A GDPR complaint against Google and the IAB by privacy advocates claims that ad category listings allow for the mass distribution of intimate personal data


Male powerlessness, drug addiction, right-wing politics, left-wing politics, sexually transmitted diseases, cancer, mental health.

These are just a few of the ad tags that Google's adtech infrastructure regularly links to people who monitor and track their online activities to target them with behavioral ads.

Such intimate and highly sensitive inferences are then systematically disseminated and shared with thousands of third-party companies via the real-time auctioning process that feeds the modern system of programmatic online advertising. Basically, you're looking at the reality behind the operation of scary ads.

This practice is already the subject of a complaint in Europe, filed under the General Data Protection Regulation (GDPR).

Real-Time Auction (RTB) complaint filed last fall by Dr. Johnny Ryan of Private Browser Brave; Jim Killock, Director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London, alleges "systematic and large-scale violations of the data protection regime by Google and others" in the area of ​​behavioral advertising.

According to him, the personalized advertising industry has "created a massive data dissemination mechanism" that brings together "a wide range of information on individuals going far beyond the information required to provide the relevant advertising "; In addition, it "provides this information to a large number of third parties for a range of uses going well beyond the goals that an individual may understand, accept or object to."

"There is no legal justification for such invasive and pervasive profiling and processing of personal data for profit," the complaint says.

The complainants have now submitted additional evidence showing the lists of ad categories used by Google and the Internet Advertising Bureau (IAB), which they believe were systematically founded.

The documents, reviewed by TechCrunch, provide further evidence of the two initial complaints filed with the UK OIC and the Irish DPC last year.

The anti-Polish monitoring NGO, Panoptykon Foundation, also joined the complaint. She informed her local data protection authority of what she describes as a "massive GDPR violation."

"The auction systems are inherently obscure," said Katarzyna Szymielewicz, president of the NGO, in a statement. "The lack of transparency prevents users from exercising their rights under the GDPR. There is no way to verify, correct or delete the marketing categories that have been assigned to us, even if we are talking about our personal data. IAB and Google need to redefine their systems to address this failure. "

Ravi Naik, a partner at ITN Solicitors, who works with the plaintiffs, also added in a statement: "Panoptykon's submissions reinforce the growing focus on real-time bidding. The complaint is based on our work before the UK ILO and the Irish CPD. We expect a series of complaints to follow across Europe and we are fully awaiting an EU-wide regulatory response. "

The three taxonomy documents for the content submitted in evidence include a document used by Google and two others compiled by IAB to provide publishers with lists of categories of ads.

The pair makes the lists available to online publishers, but general Internet users are not encouraged to consider how their online business is divided into ad categories so that their attention is sold to the highest bidder. .

And while many categories of ads seem quite harmless (hatchbacks, pets, poetry, etc.), others, such as the ones we have mentioned above, can be very intimate and / or sensitive.

In Europe, these categories of sensitive data constitute what is considered as special category personal data, namely the most sensitive types of personal data, including medical information; political affiliation; religious or philosophical points of view; sexuality; and information revealing racial or ethnic origin.

Several types of these special category data appear to be included in the content taxonomy lists we examined.

In the PMPR, the processing of special category data generally requires the explicit consent of the users – with very few exceptions, for example to protect the vital interests of the individuals concerned (and, well, trying to sell Viagra will not be eligible ).

The initial complaints argue that it is unlikely that Internet users will know that such labels are stuck in them routinely, let alone the extent of the sharing of their personal data with third parties participating in programmatic auctions essentially balancing.

The RTB process does not offer Internet users the opportunity to consent to each transaction of personal data. If that happened, web browsers would be overwhelmed with scary requests for intimate information processing about them from dozens of unknown companies. And there is no reason to think that it would suit people.

"The rate at which RTB occurs means that such special category data may be disseminated without consent or control over the dissemination of that data. Since this data is likely to be disseminated to many organizations that would like to merge it with other data, extremely complex profiles of individuals can be generated without the knowledge of the individual concerned, let alone their consent, "writes the group in its initial complaint.

"The industry facilitates this practice and does not put in place adequate safeguards to ensure the integrity of this personal data (and special categories). In addition, it is unlikely that anyone will know that their personal data has been so disseminated and disseminated unless they can, in one way or another, submit requests for access to the website. subject to a wide range of societies. It is unclear whether these organizations have a history of compliance with these requests. Without regulatory action, it is impossible to guarantee the compliance of data protection regulations at the industry level. "

They cite an estimate from the New Economics Foundation that suggests auction companies to advertise intimate profiles about an average British surfer 164 times a day, adding: "Tracking IDs and other personal information are not actually necessary for targeting ads, but allow you to be re-identified and profile every day. "

Here are some more sensitive tags that are associated with the identities of web users and shared with thousands of auctioning companies candidates. In this case, the labels are the ones that IAB uses: Children with Special Needs, Endocrine and Metabolic Diseases, Birth Control, Infertility, Diabetes, Islam, Judaism, Sports for the Disabled, Bankruptcy.

These categories come from the V2 of the IAB Content Taxonomy.

The group also submitted v1 of the IAB taxonomy as evidence, and this list includes other extremely intimate categories – including a category of "support for incest / abuse".

The IAB claims to have depreciated the v1 list but the plaintiffs claim that it is still used in the last IAB auction system.

We solicited feedback from IAB Europe.

By filing this new evidence, the plaintiffs argue that it points to "the unreasonable degree of privacy of the personal data disseminated at auctions".

"The evidence we file today shows that the IAB and Google auction system can broadcast remarkably intimate details about what you watch, listen to and read online. "Special category" personal data such as this one benefit from special protections in the GPR. I think that raises the stakes of our complaint, "Ryan de Brave told TechCrunch.

"The players in this ecosystem are very keen on what the public thinks is anonymous, or at least non-sensitive data, but that's just not the case. Extremely detailed and invasive profiles are systematically built and exchanged as part of today's real-time bidding system. This practice is treated even if it is a simple fact of life online. This is not the case: and it must and can stop, "added Veale in a statement.

The original IAB lists can be downloaded as a spreadsheet here (see tab 2 for list v1, and tab 1 for v2). The PDF versions of the IAB lists containing a special category and sensitive data highlighted by the plaintiffs can be viewed here (v1) and here (v2).

The original Google document can be downloaded here from developers.Google.com. (An annotated version highlighting the special category data is also available from Brave here.)

We also asked Google to comment on the latest developments in the complaint. Update: A spokesman for the company sent us the following statement:

We apply strict rules that prohibit advertisers on our platforms from targeting people based on sensitive categories such as race, sexual orientation, health status, pregnancy status etc. If we found ads on our platform that violated our policies and were trying to use sensitive interest categories to target ads to users, we would take immediate action.

It should be emphasized that the crucial point of the complaint against RTB lies in the fact that the GDPR requires that personal data be processed "so as to ensure appropriate security of personal data". The argument is therefore that the current online auction system inherently endangers personal data.

And simply declaring that you have a policy prohibiting the processing of personal data "like that" is not the same as having a system that does not create and resize risks.

After receiving Google's category listings and IAB for review, an OIC spokesperson told us: "The ICO and our partners in the European Protection Committee data is already in place on various Google issues and we are more involved in the industry. We are looking at the concerns that have been expressed to us. "

The agency has made online behavioral advertising a top priority, noting in its technology strategy that it is deepening Web and cross-device tracking, citing examples such as the fingerprint of devices, browsers, and paintings.

"This should continue as more devices connect to the Internet (IoT, vehicles, etc.) and individuals use more devices for their online business," the strategy paper says. "These new online tracking capabilities are becoming more prevalent and pose much greater risks in terms of systematic monitoring and tracking of people, including online behavioral advertising. The combination of intrusive technologies makes this area a priority. "