European Privacy Regulator Turns Up Heat on Ad Tactics Used by Google and Rivals
Belgium’s data-protection authority takes aim at collection of personal information in digital-ad auctions
Tactics Google and other large online-ad players use in digital ad auctions violate European Union privacy law, investigators for Belgium’s – a European privacy regulator – wrote in an internal report, a preliminary finding with implications across the continent. European privacy regulators are homing in on the electronic auctions that happen in milliseconds to determine which ads show up when you load a webpage. In that time, hundreds of potential advertising bidders can find out information about you, including your location, birthday and whether you have been reading about sexually-transmitted diseases or alt-right politics.
That process constitutes an illegal data breach under Europe’s General Data Protection Regulation, investigators at the Belgian data-protection authority – a European privacy regulator – wrote in a new internal report viewed by The Wall Street Journal.
The report focuses on the European arm of the Interactive Advertising Bureau, an online ad trade group that the investigators said is responsible for how its member companies buy, sell and use individuals’ data in digital ad transactions. IAB Europe is based in Belgium, so the country claims jurisdiction over the group; if that position is upheld by other EU privacy regulators and potentially in court, Belgium’s regulator would have authority over how companies across the EU conduct ad auctions.
That could impact a large segment of the digital ad economy. Some 6.7 billion euros, equivalent to $7.85 billion, were spent last year on real-time, online ad bidding, according to IAB Europe. Global players, including Google—by far the dominant force in online advertising—would have to choose whether to update their sites world-wide to meet the European standard or create a separate approach for Europe.
IAB Europe Chief Executive Townsend Feehan said the complaints that appeared to trigger the probe “contained some gross misunderstandings of the scope and functionality” of IAB Europe’s ad-auction protocol and role in ad auctions.
In a blog post Friday, IAB Europe also disputed the data-protection authority’s interpretation that it is a data controller with respect to member companies that implement its framework. IAB Europe called it “regrettable” that the authority had brought an enforcement action, rather than engaged in dialogue to reform the trade group’s framework.
The report is the product of the data-protection authority’s investigation into complaints submitted by activists led by Johnny Ryan, senior fellow at the Irish Council for Civil Liberties and the Open Markets Institute.
“We are plagued by consent pop-ups, tens of times a day,” Mr. Ryan said. “Supposedly this is to comply with the GDPR, but these findings confirm what I have said for over two years: These pop-ups are a thin legal veneer over a vast data breach.”
The Belgian data-protection authority – one of 29 European Privacy regulators, declined to comment, citing a policy against commenting on active cases.
The report is far from the final word in the case. Belgium’s investigators have forwarded their report to the agency’s so-called litigation chamber as evidence. The litigation chamber will hear the case and could take into next year to issue a decision.
The Belgian agency’s decision will…