New offensive opens in war to prove Google flouts GDPR

Google’s Authorised Buyers real-time bidding system, used by millions of websites to serve ads to users, deliberately leaks personal data about those visitors to thousands of advertisers 24/7 – without consent.
That is the latest claim made by Johnny Ryan, chief policy officer of tech start-up Brave, as the battle to prove that Google is riding roughshod over GDPR ratchets up yet another gear.
Official complaints – on behalf of Brave, the Open Rights Group and University College London – were lodged in September last year with the aim of triggering an EU-wide investigation.
Since then, the trio have presented further evidence to support their case and in May their demands were answered when the Irish Data Protection Commission announced the first ever statutory investigation into the Internet giant.
At the time, the DPC said: “The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of GDPR, including the lawful basis for processing, the principles of transparency and data minimisation, as well as Google’s retention practices.”
A month later, Berlin-based campaign group Liberties fired off complaints to data protection authorities across Europe, arguing that real-time bidding systems, and Google’s Authorised Buyers programme in particular, go against GDPR rules by failing to obtain users’ informed consent.
In the new evidence, which has been handed over to the DPC, Ryan said he had uncovered hidden web pages while tracking his personal data on Google’s ad exchange. He claimed the tech giant had tagged him with an identifying tracker, which could be used by companies to target ads based on his browsing history.
Ryan added: “This practice is hidden in two ways: the most basic way is that Google creates a page that the user never sees, it’s blank, has no content, but allows third parties to snoop on the user and the user is none the wiser. I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.”
A spokesperson for Google responded: “We do not serve personalised ads or send bid requests to bidders without user consent. The [regulators] are already looking into realtime bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”
In June, the UK Information Commissioner’s Office published a damning report into adtech practices – specifically real-time bidding – which set out nine “systemic concerns” the regulator has with the level of compliance of RTB, programmatic and behavioural advertising systems. It gave the industry six months to get its house in order but then faced criticism that it risked being seen as “all mouth, no trousers” unless it launched enforcement action against the adtech industry’s mass abuse of consumer data.
