June 21, 2019 at 19:58Situation: Do AdTech companies violate GDPR?
Regulators in Europe have faced a flood of complaints about companies operating in the field of advertising technology. We discuss the situation - the causes and potential consequences. Photos - ev - Unsplash
The appeals are related to RTB (Real-Time Bidding) technology. It is needed for ad auctions and is based on the OpenRTB protocol . Organizations such as IAB , Google, MediaMath, and DataXu are involved in its development . To display targeted advertising, the RTB system identifies website visitors by browsers, social media accounts and cookies. Representatives of large European organizations and universities note that RTB mechanisms violate the requirements of the General Data Protection Regulation (GDPR) and can lead to massive PD leaks. At the end of May, complaints were received by regulators in Spain, the Netherlands, Belgium and Luxembourg. They were sent
representatives of the non-profit organization Eticas Foundation, the Bits of Freedom Foundation, as well as the Universities of Amsterdam and Leuven.
At the beginning of the year, similar complaints were filed by regulators in the UK, Poland and Ireland. They were directed by the developers of the Brave browser, employees of the University of London and representatives of the organization Open Rights Group, which deals with the observance of human rights and freedoms in the digital world.
When a user opens a website page, the RTB system (and similar sites) analyzes his personal data (cookies, etc.) and sends them to hundreds of advertisers. Further, special algorithms on the side of companies decide whether to show ads to this person or not, and set a price for displaying a banner. A visitor to the site will see a banner of the company that offered the largest amount.
Such "auctions" process a huge number of transactions daily. Google’s Authorized Buyers system works with 8 million websites and 2,000 organizations. AT&T’s second most popular AppNexus service completes 130 billion personal data transactions daily. Moreover, according to estimates by The New Economics Foundation, one page can transmit information about the user to another 164 sites (page 4 ).
Experts note that this whole situation is contrary to the fifth article of the GDPR. It permits processing PD only if reliable protection is provided against their loss or compromise. The user must know who uses his data and why. Under current conditions, it is not possible to guarantee compliance with these requirements.
There are already precedents - in May Twitter discovered a bug in the AdTech system. The company accidentally disclosed the location information of some iOS users through RTB mechanisms (although they did not apply any sanctions for this violation).
Photos - Franki Chamaki - Unsplash
Another problem is the inability to control the contents of the behavioral profiles that make up the advertising platform. Some tags that the system “attaches” to users may disclose information that was not intended as public by the user himself — for example, data on potential health problems. Now the AdTech industry does not have special mechanisms by which it is possible to restrict data collection or prohibit their processing on the side of individuals, as required by Article 18 of the GDPR .
IAB says that complaints about the work of companies that provide AdTech tools only harm the development of the digital industry and have no foundation. According to them, the principles of RTB work are fully consistent with the GDPR - in order to meet the requirements of the law, the IAB association last year developed a special framework. With it, site visitors can find out which sites process their personal data. Google uses a list of rules and regulations to protect PD, which are mandatory for the organization itself and partners working in the field of programmatic marketing.
But at the beginning of the year, an anonymous source in the IAB reportedthat the company management is aware of violations by programmatic advertising of the requirements of the General Regulations. According to them, it is “technically impossible” to rectify the situation. Lawyers and public figures called this news evidence of numerous violations of European law by AdTech companies.
Several proceedings are already underway. In May, the Irish regulator launched an investigation into Quantcast. The company is accused of illegally collecting personal data and compiling behavioral profiles. Although representatives of Quantcast say that there are no violations on their part, and all business processes are carried out in accordance with the law. Google is also under investigation due to PD leaks in the Authorized Buyers service - the company runs the risk of receiving another fine in the amount of 4% of the annual turnover.
The Irish Data Protection Commission and other regulators most likely acknowledge violations of the GDPR. In addition, measures can be taken at the European Commission level, which will complicate the work of AdTech companies throughout the European Union.
What are the complaints related to
The appeals are related to RTB (Real-Time Bidding) technology. It is needed for ad auctions and is based on the OpenRTB protocol . Organizations such as IAB , Google, MediaMath, and DataXu are involved in its development . To display targeted advertising, the RTB system identifies website visitors by browsers, social media accounts and cookies. Representatives of large European organizations and universities note that RTB mechanisms violate the requirements of the General Data Protection Regulation (GDPR) and can lead to massive PD leaks. At the end of May, complaints were received by regulators in Spain, the Netherlands, Belgium and Luxembourg. They were sent
representatives of the non-profit organization Eticas Foundation, the Bits of Freedom Foundation, as well as the Universities of Amsterdam and Leuven.
At the beginning of the year, similar complaints were filed by regulators in the UK, Poland and Ireland. They were directed by the developers of the Brave browser, employees of the University of London and representatives of the organization Open Rights Group, which deals with the observance of human rights and freedoms in the digital world.
What does not suit RTB
When a user opens a website page, the RTB system (and similar sites) analyzes his personal data (cookies, etc.) and sends them to hundreds of advertisers. Further, special algorithms on the side of companies decide whether to show ads to this person or not, and set a price for displaying a banner. A visitor to the site will see a banner of the company that offered the largest amount.
Such "auctions" process a huge number of transactions daily. Google’s Authorized Buyers system works with 8 million websites and 2,000 organizations. AT&T’s second most popular AppNexus service completes 130 billion personal data transactions daily. Moreover, according to estimates by The New Economics Foundation, one page can transmit information about the user to another 164 sites (page 4 ).
Experts note that this whole situation is contrary to the fifth article of the GDPR. It permits processing PD only if reliable protection is provided against their loss or compromise. The user must know who uses his data and why. Under current conditions, it is not possible to guarantee compliance with these requirements.
There are already precedents - in May Twitter discovered a bug in the AdTech system. The company accidentally disclosed the location information of some iOS users through RTB mechanisms (although they did not apply any sanctions for this violation).
Photos - Franki Chamaki - Unsplash
Another problem is the inability to control the contents of the behavioral profiles that make up the advertising platform. Some tags that the system “attaches” to users may disclose information that was not intended as public by the user himself — for example, data on potential health problems. Now the AdTech industry does not have special mechanisms by which it is possible to restrict data collection or prohibit their processing on the side of individuals, as required by Article 18 of the GDPR .
What experts say
IAB says that complaints about the work of companies that provide AdTech tools only harm the development of the digital industry and have no foundation. According to them, the principles of RTB work are fully consistent with the GDPR - in order to meet the requirements of the law, the IAB association last year developed a special framework. With it, site visitors can find out which sites process their personal data. Google uses a list of rules and regulations to protect PD, which are mandatory for the organization itself and partners working in the field of programmatic marketing.
But at the beginning of the year, an anonymous source in the IAB reportedthat the company management is aware of violations by programmatic advertising of the requirements of the General Regulations. According to them, it is “technically impossible” to rectify the situation. Lawyers and public figures called this news evidence of numerous violations of European law by AdTech companies.
Experts expect regulators from Spain, Belgium and Luxembourg, who received complaints about RTB this year, will soon begin to write fines.
Several proceedings are already underway. In May, the Irish regulator launched an investigation into Quantcast. The company is accused of illegally collecting personal data and compiling behavioral profiles. Although representatives of Quantcast say that there are no violations on their part, and all business processes are carried out in accordance with the law. Google is also under investigation due to PD leaks in the Authorized Buyers service - the company runs the risk of receiving another fine in the amount of 4% of the annual turnover.
What's next
The Irish Data Protection Commission and other regulators most likely acknowledge violations of the GDPR. In addition, measures can be taken at the European Commission level, which will complicate the work of AdTech companies throughout the European Union.
Additional reading from our blogs and social networks:Screening electronic devices at the border - a necessity or violation of human rights?
How to protect a virtual server on the Internet
Snapshots: why do we need “snapshots”