Last September, a complaint was filed against Google and other ad auction companies about a data breach that “affects virtually every user on the web”. This complaint was made by a host of privacy activists and browser makers, alleging that tech companies broadcasted people’s personal data to dozens of companies, without proper security through a mechanism of “behavioural ads”. The complaint stated that every time a person visits a website and is shown a “behavioural” ad on a website; intimate personal data describing each visitor and what they are watching online is captured and broadcast to tens or hundreds of companies. This was done in order to request potential advertisers’ bids for the attention of the specific individual visiting the website.
The complaints were lodged by Jim Killock of the U.K.’s Open Rights Group, tech policy researcher Michael Veale of University College London, and Johnny Ryan of the pro-privacy browser firm Brave. They claimed that Google and other ad-tech firms were breaking the EU’s strict General Data Protection Regulation (GDPR) by unlawfully recording people’s sensitive characteristics.
Now, new evidence has been released by the very same organizations that filed last September’s complaint, showing the data broadcasted includes information about people’s ethnicity, disabilities, sexual orientation and more. This sensitive information allows advertisers to specifically target incest, abuse victims, or those with eating disorders. The irony of it being, yesterday was ‘International Data Protection Day”.
What is Behavioral advertising?
Yahoo finance has explained the concept of behavioral advertising very simply. The online ad industry tracks a person’s movements around the internet and builds a profile based on what the individual looks at/ sites the user visits. On visiting a webpage that runs behavioral ads, an automated auction takes place between ad agencies with the winner allowed being to show the user an ad that supposedly matches their profile.
This ultimately means that for the real-time bidding system to work, personal details of the users have to be broadcasted to the advertisers in so-called “bid requests”.
Evidence against Google and IAB
Joining the list of complainants is Poland’s Panoptykon Foundation, another rights group, that has complained to its local data protection authority about organizations including Google and the Interactive Advertising Bureau (IAB), which is the industry body that sets the rules for ad auctions.
The evidence submitted by the complainants comprises category lists from Google and IAB, including topics such as being an incest victim, having cancer, having a substance-abuse problem, being into a certain kind of politics or adhering to a certain religion or sect. Special needs kids, endocrine and metabolic diseases, birth control, infertility, diabetes, Islam, Judaism, disabled sports, bankruptcy- these serve as supplementary evidence for the two original complaints filed with the UK’s ICO and the Irish DPC last year.
A Google spokesperson told TechCrunch that the company has “strict policies that prohibit advertisers on our platforms from targeting individuals on the basis of sensitive categories” and that if they did find such ads violating said policies, they would take immediate action”.
The original IAB lists can be downloaded as a spreadsheet. The PDF versions of the IAB lists with special category and sensitive data highlighted by the complainants can be viewed here (v1) and here (v2). You can go ahead and download Google’s original document for more insights on this news.
French data regulator, CNIL imposes a fine of 50M euros against Google for failing to comply with GDPR
European Consumer groups accuse Google of tracking its users’ location, calls it a breach of GDPR
Twitter on the GDPR radar for refusing to provide a user his data due to ‘disproportionate effort’ involved