The online ad industry is facing one of the biggest threats to its current business model after the Irish privacy regulator confirmed it is launching a statutory inquiry into whether Google Ad Exchange – which accounts for a huge slice of the firm’s $136bn (£108bn) revenues – is in breach of GDPR.
Official complaints – on behalf of tech start-up Brave, the Open Rights Group and University College London – were lodged in September last year with the aim of triggering an EU-wide investigation.
Since then, the trio have presented further evidence to support their case.
Ad Exchange is a real-time marketplace linked to the Google Display Network for buying and selling advertising. Unsurprisingly, the company bigs up its performance: “If you go butterfly hunting during the height of summer, the bigger your butterfly net, the more butterflies you’ll be able to catch. The same goes for your customers: if you use a wider net, you might be able to capture customers from high-traffic parts of the web that weren’t previously available to you. That’s why showing your ads on Ad Exchange publisher sites can help you bring in new customers that you weren’t able to reach before.”
However, the complainants argue that when users search on Google, personal information on their online behaviour is broadcast to multiple companies interested in targeting them with ads without users’ consent.
The system is one of the biggest behavioural advertising programmes in the world. According to IHS Market, 86% of programmatic advertising uses behavioural data, with the overall market estimated to be worth $273bn (£216bn).
The Irish Data Protection Commission (DPC) probe is the first such investigation of this kind launched by the data watchdog into the Internet giant.
In a statement, the DPC said: “The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the General Data Protection Regulation (GDPR), including the lawful basis for processing, the principles of transparency and data minimisation, as well as Google’s retention practices.”
In a statement, Google said it would fully engage with the DPC’s investigation. Previous investigations by the Irish DPC have reached a draft decision in about seven to eight months, though this probe could take longer.
Google became the first major tech giant to be fined under GDPR when French regulator CNIL ruled in January that it had failed to provide transparent and easily accessible information on its consent policies.
The company has since launched an appeal against the €50m (£44m) fine, insisting that its consent process was in line with guidance provided by data regulators.
IAB in dock over sector’s ‘systemic’ breaches of GDPR
Google appeals €50m fine, insisting it followed guidance
Google ruling puts digital marketing industry on alert
Google hit for €50m as French issue first GDPR fine
$273bn behavioural ad industry ‘is in breach of GDPR’
Let battle commence: first GDPR complaints are filed