Privacy activists target the IAB Europe’s GDPR approach
It’s no secret that the General Data Protection Regulation has opened a can of worms when it comes to how the digital ad industry uses personal data within real-time bidding.
The law’s core premise — that users must be informed of how and when their personal data is used, by whom and for what purpose — is on paper both a simple and reasonable expectation. But the messy state of today’s sprawling digital ad tech ecosystem has made the reality of executing this in a real-time bidding environment far harder.
Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London, have so far been among those leading the offensive. Last September, the group made an official complaint to European regulators against Google and other ad tech firms for their use of personally sensitive data such as political interests within bid requests made for behavioral ad targeting.
On Feb. 20, they submitted new evidence to their existing complaints to U.K. and Irish data protection authorities. These documents were obtained from the European Commission under Freedom of Information requests. The complainants attested that the Interactive Advertising Bureau Europe has previously acknowledged there is no way to control who receives what data within the digital ad ecosystem due to its scale and volume of companies within it, or what those companies do with the data once received under GDPR.
The new complaint also included a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The bid request samples included information such as page URLs, pseudonymous identification codes, and GPS locations — data the privacy activists claim are a big GDPR no-no. Google has always maintained that it obfuscates the location information to make it less identifiable.
IAB Europe has dismissed the allegation that it knew it was impossible for users to be informed about how their data is used in an RTB environment, and said this was addressed in the creation of its Transparency and Consent framework. “It is possible to not just inform users about participants in real-time bidding ahead of time but also to signal the disclosure and/or consent status of a specific vendor participating in real-time bidding,” said Matthias Matthiesen, director of privacy and public policy at IAB Europe.
He also reiterated IAB Europe’s argument that addressed previous complaints from the same privacy activists: that the technology itself (in this case Open RTB) cannot be subject to GDPR, only a business’s use of the technology can be. But the privacy activists believe that argument dodges the real issue: that IAB Europe and Google, which they describe as the two “rule setters” of the industry, are encouraging the ad industry to violate GDPR.
Ad tech will continue to be in the firing range, and should regulators agree with the complaints, ad exchanges will be forced to make changes. “In the short term, exchanges might be forced to remove key targeting fields from bid requests; otherwise, publishers could be exposed to fines,” said Ratko Vidakovic, founder of AdProfs. “That personalized ad targeting would come under threat was the original fear around GDPR.”
French regulator CNIL has so far been the only regulator to come down hard on ad tech businesses such as mobile ad tech vendor Vectaury and Google. The fact no one had ever heard of Vectaury before it was fined for violating GDPR is indicative of just how impossible it is to enforce GDPR across the open auction due to the volume of businesses and the subsequent extent of the data leakage, according to Ryan.
IAB Europe’s Transparency and Consent framework — the body’s attempt to create an industry standard for GDPR compliance — has been criticized for facilitating ad tech’s use of personal data within the open exchanges. However, many in the industry, including publishers, are keen for an industry standard to prevail that isn’t owned by a single business (meaning Google).
“The industry is working together to ensure the Consent Framework does what is expected and required — as it still remains the closest thing to a solution that is governed by the industry and not a single proprietor,” said Richard Reeves, managing director of U.K. online publisher trade body AOP. “I am confident that when they release the TCF version 2 in July, many of these concerns will have been addressed.”
In response to the latest complaints, a Google spokesperson said, “Publishers who decide to fund their operations using real-time bidding via Google’s systems must also abide by our policies — including by obtaining consent from end users in Europe for personalized ads, not targeting overly narrow or specific audiences, and not collecting users’ sensitive information, including health conditions and pregnancy status.”
Although the complainants appear to be baying for blood, the group is not pushing for the death of RTB, according to Ryan. But they do want this type of sensitive data within bid requests wiped out.
“The solution to all of this is simple,” said Ryan. “The IAB RTB system allows 595 different kinds of data to be included in a bid request: 4 percent of these should be disallowed or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data, including location and interests, of every single person on the web.”