It’s no secret that the General Data Protection Regulation has opened a can of worms when it comes to how the digital ad industry uses personal data within real-time bidding.
The law’s core premise — that users must be informed of how and when their personal data is used, by whom and for what purpose — is on paper both a simple and reasonable expectation. But the messy state of today’s sprawling digital ad tech ecosystem has made the reality of executing this in a real-time bidding environment, far harder.
Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London, have so far been among those leading the offensive. Last September, the group made an official complaint to European regulators, against Google and other ad tech firms for their use or personally sensitive data such as political interests within bid requests made for behavioral ad targeting.
On Feb. 20, they submitted new evidence to their existing complaints to U.K. and Irish data protection authorities. These documents were obtained from the European Commission under Freedom of Information requests. The complainants attested that the Interactive Advertising Bureau Europe has previously acknowledged there is no way to control who receives what data within the digital ad ecosystem due to its scale and volume of companies within it, or what those companies do with the data once received under GDPR. (Read the full complaint here.)
The new complaint also included a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The bid request samples included information such as page URLs, pseudonymous identification codes, and GPS locations — data the privacy activists claim are a big GDPR no-no. Google has always maintained that it obfuscates the location information to make it less identifiable.
IAB Europe has dismissed the allegation that it knew it was impossible for users to be informed about how their data is used in an RTB environment, and said this was addressed in the creation of its Transparency and Consent framework. “It is possible to not just inform users about participants in real-time bidding ahead of time but also to signal the disclosure and/or consent status of a specific vendor participating in real-time bidding,” said Matthias Matthiesen, director of privacy and public policy at IAB Europe.
He also reiterated IAB Europe’s argument that addressed previous complaints from the same privacy activists: that the technology itself (in this case Open RTB) cannot be subject to GDPR, only a business’s use of the technology can be. But the privacy activists believe that argument dodges the real issue: that IAB Europe and Google, which they describe as the two “rule setters” of the industry, are encouraging the ad industry to violate GDPR.
Ad tech will continue to be in the firing range, and should regulators agree with the complaints, ad exchanges will be forced to make changes. “In the short term, exchanges might be forced to remove key targeting fields from bid requests; otherwise, publishers could be exposed to fines,” said Ratko Vidakovic, founder of AdProfs. “That personalized ad targeting would come under threat was the original fear around GDPR.”
French regulator CNIL has so far been the only regulator to come down hard on ad tech businesses such as mobile ad tech vendor Vecataury and Google. The fact no one had ever heard of Vectaury before it was fined for violating GDPR is indicative of just how impossible it is to enforce GDPR across the open auction due to the volume of businesses and the subsequent extent of the data leakage, according to Ryan.
IAB Europe’s Transparency and Consent framework — the body’s attempt to create an industry standard for GDPR compliance — has been criticized for facilitating ad tech’s use of personal data within the open exchanges. However, many in the industry, including publishers, are keen for an industry standard to prevail that isn’t owned by a singular business (meaning Google.)
“The industry is working together to ensure the Consent Framework does what is expected and required — as it still remains the closest thing to a solution that is governed by the industry and not a single proprietor,” said Richard Reeves, managing director of U.K. online publisher trade body AOP. “I am confident that when they release the TCF version 2 in July, many of these concerns will have been addressed.”
In response to the latest complaints, a Google spokesperson said, “Publishers who decide to fund their operations using real-time bidding via Google’s systems must also abide by our policies — including by obtaining consent from end users in Europe for personalized ads, not targeting overly narrow or specific audiences, and not collecting users’ sensitive information, including health conditions and pregnancy status.”
Although the complainants appear to be baying for blood, the group is not pushing for the death of RTB, according to Ryan. But they do want this type of sensitive data within bid requests wiped out.
“The solution to all of this is simple,” said Ryan. “The IAB RTB system allows 595 different kinds of data to be included in a bid request: 4 percent of these should be disallowed or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data, including location and interests, of every single person on the web.”
WPP’s Rob Reilly on the power of creative excellence
Under Rob Reilly's creative lead, WPP won most creative company at the 2022 Cannes Lions Festival of Creativity. He talks about that and more in this Q&A.
Member ExclusiveMedia Briefing: What Axios’ sale says about the valuation of digital media companies
In this week’s Media Briefing, senior media reporter Sara Guaglione looks at what Axios's sale to Cox Enterprises signals about the current investment market for media companies.
Amid gloomy forecasts can ad tech weather the storm?
The recent Q2 results suggest there is more resilience and runway in the ad tech sector. But how long before push comes to shove?
SponsoredWhat gaming habits reveal about media consumption
Jordan Shlachter, head of research, Activision Blizzard Media Entertainment choices have never been more abundant, and gaming has emerged as one of the biggest winners in the battle for audiences’ attention. While gaming’s exponential growth has been well documented — there are currently nearly 3 billion gamers worldwide spanning a diverse set of demographics, interests […]
Member ExclusiveDigiday+ Research deep dive: Twitter’s strength holds among publishers
There is perhaps no social media platform that is more appropriate for publishers than Twitter. In this Digiday+ Research deep dive, we look at why this is.
La razón por la que Google y Samsung se asociaron con la personalidad de TikTok Addison Rae para una campaña nostálgica de los años 90
Este verano, Google y Samsung han lanzado su último esfuerzo de marketing conjunto, en el que los gigantes de la tecnología y el hardware aprovechan la nostalgia de principios de los años 90 y utilizan a la TikToker Addison Rae como musa de la generación Z. En su nueva campaña publicitaria con Rae, Google cuenta […]