On May 2019 GDPR complaints about Real-Time Bidding (RTB) in the online advertising industry were filed with Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg. The complaints detail the vast scale of personal data leakage by Google and other major companies in the Ad Tech industry.
The complaints have been filed by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch) in Spain, David Korteweg (Bits of Freedom) and Jef Ausloos (University of Amsterdam) in the Netherlands, Pierre Dewitte (University of Leuven) in Belgium, PatriciaMacedo Alves (Antas da Cunha Ecija & Associados) in Portugal, and Jose Belo (International Association of Privacy Professionals) in Luxembourg. These are in addition to those previously filed in Ireland, the United Kingdom and Poland, thus reaching 8 countries and data protection authorities.
Under the GDPR, a company is not permitted to use personal data unless it tightly controls what happens to that data. Article 5 (1)(f) requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss”.
Visit the webpage of Fix AdTech campaign for more updates and to see press coverage.
Every time a person visits a website that uses RTB systems, intimate personal data about them and what they are viewing is broadcast in a “bid request” to tens or hundreds of companies, to solicit bids from potential advertisers’ for the opportunity to show an ad to this specific visitor. The data can include people’s exact locations, inferred religious, sexual, political characteristics, what they are reading, watching, and listening to online, and unique codes that allow long term profiles about each person to be built up over time.
As GDPR complaints show, this occurs hundreds of billions of times every day, and is the most massive leakage of personal data recorded so far.