Privacy activists say online ad industry knowingly violated GDPR

Privacy advocates claim that an organization that represents the online ad industry knew they would be violating privacy laws, but did so anyway, in an updated complaint filed against the group as well as Google.

On Tuesday, the group filed new evidence with data protection authorities in the UK and Ireland against Google and the Internet Advertising Bureau (IAB), the industry association that creates standards and guidelines for online ad practices. 

The new filing includes documents which allegedly show that the IAB knew its ad system would be illegal under the General Data Protection Regulation, or GDPR, a law that protects personal data and privacy for individuals within the European Union.

At the heart of the GDPR complaint is the real-time bidding (RTB) system deployed by virtually every internet advertising company. The filings claim to show evidence that the ad system used by Google and the IAB shares sensitive personal data hundreds of billions of times a day. 

Before a user is served with an ad on a website, their personal data is often shared with third-party companies that take part in an automated auction. These systems share each user’s personal info — like what they’re reading or searching for online — with these third parties, who bid in order to determine what ad is displayed.

According to new evidence obtained from the European Commission, IAB Europe CEO Townsend Feehan knew as early as 2017 that the RTB system would violate GDPR laws. This was before the EU’s sweeping privacy law went into effect in 2018.

In an email to the European Commission Directorate General for Communications Networks, Content and Technology, Feehan sent a document which laid out how such an ad bidding system may simply not work under the GDPR.         

“Consent under the GDPR must be ‘informed’, that is, the user consenting to the processing must have prior information as to the identity of the data controller processing his or her personal data and the purposes of the processing,” says the IAB document. “As it is technically impossible […] in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR.”

Regardless, the IAB claimed it satisfied the GDPR’s consent requirement.

Google has been working with IAB Europe to implement IAB’s Transparency & Consent Framework, which is the association’s technical requirements for GDPR.

“There is no technical way to limit the way data is used after the data is received by a vendor …”

Another IAB document from May 2018 confirms that “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad.”

Further evidence filed against Google and the IAB shows that the seven largest online advertising platforms send out users’ personal data — which could include browsing history and GPS locations —hundreds of billions of times per day.

The original complaint against Google and the IAB was filed in September by the same group of activists, including Brave’s chief policy advisor Dr. Johnny Ryan, Open Rights Group executive director Jim Killock, University College London researcher Michael Veale, and Panoptykon Foundation CEO Katarzyna Szymielewicz.

Last month, the group filed to their complaint which showed that Google and the IAB unlawfully profiled internet users by sexual orientation, medical condition, religion, and ethnicity. According to the group’s documents, the IAB even went so far as to putting internet users into categories such as “incest/abuse support” and “AIDS/HIV.”

The privacy activists say that the RTB system currently allows 595 different types of data in a bid request. They say that “four percent of these should be disallowed or truncated.”

Earlier this year, France’s National Data Protection Commission Google $57 million under the GDPR for not providing user information in a transparent manner. The search giant is the first U.S. tech company to receive a penalty under the privacy law.