Privacy regulators in Poland, Ireland, and the UK urged to act against online ad auctions following new evidence about massive leakage of highly intimate data about web users.
- Panoptykon Foundation filed a new complaint with the Polish Data Protection Authority today, joining the ad auction complaints already being examined in the UK and in Ireland.
- New evidence submitted to the UK, Irish, and Polish Data Protection Authorities today reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.
- Today, 28 January, is “International Data Protection Day”.
Today, Panoptykon Foundation, the Warsaw-based digital rights organization, has joined in the complaints filed in the UK and Ireland in September by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave.
Together, the complainants in Ireland, Poland, and the UK have also filed new evidence today with the national data protection authorities of Ireland, Poland, and the United Kingdom that reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.
Every time you visit a website that uses ad auctions, personal data about you is broadcast in “bid requests” to tens or hundreds of companies. Part of this process categorizes what you watch or read or listen to. The categories can be benign, such as “Tesla motors”, “bowling”, or “gadgets”. But, as the new evidence filed today shows, they can also be extraordinarily sensitive.
For example, one category is “IAB7-28 Incest/Abuse Support”. This could enable ad auction companies to target and profile a person as an incest or abuse victim. The letters “IAB” in this category title refer to the Interactive Advertising Bureau, the organization that defines the rules of the ad auction industry.
Other IAB categories relate to sensitive and embarrassing health conditions, religious denomination, sexual orientation, etc.
Google runs its own category list, which includes equally sensitive insights such as “eating disorders”, “left-wing politics”, or “scientology”. There are hundreds of sensitive categories in the IAB’s and Google’s lists. These lists are linked at the bottom of this note.
While it is acceptable for a library to mark an area with the words “substance abuse”, it would not be acceptable for a library to mark a person who enters that section with those words too. But online, these labels about what you read, watch, and listen to can stick to you for a long time.
This stickiness is due to the tracking IDs and other information specific to you and your device, which is routinely included in ad auction “bid requests”. Tracking IDs and other personally specific information are not strictly necessary for ad targeting, but they make it easy for companies to re-identify and profile you.
“Ad auction systems are obscure by design”, said Katarzyna Szymielewicz, President of Panoptykon Foundation. “Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data. IAB and Google have to redesign their systems to fix this failure”.
Loading a single web page can trigger several bid request broadcasts. The New Economics Foundation estimates that ad auction companies broadcast intimate profiles about an average UK internet user 164 times per day. These are received by thousands of companies, and there is no way of knowing what then is done with these intimate data.
Dr Johnny Ryan, Chief Policy & Industry Relations Officer of Brave, said “ad auction companies can fix this by simply excluding personal data, including their tracking IDs, from bid requests. If the industry makes some minor changes then ad auctions can safely operate outside the scope of the GDPR. This would protect privacy, but would also protect marketers and publishers from very significant risk.”
Irish, UK, and Polish regulators are being urged to act on this matter, and more complaints are expected. Ravi Naik, a partner at ITN Solicitors instructed by the complainants, said “Panoptykon’s submissions add to the increasing focus on real time bidding. This new complaint builds on our work before the UK and Irish data protection authorities. We foresee a cascade of complaints to follow across Europe, and fully expect an EU-wide regulatory response”.
“Actors in this ecosystem are keen for the public to think they are dealing in anonymous, or at the very least non-sensitive data, but this simply isn’t the case”, said Michael Veale, technology policy researcher at University College London. “Hugely detailed and invasive profiles are routinely and casually built and traded as part of today’s real-time bidding system, and this practice is treated as though it’s a simple fact of life online. It isn’t: and it both needs to and can stop.”
See Panoptykon Foundation’s English language statement here.
New evidence: IAB and Google category lists
Although the IAB describes the “content taxonomy v1” list as “depreciated”, this list is actually widely used, and is included in the latest version of the IAB’s ad auctioning system (OpenRTB 3.0 and AdCOM v1), which were updated in the last three months.
- Excerpt of IAB’s official “content taxonomy v1” list.
See also the full document with special category data highlighted and the original spreadsheet list from IAB.com (see tab 2).
- Excerpt of IAB’s official “content taxonomy v2” list.
See also the full list with sensitive data highlighted and the original spreadsheet list from IAB.com (see tab 1).
Complaints to date
- Filing with the Polish data protection authority against Google 1/2019 (PDF)
- Filing with the Polish data protection authority against IAB 1/2019 (PDF)
- Filing with the UK Information Commissioner against IAB Europe and Google 9/2018 (PDF)
- Filing with the Irish Data Protection Commissioner against IAB Europe and Google 9/2018 (PDF)
- Report on behavioural advertising and personal data 9/2018 (PDF)
Dr Johnny Ryan
Phone: +353 876725770
- Google and adtech body criticised over data protection, The Financial Times, 28 January 2019
- Google and IAB ad category lists show “massive leakage of highly intimate data”, GDPR complaint claims, TechCrunch, 28 January 2019
- Privacy groups claim online ads can target abuse victims, Wired, 28 January 2019
- Ad Industry Accused Of ‘Massive’ Privacy Breach, Forbes, 28 January 2019
- Google and Ad Industry Accused of “Massive” Abuse of Intimate Personal Data, Fortune, 28 January 2019
- New documents back complaints about online advertising, The Irish Times, 28 January 2019
- ‘Male impotence’: How tech firms classify what you read, Sky News, 28 January 2019
- Gripe to UK, Ireland, Poland: Ad tech industry inhales, then ‘leaks’ sensitive info on our health, politics, religion, The Register, 28 January 2019
- Google and IAB hit with fresh complaints over ‘intimate’ user profiling for adverts, City A.M., 28 January 2019
- Polish Privacy Group Celebrates Data Protection Day With A Nastygram For RTB, Ad Exchanger, 28 January 2019
- Google, online ad industry accused of abusing intimate personal data in GDPR complaint, Mashable, 28 January 2019
- GDPR complaint blasts ‘highly intimate’ Google mental health and male impotence ad labels, The Drum, 28 January 2019
- Privacy groups blast Google, IAB over data leak via ad auctions, CSO Online, 28 January 2019
- GDPR can’t stop behavioral ads, but these bitcoin-friendly browsers can help, Bitcoinist, 28 January 2019
- Privacy campaigners file new evidence to support claims that Google unlawfully profiles internet users, Computing, 28 January 2019
- IAB Tech Lab And Google Criticized In EU By Privacy Advocates, MediaPost, 29 January 2019
- Tech companies ‘using sensitive personal data to target users for ads’, Irish Independent, 29 January 2019
- Google Accused Of Using Sensitive Data To Target Online Ads, Silicon UK, 29 January 2019
- Google And Ad Tech Body Are Still Not Protecting Our Data, Digital Information World, 29 January 2019
- Online ad industry rejects complaints of targeting users, The Irish Times, 30 January 2019
- Ad-tech industry: GDPR complaint is like holding road builders to account for traffic violations, The Register, 31 January 2019
- Google accused of sharing data about intimate personal details, The Times, 2 February 2019
Coverage of initial filing
- Mozilla co-founder’s Brave files adtech complaint against Google, Reuters (this report also ran in The New York Times, Yahoo! News, and DailyMailOnline), 12 September 2018
- Privacy browser Brave files Adtech complaint against Google, Daily Mail, 12 September 2018
- As Brave Gears Up to Weaponize Privacy, Google Becomes Its Primary Target, Ad Week, 12 September 2018
- Ad-blocking browser Brave says Google is breaking EU privacy law, Engadget, 12 September 2018
- How Google is breaking EU privacy law, according to a new complaint, Fast Company, 12 September 2018
- Brave browser files GDPR breach complaints against Google in the EU, ZDNet, 12 September 2018
- Brave browser dumps Google search in France, Germany, CNET, 12 September 2018
- So Brave: Browser biz sics Brit watchdogs on Google’s info slurpage, The Register, 12 September 2018
- Pro-privacy company Brave files GDPR complaint against Google, TechSpot, 12 September 2018
- Privacy-focused browser Brave sues Google, claims breach of Europe’s GDPR rules, Digital Trends, 12 September 2018
- Google Responds to Allegations That It Violates GDPR, Tom’s Hardware, 12 September 2018
- Privacy-browser Brave launches GDPR ad tech ‘test case’ against Google, Marketing Tech News, 12 September 2018
- Brave Launches Legal Offensive on Google Ads Data Collection Practices, CoinDesk, 12 September 2018
 Duncan McCann and Miranda Hall, “Blocking the data stalkers”, New Economics Foundation, December 2018 (URL: https://neweconomics.org/uploads/files/NEF_Blocking_Data_Stalkers.pdf), p. 9.
 See for example Sean Blanchfield, “Frequency capping and ad campaign measurement under GDPR”, PageFair, November 2017 (URL: https://pagefair.com/blog/2017/gdpr-measurement1/).