The ad-tech industry had gathered in Europe this week for the Dmexco trade show when Brave, the outfit behind a controversial web browser, took the opportunity to deal a GDPR-sized blow to the sector.
Earlier this week representatives of Brave, the Open Rights Group and University College London filed simultaneous complaints with Data Protection Authorities (DPAs) in the U.K. and Ireland under GDPR rules. The concerned parties are seeking a pan-European investigation into the practices of just about every ad-tech company—Google, in particular—in a challenge that will have far-reaching implications for the media business if successful.
“The complaint notifies European regulators of a massive and ongoing data breach that affects virtually every user on the web,” according to a blog post noting the filing.
According to the complainants, every time a consumer visits a website and is shown a “behaviorally targeted ad,” the delivery process involves the broadcast of “intimate personal data to tens or hundreds of companies,” a practice that is no longer acceptable without specific user consent under GDPR rules.
Dr. Johnny Ryan, a complainant named in the filing and Brave’s policy chief, claims that tensions over reconciling Google and the IAB’s respective GDPR-compliance proposals are immaterial as ad tech’s fundamentals are simply at odds with the E.U. privacy laws that came into practice on May 25.
Citing a comprehensive study into the ad-tech sector’s use of personal data for behavioral targeting, he likens just about every online bid request to “scattering people’s data all over the internet.”
Ryan told Adweek that unique personal identifiers used by the entire ad-tech sector—such as consumers’ precise location data, IP address and what ISP they use—are in violation of the statute, which threatens fines of up to €20 million, or 4 percent of the global annual revenue of offending parties. His aim is to trigger an E.U.-wide investigation.
“The IAB’s consent proposals [for handling and processing consumers’ personal data] is an honor system, but GDPR clearly states that you trust no one,” he said. “The proposals are like saying, ‘Here’s a data breach,’ and that’s not legal.”
In particular, the complainants cite the proprietary real-time bidding (RTB) practices of Google’s behavioral advertising business that aggregates third-party demand and supply, which was known as DoubleClick until its June rebrand to Google Ad Manager. This part of Google’s business uses a series of identifiers to match supply and demand and is by far the most widely used in the digital media landscape.
Neither the U.K. nor Irish DPAs were available for comment at the time of writing. Under GDPR rules, both outfits must issue the complainants with either a progress report or resolution within three months of the original filing.
Meanwhile, the CEO of IAB Europe, Townsend Feehan, said the assertions made in the filings represented “a fundamental misunderstanding” of said laws, adding that the trade body’s GDPR-compliance framework is firmly in keeping with GDPR principles.
When approached by Adweek, a Google spokesperson acknowledged that European DPA guidance makes it clear that consent is required for personalized ad targeting and issued the below statement.
“We build privacy and security into all our products from the very earliest stages and are committed to complying with the E.U. General Data Protection Regulation,” it read. “We provide users with meaningful data transparency and controls across all the services that we provide in the E.U., including for personalized advertising.”
Google is still at odds with the wider ad-tech sector
Meanwhile, in a separate briefing with journalists hosted at Dmexco—prior to the publication of Brave’s complaints—Philipp Schindler, svp and chief business officer at Google, spoke of the complexities the entire industry is attempting to grasp.
“We’re not only responsible for our own business, we’re also responsible to help our advertiser partners and publishers through our DoubleClick business (a huge business of ours) and certain trade associations to successfully transition to this world,” said Schindler.
However, “certain specificities” (which he declined to elaborate upon when probed by Adweek) mean that Google and the IAB’s consent-transfer proposals are still at odds with one another, despite the statute having been in effect for almost four months.
“Frankly speaking, we’ve seen challenges for them [the wider sector] in order to get ready for GDPR,” he said. “We have to be very, very careful; the devil is in the detail. You have to be careful that whatever you do, you don’t create collateral damages, especially for the smaller players with less resources.”
Google is now part of a working group with other industry players such as Adobe, AppNexus (now part of “AT&T AdCo”), Oath and media buying giant GroupM to resolve the differences between its own GDPR-compliance proposals and those put forward by the IAB, with a resolution expected by the close of September.
However, if this week’s GDPR complainants are successful in their challenge, any such policies will likely have to be scrapped. “This could be the end of RTB as we know it,” concluded Brave’s Dr. Ryan.