an overview of RTB that details evidence from Google and IAB technical documentation (the ‘Ryan Report’), are submitted to Irish Data Protection Commission (DPC) and UK Information Commissioner’s Office (ICO) by Johnny Ryan of Brave, and Jim Killock of Open Rights Group and Michael Veale of UCL. Read more.
28 January 2019 Further evidence on “content categories” is submitted. The complaint is also submitted to Polish Data Protection Authority by Katarzyna Szymielewicz of Pakoptykon Foundation. Read more.
20 February 2019 Further evidence is submitted, including sample bid requests, IAB correspondence, and material on the scale of and lack of control in RTB system. Read more.
20 May 2019 The complaint is extended to four more countries. The new complaints are filed by Gemma Galdon Clavell of Eticas Foundation, David Korteweg of Bits of Freedom, Jef Ausloos of University of Amsterdam, Pierre Dewitte of University of Leuven, and Jose Belo of Exigo Luxembourg. Read more.
22 May 2019 The Irish Data Protection Commission announces a statutory investigation into Google’s RTB business under Section 110 of the Irish Data Protection Act, which relates to “suspected infringement”. Read more.
4 June 2019 The complaint is extended to France, Germany, Italy, the Netherlands, Poland, Bulgaria, the Czech Republic, Estonia, and Hungary. This is coordinated through Liberties.eu. The new complainants are the Society for Civil Rights, Digitale courage, Digitale Gesellschaft, Netzwerk Datenschutzexpertise, Deutsche Vereinigung für Datenschutz, the Italian Coalition for Civil Rights and Freedoms, the Bulgarian Helsinki Committee, the Association for the Defense of Human Rights in Romania, the Italian Coalition for Civil Rights and Freedoms, the Estonian Human Rights Centre, the Peace Institute. Read more (external link).
20 June 2019 The UK Information Commissioner’s Office publishes a report that confirms and vindicates the complaint and accompanying evidence. However, the ICO fails to take any action. Read more.
4 September 2019 Further evidence, demonstrating the misuse of personal data in Google’s RTB system, is submitted to the Irish Data Protection Authority. Read more.
8 October 2019 The Belgian Data Protection Authority confirms in writing to Ausloos and Dewitte that it is investigating the IAB.
31 December 2019 The ICO’s six month grace period for the RTB industry ends. No substantive action is taken or proposed by the industry to end the RTB data breach.
17 January 2020 The ICO announces that it will take no immediate action to stop the ongoing RTB data breach. Read more.
Links
Selected evidence submitted to data protection authorities.
Related Updates
Update (Six Months of Data): lessons for growing publisher revenue by removing 3rd party tracking
This note analyses additional granular data from Dutch publisher NPO, and presents lessons for the publishing industry about privacy and revenue based on six months of data from a publishing group that removed 3rd party tracking.
New data shows publisher revenue impact of cutting 3rd party trackers
This note shares new data on publisher revenue impact from switching off 3rd party ad tracking.
Johnny Ryan’s privacy keynote for P&G
Procter & Gamble invited Dr Johnny Ryan of Brave to give a (remote) keynote about how advertisers should adapt to the privacy-first future.
Industry discussion on the GDPR at 2 years old, and future EU regulatory development
Senior representatives of advertisers, publishers, and intermediaries discuss two years of the the GDPR in a discussion hosted by Brave.
Failure to enforce the GDPR enables Google’s monopoly
Brave’s submission to the UK Competition & Markets Authority shows how to fix the RTB market and end Google’s advertising monopoly.
Google and IAB’s inadequate proposals to reform RTB
This note highlights the inadequacies of Google and IAB proposals to reform RTB, and rebuts the argument for inaction.
The ICO’s failure to act on RTB, the largest data breach ever recorded in the UK
The ICO has today announced that it will be taking no substantive action to fix “RTB”, the largest data breach ever recorded in the UK. Regulatory ambivalence cannot continue. We are considering all options to put an end to the systemic breach, including direct challenges to the controllers and judicial oversight of the ICO.
Why marketers must conduct GDPR Data Protection Impact Assessments of RTB
This note examines the GDPR requirement that marketers conduct data protection impact assessments (DPIAs) when buying digital media using “real-time bidding” advertising.
Brave uncovers Google’s GDPR workaround
Brave presents new RTB evidence, and has uncovered a mechanism by which Google appears to be circumventing its purported GDPR privacy protections.
IAB Europe fails to answer Irish Data Protection Commission
IAB Europe fails to answer questions from Irish Data Protection Commission arising from formal GDPR complaint by Brave’s Dr Ryan against IAB Europe’s “forced consent” and consent walls.
A summary of the ICO report on RTB – and what happens next
This note summarizes the ICO report on real-time bidding, which vindicates the GDPR complaints initiated by Brave, and points toward the solution.
Major publisher group DCN tells regulators “the sky won’t fall” if RTB switches to safe, non-personal data.
DCN’s CEO, Jason Kint, says removing personal data from bid requests might disadvantage adtech companies, but the sky won’t fall for publishers.
Google faces first investigation by its European lead authority for “suspected infringement” of the GDPR, following formal complaint from Brave
Today, Ireland’s Data Protection Commission (DPC) has announced a major GDPR probe into “suspected infringement” by Google’s DoubleClick/Authorized Buyers advertising business. The probe was triggered by a formal complaint from Dr Johnny Ryan, Chief Policy Officer at Brave, the private web browser.
Ad Tech GDPR complaint is extended to four more European regulators
GDPR complaints about Real-Time Bidding (RTB) in the online advertising industry were filed today with Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg. The complaints detail the vast scale of personal data leakage by Google and other major companies in the “Ad Tech” industry.
Formal GDPR complaint against IAB Europe’s “cookie wall” and GDPR consent guidance.
A formal complaint has been filed with the Irish Data Protection Commissioner against IAB Europe, the tracking industry’s primary lobbying organization.
New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.
New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.
Update on GDPR complaint (RTB ad auctions)
Brave and co-complainants in Poland, Ireland, and the UK submit new evidence about massive adtech leakage of highly intimate data.
French regulator shows deep flaws in IAB’s consent framework and RTB
French regulator’s decision against Vectaury confirms that IAB “Transparency & Consent Framework” does not obtain valid consent, and illustrates how even tiny adtech companies can unlawfully gather millions of people’s personal data from the online advertising “real time bidding system” (RTB).
Regulatory complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under Europe’s GDPR
Latest updates: read more about the RTB complaints. Mail list: receive updates & research notes in your inbox. Dublin, Ireland and London, United Kingdom, Wednesday, 12 September 2018 -- Simultaneous complaints have been filed with European data protection...
Critical data protection problems in the IAB’s new OpenRTB 3.0 Spec
A ruling of the European Court of Justice this month in the “Facebook fan page case” exposes marketers to severe legal risk from programmatic advertising.
Europe’s top court signals new risk for marketers from ad tech
A ruling of the European Court of Justice this month in the “Facebook fan page case” exposes marketers to severe legal risk from programmatic advertising.