Fresh GDPR Complaints Take Aim at Targeted AdvertisingBrowser Upstart Alleges Ad Firms Are Seeing Too Much Personal Data
A web browser startup, Brave, filed complaints on Wednesday in Europe alleging that Google and other behavioral advertising companies are violating the region's strict, newly enforced data protection regulation.
Brave filed one complaint each to the U.K. Information Commissioner's Office and Ireland's Data Protection Commissioner. The complaints notify "European regulators of a massive and ongoing data breach that affects virtually every user on the web," Brave alleges.
The complaints allege that online advertising systems that funnel to ad buyers behavioral and technical data about those who visit a website violate the General Data Protection Regulation, which went into full force on May 25.
Brave contends that the data is passed to hundreds of companies looking to place ads, and there are no safeguards to ensure that the personal data is not misused or lost. The company claims this violates Article 5 of GDPR.
Together with Jim Killock of the U.K.-based Open Rights Group as well as Michael Veale, a data protection and policy researcher at University College London, Brave is asking authorities in the U.K. and Ireland to investigate Google as well as the broader targeted advertising sector.
"The problem is inherent in the design of the industry," according to the complaint submitted to the U.K.'s ICO.
Brave's Self Interest
GDPR has already reshaped the data collection and processing procedures of companies around the world. Microsoft and Facebook, for example, have said they will apply its principles worldwide in anticipation of other jurisdictions adopting similar rules (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
Regulatory experts have predicted the emergence of GDPR complaints will trigger confrontations with technology giants such as Google, Facebook and others. The companies have built staggering fortunes by attracting users with free products and building targeted advertising systems underpinned by personal data (see GDPR Effect: Data Protection Complaints Spike).
The Brave browser blocks virtually all web "trackers" and beacons that transmit data used for targeted advertising. Instead, Brave is experimenting with a privacy-focused model that rewards users for interacting with ads.
That reward is paid in the Basic Attention Token, a type of digital currency created by Brave. It is also experimenting with rewarding publishers with BATs based on how long someone spends on a website, a model that doesn't rely on using personal data.
Bidding For Ad Slots
Brave's GDPR complaint takes aim at "programmatic" advertising, a type of advertising system that emerged about eight years ago. It relies on a type of auctioning system that's often referred to as real-time bidding.
There are two major technology platforms for ad auctioning: OpenRTB, created by the Internet Advertising Bureau, and Google's Authorized Buyers, which formerly was known as DoubleClick Ad Exchange, according to a position paper from Johnny Ryan, Brave's chief policy and industry relations officer. Ryan's paper was submitted to regulators along with the complaints.
Many websites sign up with ad exchanges, or brokers such as Google, to fill their ad inventory. When someone visits a website, the ad exchange puts the available ad inventory up for an auction.
Before the auction takes place, the ad exchange sends data that it knows about the person and device used to view the website. The data can include what the person has viewed before, their location or IP address, tracking IDs that have been set on the computer using cookies and a variety of device-specific data. Ryan's paper says OpenRTB's specification also can include such data as a person's year of birth and gender.
As part of the auction, the data is transmitted to potentially hundreds of other companies in order for them to determine whether they want to bid on the ad space. The online advertising industry has usually maintained that the data it collects during an individual's web browsing has been sufficiently anonymized in ways that it couldn't be linked to an actual person.
But Brave contends the data is much more than what is needed to serve relevant advertising. The data that goes to third parties also goes "well beyond the purposes which a data subject can understand, or consent or object to."
GDPR mandates that European consumers must know what data is collected prior to it being collected and how the data is used, and it also grants the right to request that data be deleted.
The Sharing Problem
Brave's complaints also contend once that data has been transmitted to those other parties, there are no controls to ensure that the data is protected and isn't misused.
Ryan's paper acknowledges that IAB Europe has recommended that to comply with GDPR, companies should only share personal data with other companies if there's a legal basis for processing it. But Ryan contends there's no way to protect the data once it's transferred.
"There are no technical measures in place to adequately protect the data," he writes. "In other words, once DSPs [demand-side partners, or ad buyers] receive personal data, they can freely trade these personal data with business partners, however they wish."
In many ways, it's the problem Facebook faced with Cambridge Analytica, the now-defunct voter profiling firm, that resulted in regulatory inquiries and deep questions over how the social networking site protects the personal data it collects (see Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
Before it changed its policies in 2014, Facebook allowed app developers using its platform to collect a variety of potentially sensitive personal information about its users. A Cambridge University professor, Aleksandr Kogan, did this when he deployed a personality quiz on the site in 2014.
Against Facebook's rules, Kogan later passed the data onto Cambridge Analytica, which at one time worked on developing digital campaigns for U.S. President Donald Trump. After the controversy erupted, Facebook pledged to see if other app developers had violated its rules and improperly shared data. In August, it said it had so far suspended 400 apps and was still investigating thousands more.
The picture that has emerged is that while Facebook contractually prohibited the sharing of personal data, it had no way of enforcing the rules or knowing if app developers had violated them.
Whether Brave's complaint will gain currency with regulators remains to be seen. But it could potentially set up one of the largest-ever battles, and one that online advertising companies are likely to fiercely contest.