The battle against what is claimed to be the “the world’s largest data breach, every day” is moving to the courts with a lawsuit filed in Germany against adtech industry group IAB Tech Lab, which develops digital ad industry standards.
The action is the latest attempt by Johnny Ryan, a long-term crusader against the adtech industry and former Brave executive, who is now a senior fellow at the Irish Council for Civil Liberties.
The first complaint – filed with the Irish Data Protection Commissioner and the UK Information Commissioner’s Office – on behalf of tech start-up Brave, the Open Rights Group and University College London was lodged in September 2018, aimed at triggering an EU-wide GDPR investigation into the practice.
Among the allegations are that Google’s realtime bidding system sends data to 968 companies, while just three ad exchanges (OpenX, IndexExchange and PubMatic) have made around 113.9 trillion RTB broadcasts in the past year alone.
However, nearly three years later and both investigations look no closer to a conclusion, although an investigation by the Belgian data protection authority recently found serious GDPR infringements by IAB Europe.
The Autorité de la Protection des Donnés (APD), which is the EU lead enforcer for e-privacy, launched a probe into IAB Europe’s Transparency & Consent Framework following 22 complaints about the system, including one from the ICCL.
However, Ryan has now turned his sights onto IAB Tech Lab, a division of the industry body which provides industry-standard, two and three-digit codes which represent a huge number of categories – including subject areas like sexuality, religious views and whether the device appears to belong to someone with debts. They are attached to individual profiles.
In the legal challenge, being led by German law firm Spirit Legal, it is alleged that online users have never actively consented to this data being gathered or shared.
IAB TechLab’s members include tech giants Google, Facebook and Amazon, data brokers Equifax, Experian and Acxiom, and advertising and marketing agencies Group M, Publicis, and InterPublic Group among many others.
Ryan said: “Every time we load a page on a commercial website or use an app, the website or app tells tens or hundreds of companies all about us, so that their clients can decide whether to bid on the opportunity to show you an ad.
“These bid requests include inferences of your sexual orientation, religion, what you’re reading, watching, and listening to, your location. The law needs to apply and sweep the industry so you can still have your bid requests but without personal data changing hands.
“By challenging the online advertising industry’s standards, our lawsuit takes aim at Google, Facebook, Amazon, Twitter, Verizon, AT&T and the entire online advertising and surveillance industry. This industry tracks us, and builds hidden dossiers about our most intimate secrets. Starting today, we mean to change that.”
The IAB denied any knowledge of the case, although the court papers are dated May 18. A spokeswoman said: “We are reviewing the allegations in conjunction with our legal advisers and will respond in due course, if appropriate.”
‘Super-regulator’ puts TikTok, AI and adtech on notice
ICO gunning for data brokers as adtech probe resumes
DMA wades into ICO row over axed adtech investigation
Belgians rule IAB’s adtech system is in breach of GDPR
Adtech breach widens, two years after first complaints
Privacy groups hit out at fresh delay to adtech probe
‘Chicken’ ICO kicks adtech investigation into long grass
ICO ‘cosies up’ to industry in bid to tackle adtech issue
$273bn behavioural ad industry ‘is in breach of GDPR’