Google Accused Of Using Sensitive Data To Target Online Ads

Technical online advertising standards developed by Google and the Internet Advertising Bureau (IAB) have been accused of publicising users’ browsing habits, including information about their health, sexuality, politics, ethnicity and other areas, in contravention of new data protection rules.

A case against the two organisations by private browsing company Brave, along with the Open Rights Group and a researcher at University College London, is the latest move to increase scrutiny of online advertising practices in light of the General Data Protection Regulation (GDPR), which came into force last year.

The case, which concerns the online advertising industry’s arcane real-time bidding (RTB) processes, was filed last autumn. Brave and the others have now filed additional evidence with the UK and Ireland data protection agencies, showing that the lists of ad categories involve the systematic use of sensitive information categories.

The complaint has also now been joined by the Panoptykon Foundation, a Polish group that has filed a complaint with that country’s regulator, alleging “massive GDPR infringement”.

‘Systemic’ GDPR breaches

Brave’s complaint alleges “wide-scale and systemic breaches of the data protection regime by Google and others”.

In its drive to personalise advertisements, the ad industry has created a “mass data broadcast mechanism” that makes use of “a wide range of information on individuals going well beyond the information required to provide the relevant adverts”, the complaint says.

The industry then “provides that information to a host of third parties for a range of uses that go well beyond the purposes which a data subject can understand, or consent or object to”, the allegations say, adding that there is “no legal justification” for these practices.

The complainants submitted three content taxonomy documents as evidence, including one used by Google and two compiled by the IAB for use by publishers.

The categories cover areas such as “mental health”, “infertility” and “blood disorders”.

They are designed for use in automated real-time bidding processes, but are largely unknown to users.

In nearly all cases, the GDPR requires data processors to obtain explicit consent from users to handle sensitive data.

“Every time you visit a website that uses ad auctions, personal data about you is broadcast to tens or hundreds of companies in order to solicit bids for the opportunity to show you an ad,” stated Brave chief policy officer Johnny Ryan.

“The personal data are simply not secure once broadcast, and the technical and organisational safeguards that have been put in place serve to show that data breaches are inherent in the design of the industry.”

“Ad auction systems are obscure by design,” said Panoptykon Foundation president Katarzyna Szymielewicz. “Lack of transparency makes it impossible for users to exercise their rights under GDPR. IAB and Google have to redesign their systems to fix this failure.”

Technical standards

Google and the IAB have said the categories relate to content on a web page, and not to profiles of individual users.

They say their policies prohibit advertisers from targeting users on the basis of sensitive information.

The IAB’s Tech Lab added that it does not believe its technical standards are subject to the GDPR, comparing them to HTTP or the blockchain.

Google is currently preparing to appeal a 50m euro fine under the GDPR for lack of transparency in the way it processes data and for a lack of legal basis for its ad personalisation.

The Information Commissioner’s Office said it was engaged with other European regulators on that case and others related to Google and online advertising.

“The Information Commissioner’s Office and our partner authorities on the European Data Protection Board are already engaged on various issues relating to Google and we are engaging with the industry more widely,” the ICO said. “We are considering the concerns that have been raised with us.”

The regulator has made online ad targeting a priority, saying in its Technology Strategy that it is investigating areas including cross-device tracking, device fingerprinting and browser fingerprinting.

“These new online tracking capabilities are becoming more common and pose much greater risks in terms of systematic monitoring and tracking of individuals, including online behavioural advertising,” the ICO said in its strategy document. “The intrusive nature of the technologies in combination drives the case for this to be a priority area.”

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
