Updates & timeline for Brave’s work to fix “RTB” adtech

Brave has gathered evidence on the biggest data breach in history. Every day, the online ad industry broadcasts what every Internet user reads and watches to thousands of companies, hundreds of billions of times a day. Together with 21 privacy activists and organizations, Brave is using the GDPR to end it.

Timeline

12 September 2018 Formal GDPR complaints, accompanied by an overview of RTB that details evidence from Google and IAB technical documentation (the ‘Ryan Report’), are submitted to Irish Data Protection Commission (DPC) and UK Information Commissioner’s Office (ICO) by Johnny Ryan of Brave, and Jim Killock of Open Rights Group and Michael Veale of UCL. Read more.

28 January 2019 Further evidence on “content categories” is submitted. The complaint is also submitted to Polish Data Protection Authority by Katarzyna Szymielewicz of Pakoptykon Foundation. Read more.

20 February 2019 Further evidence is submitted, including sample bid requests, IAB correspondence, and material on the scale of and lack of control in RTB system. Read more.

20 May 2019 The complaint is extended to four more countries. The new complaints are filed by Gemma Galdon Clavell of Eticas Foundation, David Korteweg of Bits of Freedom, Jef Ausloos of University of Amsterdam, Pierre Dewitte of University of Leuven, and Jose Belo of Exigo Luxembourg. Read more.

22 May 2019 The Irish Data Protection Commission announces a statutory investigation into Google’s RTB business under Section 110 of the Irish Data Protection Act, which relates to “suspected infringement”. Read more.

4 June 2019 The complaint is extended to France, Germany, Italy, the Netherlands, Poland, Bulgaria, the Czech Republic, Estonia, and Hungary. This is coordinated through Liberties.eu. The new complainants are the Society for Civil Rights, Digitale courage, Digitale Gesellschaft, Netzwerk Datenschutzexpertise, Deutsche Vereinigung für Datenschutz, the Italian Coalition for Civil Rights and Freedoms, the Bulgarian Helsinki Committee, the Association for the Defense of Human Rights in Romania, the Italian Coalition for Civil Rights and Freedoms, the Estonian Human Rights Centre, the Peace Institute. Read more (external link).

20 June 2019 The UK Information Commissioner’s Office publishes a report that confirms and vindicates the complaint and accompanying evidence. However, the ICO fails to take any action. Read more.

4 September 2019 Further evidence, demonstrating the misuse of personal data in Google’s RTB system, is submitted to the Irish Data Protection Authority. Read more.

8 October 2019 The Belgian Data Protection Authority confirms in writing to Ausloos and Dewitte that it is investigating the IAB.

31 December 2019 The ICO’s six month grace period for the RTB industry ends. No substantive action is taken or proposed by the industry to end the RTB data breach.

17 January 2020 The ICO announces that it will take no immediate action to stop the ongoing RTB data breach. Read more.

Links

Selected evidence submitted to data protection authorities.

Update (Six Months of Data): lessons for growing publisher revenue by removing 3rd party tracking

Jul 24, 2020

This note analyses additional granular data from Dutch publisher NPO, and presents lessons for the publishing industry about privacy and revenue based on six months of data from a publishing group that removed 3rd party tracking.

New data shows publisher revenue impact of cutting 3rd party trackers

Jul 1, 2020

This note shares new data on publisher revenue impact from switching off 3rd party ad tracking.

Johnny Ryan’s privacy keynote for P&G

Jun 15, 2020

Procter & Gamble invited Dr Johnny Ryan of Brave to give a (remote) keynote about how advertisers should adapt to the privacy-first future.

Industry discussion on the GDPR at 2 years old, and future EU regulatory development

May 20, 2020

Senior representatives of advertisers, publishers, and intermediaries discuss two years of the the GDPR in a discussion hosted by Brave.

Failure to enforce the GDPR enables Google’s monopoly

Feb 18, 2020

Brave has written to the US Senate and Congress Homeland Security Committees about a serious national security vulnerability.

Google and IAB’s inadequate proposals to reform RTB

Jan 21, 2020

This note highlights the inadequacies of Google and IAB proposals to reform RTB, and rebuts the argument for inaction.

The ICO’s failure to act on RTB, the largest data breach ever recorded in the UK

Jan 17, 2020

The ICO has today announced that it will be taking no substantive action to fix "RTB", the largest data breach ever recorded in the UK. Regulatory ambivalence cannot continue. We are considering all options to put an end to the systemic breach, including direct challenges to the controllers and judicial oversight of the ICO.

Why marketers must conduct GDPR Data Protection Impact Assessments of RTB

Sep 24, 2019

This note examines the GDPR requirement that marketers conduct data protection impact assessments (DPIAs) when buying digital media using “real-time bidding” advertising.

Brave uncovers Google’s GDPR workaround

Sep 4, 2019

Brave presents new RTB evidence, and has uncovered a mechanism by which Google appears to be circumventing its purported GDPR privacy protections.

IAB Europe fails to answer Irish Data Protection Commission

Aug 9, 2019

Formal GDPR complaint against IAB Europe’s “cookie wall” and GDPR consent guidance.

A summary of the ICO report on RTB – and what happens next

Jun 26, 2019

This note summarizes the ICO report on real-time bidding, which vindicates the GDPR complaints initiated by Brave, and points toward the solution.

Major publisher group DCN tells regulators “the sky won’t fall” if RTB switches to safe, non-personal data.

Jun 19, 2019

DCN's CEO, Jason Kint, says removing personal data from bid requests might disadvantage adtech companies, but the sky won’t fall for publishers.

Google faces first investigation by its European lead authority for “suspected infringement” of the GDPR, following formal complaint from Brave

May 22, 2019

Today, Ireland’s Data Protection Commission (DPC) has announced a major GDPR probe into “suspected infringement” by Google’s DoubleClick/Authorized Buyers advertising business. The probe was triggered by a formal complaint from Dr Johnny Ryan, Chief Policy Officer at Brave, the private web browser.

Ad Tech GDPR complaint is extended to four more European regulators

May 20, 2019

GDPR complaints about Real-Time Bidding (RTB) in the online advertising industry were filed today with Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg. The complaints detail the vast scale of personal data leakage by Google and other major companies in the “Ad Tech” industry. This week marks one year since the introduction of the GDPR.

Formal GDPR complaint against IAB Europe’s “cookie wall” and GDPR consent guidance.

Apr 1, 2019

Formal GDPR complaint against IAB Europe’s “cookie wall” and GDPR consent guidance.

New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.

Feb 20, 2019

New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.

Update on GDPR complaint (RTB ad auctions)

Jan 28, 2019

Brave and co-complainants in Poland, Ireland, and the UK submit new evidence about massive adtech leakage of highly intimate data.

French regulator shows deep flaws in IAB’s consent framework and RTB

Nov 20, 2018

French regulator's decision against Vectaury confirms that IAB “Transparency & Consent Framework” does not obtain valid consent, and illustrates how even tiny adtech companies can unlawfully gather millions of people’s personal data from the online advertising “real time bidding system” (RTB).