Update on GDPR complaint (RTB ad auctions)

Privacy regulators in Poland, Ireland, and the UK urged to act against online ad auctions following new evidence about massive leakage of highly intimate data about web users.

  • Panoptykon Foundation filed a new complaint with the Polish Data Protection Authority today, joining the ad auction complaints already being examined in the UK and in Ireland.
  • New evidence submitted to UK, Ireland, and Polish data Protection Authorities today reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.
  • Today, 28 January, is “International Data Protection Day”. 

Today, Panoptykon Foundation, the Warsaw based digital rights organization, has joined in the complaints filed in the UK and Ireland in September by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave.

Together, the complainants in Ireland, Poland, and the UK, have also filed new evidence today with the national data protection authorities of Ireland, Poland, and the United Kingdom, that reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.

Every time you visit a website that uses ad auctions, personal data about you is broadcast in “bid requests” to tens or hundreds of companies. Part of this process categorizes what you watch or read or listen to. The categories can be benign, such as “Tesla motors”, “bowling”, or “gadgets”. But, as the new evidence filed today shows, they can also be extraordinarily sensitive.

For example, one category is “IAB7-28 Incest/Abuse Support”. This could enable ad auction companies to target and profile a person as an incest or abuse victim. The letters “IAB” in this category title refer to the Interactive Advertising Bureau, the organization that defines the rules of the ad auction industry.

Other IAB categories relate to sensitive and embarrassing health conditions, religious denomination, sexual orientation, etc.

Google runs its own category list, which includes equally sensitive insights such as as “eating disorders”, “left-wing politics”, or “scientology”. There are hundreds of sensitive categories in the IAB’s and Google’s lists. These lists are linked at bottom of this note.

Unnecessary data

While it is acceptable for a library to mark an area with the words “substance abuse”, it would not be acceptable for a library to mark a person who enters that section with those words too. But online, these labels about what you read, watch, and listen to online can stick to you for a long time.

This stickiness is due to the tracking IDs and other information specific to you and your device, which is routinely included in ad auction “bid requests”. Tracking IDs and other personally specific information are not strictly necessary for ad targeting, but they make it easy for companies to re-identify and profile you.

“Ad auction systems are obscure by design”, said Katarzyna Szymielewicz, President of Panoptykon Foundation. “Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data. IAB and Google have to redesign their systems to fix this failure”.

Loading a single web page can trigger several bid request broadcasts. The New Economics Foundation estimates that ad auction companies broadcast intimate profiles about an average UK internet user 164 times per day.[1]  These are received by thousands of companies, and there is no way of knowing what then is done with these intimate data.

Dr Johnny Ryan, Chief Policy & Industry Relations Officer of Brave, said “ad auction companies can fix this by simply excluding personal data, including their tracking IDs, from bid requests. If the industry makes some minor changes[2] then ad auctions can safely operate outside the scope of the GDPR. This would protect privacy, but would also protect marketers and publishers from very significant risk.”

Irish, UK, and Polish regulators are being urged to act on this matter, and more complaints are expected. Ravi Naik, a partner at ITN Solicitors instructed by the complainants, said “Panoptykon’s submissions add to the increasing focus on real time bidding. This new complaint builds on our work before the UK and Irish data protection authorities. We foresee a cascade of complaints to follow across Europe, and fully expect an EU-wide regulatory response”.

“Actors in this ecosystem are keen for the public to think they are dealing in anonymous, or at the very least non-sensitive data, but this simply isn’t the case”, said Michael Veale, technology policy researcher at University College London. “Hugely detailed and invasive profiles are routinely and casually built and traded as part of today’s real-time bidding system, and this practice is treated though it’s a simple fact of life online. It isn’t: and it both needs to and can stop.”

See Panoptykon Foundation’s English language statement here.

New evidence: IAB and Google category lists

Complaints to date 

Contact

Dr Johnny Ryan
Phone: +353 876725770
X (formerly Twitter): @johnnyryan
Email: johnny@brave.com

Press coverage 

  • Google and adtech body criticised over data protection, The Financial Times, 28 January 2019
  • Google and IAB ad category lists show “massive leakage of highly intimate data”, GDPR complaint claims, TechCrunch, 28 January 2019
  • Privacy groups claim online ads can target abuse victims, Wired, 28 January 2019
  • Ad Industry Accused Of ‘Massive’ Privacy Breach, Forbes, 28 January 2019
  • Google and Ad Industry Accused of “Massive” Abuse of Intimate Personal Data, Fortune, 28 January 2019
  • New documents back complaints about online advertising, The Irish Times, 28 January 2019
  • ‘Male impotence’: How tech firms classify what you read, Sky News, 28 January 2019
  • Gripe to UK, Ireland, Poland: Ad tech industry inhales, then ‘leaks’ sensitive info on our health, politics, religion, The Register, 28 January 2019
  • Google and IAB hit with fresh complaints over ‘intimate’ user profiling for adverts, City A.M., 28 January 2019
  • Polish Privacy Group Celebrates Data Protection Day With A Nastygram For RTB, Ad Exchanger, 28 January 2019
  • Google, online ad industry accused of abusing intimate personal data in GDPR complaint, Mashable, 28 January 2019
  • GDPR complaint blasts ‘highly intimate’ Google mental health and male impotence ad labels, The Drum, 28 January 2019
  • Privacy groups blast Google, IAB over data leak via ad auctions, CSO Online, 28 January 2019
  • GDPR can’t stop behavioral ads, but these bitcoin-friendly browsers can help, Bitcoininist, 28 January 2019
  • Privacy campaigners file new evidence to support claims that Google unlawfully profiles internet users, Computing, 28 January 2019
  • IAB Tech Lab And Google Criticized In EU By Privacy Advocates, MediaPost, 29 January 2019
  • Tech companies ‘using sensitive personal data to target users for ads’, Irish Independent, 29 January 2019
  • Google Accused Of Using Sensitive Data To Target Online Ads, Silicon UK, 29 January 2019
  • Google And Ad Tech Body Are Still Not Protecting Our Data, Digital Information World, 29 January 2019
  • Online ad industry rejects complaints of targeting users, The Irish Times, 30 January 2019
  • Ad-tech industry: GDPR complaint is like holding road builders to account for traffic violations, The Register, 31 January 2019
  • Google accused of sharing data about intimate personal details, The Times, 2 February 2019

Coverage of initial filing 

  • Mozilla co-founder’s Brave files adtech complaint against Google, Reuters (this report also ran in The New York Times, Yahoo! News, and DailyMailOnline), 12 September 2018 
  • Privacy browser Brave files Adtech complaint against Google, Daily Mail, 12 September 2018 
  • As Brave Gears Up to Weaponize Privacy, Google Becomes Its Primary Target, Ad Week, 12 September 2018 
  • Ad-blocking browser Brave says Google is breaking EU privacy law, Engadget, 12 September 2018 
  • How Google is breaking EU privacy law, according to a new complaint, Fast Company12 September 2018 
  • Brave browser files GDPR breach complaints against Google in the EU, ZD Net12 September 2018 
  • Brave browser dumps Google search in France, Germany, C Net12 September 2018 
  • So Brave: Browser biz sics Brit watchdogs on Google’s info slurpage, The Register12 September 2018 
  • Pro-privacy company Brave files GDPR complaint against Google, TechSpot12 September 2018 
  • Privacy-focused browser Brave sues Google, claims breach of Europe’s GDPR rules, Digital Trends12 September 2018 
  • Google Responds to Allegations That It Violates GDPR, Toms Hardware12 September 2018 
  • Privacy-browser Brave launches GDPR ad tech ‘test case’ against Google, Marketing Tech News12 September 2018 
  • Brave Launches Legal Offensive on Google Ads Data Collection Practices, CoinDesk12 September 2018 

Notes

[1]  Duncan McCann and Miranda Hall, “Blocking the data stalkers”, New Economics Foundation, December 2018 (URL: https://neweconomics.org/uploads/files/NEF_Blocking_Data_Stalkers.pdf), p. 9.

[2] See for example Sean Blanchfield, “Frequency capping and ad campaign measurement under GDPR”, PageFair, November 2017 (URL: https://pagefair.com/blog/2017/gdpr-measurement1/).

Related articles

Why Brave Disables FLoC

Brave opposes FLoC, a recent Google proposal that would have your browser share your browsing behavior and interests by default with every site and advertiser with which you interact.

Read this article →

Ready for a better Internet?

Brave’s easy-to-use browser blocks ads by default, making the Web faster, safer, and less cluttered for people all over the world.