Google, online ad industry accused of abusing intimate personal data in GDPR complaint

Today is International Privacy Day! To celebrate, a group of online privacy activists have set their sites on Google and the online advertising industry.

New in a GDPR complaint by the group of activists discloses how Google and other online ad auction companies unlawfully profile internet users’ diseases, disabilities, sexual orientation, ethnicities, and religion.

When a user visits a website that serves advertising, their personal data is often shared with thousands of third-party companies that take part in an automated auction. The advertising systems categorize each user based on what they’re reading, watching, or searching for. This info is then shared with the third parties who bid to get their ads shown to these specific users. 

Some of the categories users are placed in, like “gadgets” and “bowling,” are harmless. However, other categories are extremely sensitive.

The evidence filed by the group shows that Google allows third-party advertisers to target users based on categories such as “eating disorders,” “left-wing politics,” or “scientology.” 

The Internet Advertising Bureau or IAB, which is the industry association that sets the standards and guidelines for online ad practices, has their own category list which is even more invasive. Categories users can be placed in for advertisers to target include “incest/abuse support,” “hate content,” and “AIDS/HIV.”

The complaint was originally filed in September with national data protection authorities of Ireland and the United Kingdom. Open Rights Group executive director Jim Killock, Dr. Johnny Ryan of the private web browser Brave, and University College London data and policy researcher Michael Veale filed the complaint.

The group claims that the profiling of users with this data is completely unnecessary for ad targeting. Also, they claim it’s unlawful.

Along with the new evidence filed today, the group also announced that Warsaw based digital rights organization, Panoptykon Foundation, has joined the complaint, filing it with the Polish Data Protection Authority.

Just last week, French regulators $57 million under the GDPR. France’s National Data Protection Commission found that the search giant violated the privacy laws in two ways. The commission found that Google wasn’t providing information to its users in a transparent way. They also fined the company for not validly obtaining users’ permission for data processing and ads personalization purposes.