Privacy activists target the IAB Europe’s GDPR approach
It’s no secret that the General Data Protection Regulation has opened a can of worms when it comes to how the digital ad industry uses personal data within real-time bidding.
The law’s core premise — that users must be informed of how and when their personal data is used, by whom and for what purpose — is on paper both a simple and reasonable expectation. But the messy state of today’s sprawling digital ad tech ecosystem has made the reality of executing this in a real-time bidding environment, far harder.
Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London, have so far been among those leading the offensive. Last September, the group made an official complaint to European regulators, against Google and other ad tech firms for their use or personally sensitive data such as political interests within bid requests made for behavioral ad targeting.
On Feb. 20, they submitted new evidence to their existing complaints to U.K. and Irish data protection authorities. These documents were obtained from the European Commission under Freedom of Information requests. The complainants attested that the Interactive Advertising Bureau Europe has previously acknowledged there is no way to control who receives what data within the digital ad ecosystem due to its scale and volume of companies within it, or what those companies do with the data once received under GDPR. (Read the full complaint here.)
The new complaint also included a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The bid request samples included information such as page URLs, pseudonymous identification codes, and GPS locations — data the privacy activists claim are a big GDPR no-no. Google has always maintained that it obfuscates the location information to make it less identifiable.
IAB Europe has dismissed the allegation that it knew it was impossible for users to be informed about how their data is used in an RTB environment, and said this was addressed in the creation of its Transparency and Consent framework. “It is possible to not just inform users about participants in real-time bidding ahead of time but also to signal the disclosure and/or consent status of a specific vendor participating in real-time bidding,” said Matthias Matthiesen, director of privacy and public policy at IAB Europe.
He also reiterated IAB Europe’s argument that addressed previous complaints from the same privacy activists: that the technology itself (in this case Open RTB) cannot be subject to GDPR, only a business’s use of the technology can be. But the privacy activists believe that argument dodges the real issue: that IAB Europe and Google, which they describe as the two “rule setters” of the industry, are encouraging the ad industry to violate GDPR.
Ad tech will continue to be in the firing range, and should regulators agree with the complaints, ad exchanges will be forced to make changes. “In the short term, exchanges might be forced to remove key targeting fields from bid requests; otherwise, publishers could be exposed to fines,” said Ratko Vidakovic, founder of AdProfs. “That personalized ad targeting would come under threat was the original fear around GDPR.”
French regulator CNIL has so far been the only regulator to come down hard on ad tech businesses such as mobile ad tech vendor Vecataury and Google. The fact no one had ever heard of Vectaury before it was fined for violating GDPR is indicative of just how impossible it is to enforce GDPR across the open auction due to the volume of businesses and the subsequent extent of the data leakage, according to Ryan.
IAB Europe’s Transparency and Consent framework — the body’s attempt to create an industry standard for GDPR compliance — has been criticized for facilitating ad tech’s use of personal data within the open exchanges. However, many in the industry, including publishers, are keen for an industry standard to prevail that isn’t owned by a singular business (meaning Google.)
“The industry is working together to ensure the Consent Framework does what is expected and required — as it still remains the closest thing to a solution that is governed by the industry and not a single proprietor,” said Richard Reeves, managing director of U.K. online publisher trade body AOP. “I am confident that when they release the TCF version 2 in July, many of these concerns will have been addressed.”
In response to the latest complaints, a Google spokesperson said, “Publishers who decide to fund their operations using real-time bidding via Google’s systems must also abide by our policies — including by obtaining consent from end users in Europe for personalized ads, not targeting overly narrow or specific audiences, and not collecting users’ sensitive information, including health conditions and pregnancy status.”
Although the complainants appear to be baying for blood, the group is not pushing for the death of RTB, according to Ryan. But they do want this type of sensitive data within bid requests wiped out.
“The solution to all of this is simple,” said Ryan. “The IAB RTB system allows 595 different kinds of data to be included in a bid request: 4 percent of these should be disallowed or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data, including location and interests, of every single person on the web.”
‘We’re netting out with higher revenue’: Publishers reaping the benefits of Snapchat’s strong second half
With CPMs up as much as 20% year over year in the fourth quarter, many Discover publishers are bullish on the upstart platform for next year.
How Cosmo is building brand affinity with younger audiences through its focus on commerce
Cosmopolitan's focus on e-commerce through a line of branded wines and its own shopping holiday has led to a 254% increase in product sales.
‘Go to market faster’: The Washington Post’s Arc goes outside the tent for payment and data integrations
Subscriber revenue has become more of a priority to the Washington Post's Arc clients since it launched its subscription tools last year.
SponsoredPublishers will lead the charge as cookie-less advertising becomes the norm
Steve Wing, managing director, EMEA, Magnite As the advertising industry moves closer to a cookieless world — one in which browserless environments including connected TV (CTV) and mobile in-app are an increasingly large part of ad budgets — publishers will have an increasingly important role in developing the future of identity. Segment creation and identity […]
‘Profitability in the back half of next year’: BuzzFeed CEO Jonah Peretti (and Verizon Media CEO Guru Gowrappan) on their big merger
A special Digiday podcast episode features Interviews with BuzzFeed CEO Jonah Peretti and Verizon Media CEO Guru Gowrappan.
‘A digital Madison Square Garden’: How Complex reimagined the sponsorship opportunities for ComplexLand
The online event, which will combine music, conversation, gaming and shopping in an online world, will have 60 sponsors.