Privacy Advocates Say Ad Auctions Leak Sensitive Data About Users

Complaint criticizes the building blocks of ad tech

The complaint charges that IAB and Google's ad auctioning systems fail to ensure that users personal data is protected from "unauthorized access." Getty Images

In a sign of potential woes to come in the U.S. media sector, privacy advocates in the European Union are going after the very fundamentals of online media monetization, claiming the ad auction process used by companies like Google broadcasts highly sensitive user information in a way that violates the member states’ General Data Protection Regulations.

In a new legal complaint filed in Poland Monday, privacy advocates charge that the Internet Advertising Bureau’s ad auctioning system RTB 3.0 and Google’s RTB “Publisher Verticals” may let advertisers profile and target users based on sensitive information, including religious affiliation, sexual orientation and medical conditions.

The complaint argues that much of the backbone of ad tech could be found to violate GDPR, underscoring ongoing confusion over how the GPDR hammer will come down on the industry. As more federal and statewide data privacy regulation come down the pike in the U.S., legal experts expect similar dynamics could soon be at play in North America.

When it comes to privacy, are the fundamentals of ad tech flawed?

The complaint, which the Warsaw-based Panoptykon Foundation filed with Poland’s data protection authority, charges that IAB and Google’s ad auctioning systems fail to ensure that users’ personal data—such as what kind of content they are consuming and their IP address—is protected from “unauthorized access” because of the way that personal information about users is broadcast through a bid request in an online ad auction. The complainants say the exposure of personal information without the prior consent of a website user is a violation of GDPR.

The Panoptykon Foundation also contends that some of the labels included in the two systems, when combined with the other personal data in the bid request, should be considered “special category personal data,” described in Article 9 of the GDPR.

For instance, one category defined by the IAB Tech Lab categorizes content based on “incest/abuse support,” which the complainants said could be used to both target and profile an internet user as a victim of incest or abuse.

Google’s “Publisher Verticals” is a similar list to the IAB’s RTB 3.0 that classifies web content based on keywords and allows advertisers to make decisions about their ad buys based on the content near which their advertisements will display. That list, which publishers can opt out of, includes categories like “eating disorders” and “substance abuse.” The complaint alleges that that information could be combined with users’ personal information in the bid request and that companies could target and profile internet users based on it.

The complaint joins earlier complaints filed by other privacy advocates, including from the Open Rights Group and the privacy-centric web browser Brave, in Ireland and the U.K.

Dr. Johnny Ryan, the chief policy and industry relations officer of Brave, said the only way for the industry to address the privacy issues the complaint raises is to institute a major overhaul of the ad-tech ecosystem that takes personal data out of the equation.

“The way forward is for ad auction companies to remove personal data from their bid requests,” Ryan told Adweek. “Marketers need to protect themselves from the risk they are exposed to by the ad auction system and press the IAB and Google to strip personal data from ad auctions. The use of personal data—such as your pseudonymous IDs, latitude & longitude, IP addresses [and] specific device details—needs to stop.”

Regulators are starting to issue heavy fines

The ad-tech sector has increasingly come under scrutiny and strain since the passage of GDPR, and complaints that ad-tech companies have failed to comply began rolling in since the opening day of its enforcement last year. Last week, France’s data protection authority CNIL handed Google a $57 million fine.

As online privacy and security takes on political implications, U.S. legislators and the general public alike have begun taking a closer look at the highly profitable advertising industry that makes up the backbone of huge swaths of the internet, prompting industry leaders to defend their business practices.

The IAB Tech Lab, a partner organization of the overarching trade body IAB, maintains that its Content Taxonomy and OpenRTB protocol—the two ad targeting methods criticized in the Monday filing—are compliant with GDPR. In a statement sent to Adweek, the IAB Tech Lab noted how its standards enable media organizations and other businesses to communicate and work with each other in ways that were not possible prior to their release.

“OpenRTB, as with HTTP or Wi-Fi, is a protocol that companies across the world can choose to use pursuant to applicable laws, regulations, and consumer preferences,” a spokesperson said. “The Content Taxonomy, OpenRTB, and other protocols are not themselves subject to GDPR, which regulates how organizations use such technologies to process or direct the processing of personal data for specific purposes.”

A Google spokesperson said the use of its “Publisher Verticals” list as explained in the complaint would be a clear violation of Google’s policies, which prohibit advertisers from targeting users based on categories “such as race, sexual orientation, health conditions [and] pregnancy status.” If Google found ads that used sensitive interest categories to target ads to users, the spokesperson added, Google “would take immediate action.”

Is greater clarity needed?

Some industry sources have complained that the wording of GDPR has made it difficult to interpret the role different companies should play under the legislation, including whose responsibility it is to collect user consent on behalf of ad-tech companies to process consumer data. That’s not a view shared among everyone—including Brave’s Dr. Ryan.

Nonetheless, a lack of consensus among industry stakeholders about who is responsible for obtaining consent for data access has led to some gridlock. Google, for instance, has yet to list as a vendor with the IAB’s Transparency Consent Framework. And although the company has agreed to list as TCF-compliant in principle, one source close to negotiations claimed this is unlikely to occur until 2H19.

The filing comes as industry players face similar scrutiny from policymakers. Regulations similar to the 2018 California Consumer Privacy Act are expected to come up for the debate in statehouses around the U.S., while federal legislators push for standardized data privacy rules.

Gary Kibel, a U.S.-based partner specializing in digital media at law firm Davis & Gilbert, noted how ad-tech companies in Europe are struggling with GDPR as local DPAs often interpret its distinctions differently.

“The ad-tech industry could soon be facing similar uncertainty in the U.S., as the new California Consumer Privacy Act has created much confusion and other states such as Washington and New York are proposing new laws with different standards, and the federal government [is] looking to get in on the act,” Kibel explained.

In other words, this is a phenomenon that could spread soon across the Atlantic.

@kelseymsutton Kelsey Sutton is the streaming editor at Adweek, where she covers the business of streaming television.
@ronan_shields Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.