Ad customization technology used by Google and other companies is in violation of Europe’s new General Data Protection Regulation, according to a complaint filed yesterday in a case that could become a test of the scope of the still-new privacy law.
The complaint, filed by a cofounder of Mozilla and executive at secure browsing company Brave, a researcher at University College London and the executive director of the U.K.’s Open Rights Group, argues that real-time ad placement software violates the law by sharing people’s personal data, including what sites they’re accessing, information about their devices, their locations or IP addresses, and market segment identifiers with potentially hundreds of companies involved in bidding on ads.
That data is exposed to advertisers in the process of a “bid request,” when advertisers bid on the right to show ads in particular web page slots to particular users based on behavioral data about them and the pages they’re visiting.
“This is particularly egregious since the data concerned are very likely to be ‘special categories’ of personal data,” writes Johnny Ryan, the chief policy and industry relations officer for Brave, in a report. “The personal data in question reveal what a person is watching online, and often reveal specific location. These alone would reveal a person’s sexual orientation, religious belief, political leaning, or ethnicity. In addition, a ‘segment ID’ that denotes what category of person a data broker or other long-term profiler has discovered a person fits into.”
A call to investigate real-time bidding
The complaints point both to Google’s “Authorized Buyers” ad market software and to an industry standard called OpenRTB. (“RTB” stands for real-time bidding.) Citing a violation of Article 5, paragraph 1 of the GDPR, they argue that the bidding systems don’t comply with the requirement that data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Google’s system and OpenRTB fail to notify people when their data is disseminated, give users a formal way to object to third-party use of their data, or provide sufficient controls to prevent further use of the data, according to the complaints. The complainants hope to trigger an EU-wide investigation into the ad tech industry’s practices.
Google says that it takes steps to comply with the law and safeguard privacy.
“We build privacy and security into all our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation,” a Google spokesperson said in an email to Fast Company. “We provide users with meaningful data transparency and controls across all the services that we provide in the EU, including for personalized advertising.”
An optional feature enables users to alternatively reward publishers of sites they visit with blockchain-based tokens called basic attention tokens. Users can set up monthly contributions that are distributed among the sites they visit. Future versions of the software may replace ads on websites with Brave’s own ads if users opt in as a way to receive more of Brave’s tokens, a proposal that’s been controversial with web publishers.
In general, behavioral and demographic ad targeting has proven far more controversial in recent months, especially after revelations about companies like Cambridge Analytica using the technology to target voter population segments and Facebook enabling targeting of ads that critics say enabled illegal discrimination.
“Those complaints are significant and the consequences could be far-reaching,” says Ravi Naik, a partner at ITN Solicitors who is working on the case. “We are confident that any proper appraisal by the authorities of the concerns will lead to a fundamental shift in our relationship with the internet, for the better.”