Update on GDPR complaint (RTB ad auctions)
Privacy regulators in Poland, Ireland, and the UK urged to act against online ad auctions following new evidence about massive leakage of highly intimate data about web users.
Panoptykon Foundation filed a new complaint with the Polish Data Protection Authority today, joining the ad auction complaints already being examined in the UK and in Ireland.
New evidence submitted to UK, Ireland, and Polish data Protection Authorities today reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.
Today, 28 January, is “International Data Protection Day”.
Today, Panoptykon Foundation, the Warsaw based digital rights organization, has joined in the complaints filed in the UK and Ireland in September by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave.
Together, the complainants in Ireland, Poland, and the UK, have also filed new evidence today with the national data protection authorities of Ireland, Poland, and the United Kingdom, that reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.
Every time you visit a website that uses ad auctions, personal data about you is broadcast in “bid requests” to tens or hundreds of companies. Part of this process categorizes what you watch or read or listen to. The categories can be benign, such as “Tesla motors”, “bowling”, or “gadgets”. But, as the new evidence filed today shows, they can also be extraordinarily sensitive.
For example, one category is “IAB7-28 Incest/Abuse Support”. This could enable ad auction companies to target and profile a person as an incest or abuse victim. The letters “IAB” in this category title refer to the Interactive Advertising Bureau, the organization that defines the rules of the ad auction industry.
Other IAB categories relate to sensitive and embarrassing health conditions, religious denomination, sexual orientation, etc.
Google runs its own category list, which includes equally sensitive insights such as as “eating disorders”, “left-wing politics”, or “scientology”. There are hundreds of sensitive categories in the IAB’s and Google’s lists. These lists are linked at bottom of this note.
Unnecessary data
While it is acceptable for a library to mark an area with the words “substance abuse”, it would not be acceptable for a library to mark a person who enters that section with those words too. But online, these labels about what you read, watch, and listen to online can stick to you for a long time.
This stickiness is due to the tracking IDs and other information specific to you and your device, which is routinely included in ad auction “bid requests”. Tracking IDs and other personally specific information are not strictly necessary for ad targeting, but they make it easy for companies to re-identify and profile you.
“Ad auction systems are obscure by design”, said Katarzyna Szymielewicz, President of Panoptykon Foundation. “Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data. IAB and Google have to redesign their systems to fix this failure”.
Loading a single web page can…