Privacy activists target the IAB Europe’s GDPR approach
It’s no secret that the General Data Protection Regulation has opened a can of worms when it comes to how the digital ad industry uses personal data within real-time bidding.
The law’s core premise — that users must be informed of how and when their personal data is used, by whom and for what purpose — is on paper both a simple and reasonable expectation. But the messy state of today’s sprawling digital ad tech ecosystem has made the reality of executing this in a real-time bidding environment, far harder.
Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London, have so far been among those leading the offensive. Last September, the group made an official complaint to European regulators, against Google and other ad tech firms for their use or personally sensitive data such as political interests within bid requests made for behavioral ad targeting.
On Feb. 20, they submitted new evidence to their existing complaints to U.K. and Irish data protection authorities. These documents were obtained from the European Commission under Freedom of Information requests. The complainants attested that the Interactive Advertising Bureau Europe has previously acknowledged there is no way to control who receives what data within the digital ad ecosystem due to its scale and volume of companies within it, or what those companies do with the data once received under GDPR. (Read the full complaint here.)
The new complaint also included a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The bid request samples included information such as page URLs, pseudonymous identification codes, and GPS locations — data the privacy activists claim are a big GDPR no-no. Google has always maintained that it obfuscates the location information to make it less identifiable.
IAB Europe has dismissed the allegation that it knew it was impossible for users to be informed about how their data is used in an RTB environment, and said this was addressed in the creation of its Transparency and Consent framework. “It is possible to not just inform users about participants in real-time bidding ahead of time but also to signal the disclosure and/or consent status of a specific vendor participating in real-time bidding,” said Matthias Matthiesen, director of privacy and public policy at IAB Europe.
He also reiterated IAB Europe’s argument that addressed previous complaints from the same privacy activists: that the technology itself (in this case Open RTB) cannot be subject to GDPR, only a business’s use of the technology can be. But the privacy activists believe that argument dodges the real issue: that IAB Europe and Google, which they describe as the two “rule setters” of the industry, are encouraging the ad industry to violate GDPR.
Ad tech will continue to be in the firing range, and should regulators agree with the complaints, ad exchanges will be forced to make changes. “In the short term, exchanges might be forced to remove key targeting fields from bid requests; otherwise, publishers could be exposed to fines,” said Ratko Vidakovic, founder of AdProfs. “That personalized ad targeting would come under threat was the original fear around GDPR.”
French regulator CNIL has so far been the only regulator to come down hard on ad tech businesses such as mobile ad tech vendor Vecataury and Google. The fact no one had ever heard of Vectaury before it was fined for violating GDPR is indicative of just how impossible it is to enforce GDPR across the open auction due to the volume of businesses and the subsequent extent of the data leakage, according to Ryan.
IAB Europe’s Transparency and Consent framework — the body’s attempt to create an industry standard for GDPR compliance — has been criticized for facilitating ad tech’s use of personal data within the open exchanges. However, many in the industry, including publishers, are keen for an industry standard to prevail that isn’t owned by a singular business (meaning Google.)
“The industry is working together to ensure the Consent Framework does what is expected and required — as it still remains the closest thing to a solution that is governed by the industry and not a single proprietor,” said Richard Reeves, managing director of U.K. online publisher trade body AOP. “I am confident that when they release the TCF version 2 in July, many of these concerns will have been addressed.”
In response to the latest complaints, a Google spokesperson said, “Publishers who decide to fund their operations using real-time bidding via Google’s systems must also abide by our policies — including by obtaining consent from end users in Europe for personalized ads, not targeting overly narrow or specific audiences, and not collecting users’ sensitive information, including health conditions and pregnancy status.”
Although the complainants appear to be baying for blood, the group is not pushing for the death of RTB, according to Ryan. But they do want this type of sensitive data within bid requests wiped out.
“The solution to all of this is simple,” said Ryan. “The IAB RTB system allows 595 different kinds of data to be included in a bid request: 4 percent of these should be disallowed or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data, including location and interests, of every single person on the web.”
Newsletter publishers cautiously plan to expand editorial and sales teams
Publishers with newsletter-focused businesses are looking to grow their editorial and sales teams this year — but cautiously, to keep spending down during a time of economic uncertainty.
Magna 2023 forecast paints a resilient U.S. market, thanks to retail media and streaming
In its latest ad forecast, Magna is expecting a resilient U.S. market this year – boosted by retail, streaming and the auto industry’s bounceback.
How agencies are shaping the future of DEI beyond their own walls
Agencies are acknowledging that diversity efforts don’t stop with their companies. In addition to improving employee representation, now agency efforts in diversity, equity and inclusion are aimed at supporting clients and external partners.
SponsoredHow advertisers are fostering more effective publisher partnerships
Michael Weaver, senior vice president, business development and growth, Al Jazeera Media Network An everyday conversation between publishers and advertisers goes like this: The publisher invites the advertiser to a meal to talk about their business, attempts to delve into specifics on what the media buyer is looking to achieve, their audience breakdown and how […]
Newsletter publishers say they continue to see uptick in revenue despite advertising slowdown
At a time when larger media companies are feeling the pressure of the economic downturn and advertising slowdown, newsletter businesses continue to be in a period of revenue growth.
TikTok’s CEO faces bipartisan skepticism in first Congressional hearing on security concerns
The hearing comes amid calls to remove TikTok from government devices and in some cases even ban it entirely.