Filings submitted to U.K., Irish, and Polish regulators allege that Google was aware that its advertising network business model broke E.U. GDPR laws.
The Register reports that privacy advocates filed new evidence that alleges that both Google and the industry body the Interactive Advertising Bureau (IAB) are aware that their advertising network business model violates the E.U.’s GDPR laws but are doing nothing to make their systems compliant with the law.
These latest filings were submitted shortly after the UK Information Commissioner’s Office (ICO) announced plans to begin investigating programmatic ads; which use personal information and users browsing habits to serve them with ads suited towards their interests. The investigation by the ICO will aim to discover how well-informed Internet users are about this process and how their personal information is used for this type of advertising.
The majority of advertising systems work by allowing advertisers to bid on space on particular web pages in real-time, based on the type of user visiting the page. Ad network code runs on a page triggering an auction between advertisers competing to display their ad on the page, this all happens within a fraction of a second. The winning advertiser’s ad is then placed on the page; this process is called real-time bidding or RTB and takes place automatically when an ad is needed.
The latest complaint alleges that RTB breaks GDPR laws because users have no control over their ad-related personal data being thrown back and forth between advertisers, sites and services. Much of this information is highly personal and can even include the user’s current location. The complaints point to IAB’s openRTB and Google’s Authorized Buyers systems as the key offenders in the case.
The IAB appeared to acknowledge the issue saying in a statement: “As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR.”
The filings were made in the UK by Jim Killock and Michael Veale of the Open Rights Group; in Ireland, Dr. Johnny Ryan, the Chief Policy & Industry Relations Officer of the browser Brave filed a complaint; a complaint was also filed in Poland by the Panoptykon Foundation.