Privacy Advocates Say Ad Auctions Leak Sensitive Data About Users

Complaint criticizes the building blocks of ad tech

The complaint charges that IAB and Google's ad auctioning systems fail to ensure that users' personal data is protected from "unauthorized access."

In a sign of potential woes to come in the U.S. media sector, privacy advocates in the European Union are going after the very fundamentals of online media monetization, claiming the ad auction process used by companies like Google broadcasts highly sensitive user information in a way that violates the member states’ General Data Protection Regulation.

In a new legal complaint filed in Poland Monday, privacy advocates charge that the Internet Advertising Bureau’s ad auctioning system RTB 3.0 and Google’s RTB “Publisher Verticals” may let advertisers profile and target users based on sensitive information, including religious affiliation, sexual orientation and medical conditions.

The complaint argues that much of the backbone of ad tech could be found to violate GDPR, underscoring ongoing confusion over how the GDPR hammer will come down on the industry. As more federal and statewide data privacy regulations come down the pike in the U.S., legal experts expect similar dynamics could soon be at play in North America.

When it comes to privacy, are the fundamentals of ad tech flawed?

The complaint, which the Warsaw-based Panoptykon Foundation filed with Poland’s data protection authority, charges that IAB and Google’s ad auctioning systems fail to ensure that users’ personal data—such as what kind of content they are consuming and their IP address—is protected from “unauthorized access” because of the way that personal information about users is broadcast through a bid request in an online ad auction. The complainants say the exposure of personal information without the prior consent of a website user is a violation of GDPR.

The Panoptykon Foundation also contends that some of the labels included in the two systems, when combined with the other personal data in the bid request, should be considered “special category personal data,” described in Article 9 of the GDPR.

For instance, one category defined by the IAB Tech Lab categorizes content based on “incest/abuse support,” which the complainants said could be used to both target and profile an internet user as a victim of incest or abuse.

Google’s “Publisher Verticals” is a similar list to the IAB’s RTB 3.0 that classifies web content based on keywords and allows advertisers to make decisions about their ad buys based on the content near which their advertisements will display. That list, which publishers can opt out of, includes categories like “eating disorders” and “substance abuse.” The complaint alleges that that information could be combined with users’ personal information in the bid request and that companies could target and profile internet users based on it.

The complaint joins earlier complaints filed by other privacy advocates, including from the Open Rights Group and the privacy-centric web browser Brave, in Ireland and the U.K.

Dr. Johnny Ryan, the chief policy and industry relations officer of Brave, said the only way for the industry to address the privacy issues the complaint raises is to institute a major overhaul of the ad-tech ecosystem that takes personal data out of the equation.

“The way forward is for ad auction companies to remove personal data from their bid requests,” Ryan told Adweek. “Marketers need to protect themselves from the risk they are exposed to by the ad auction system and press the IAB and Google to strip personal data from ad auctions. The use of personal data—such as your pseudonymous IDs, latitude & longitude, IP addresses [and] specific device details—needs to stop.”

Regulators are starting to issue heavy fines

The ad-tech sector has increasingly come under scrutiny and strain since the passage of GDPR, and complaints that ad-tech companies have failed to comply have been rolling in since the opening day of its enforcement last year. Last week, France’s data protection authority CNIL handed Google a $57 million fine.
