New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.

Further new evidence drawn from sample bid requests in Google and IAB’s own documentation reveals the personal data in bid requests.

Campaign website launched at fixad.tech

Privacy watchdogs in the UK and in Ireland today received evidence of the data crisis at the heart of the online advertising industry.

The new evidence, taken from Google and IAB (an industry rule setting body) documents, shows that the online ad auction system broadcasts highly sensitive data about web users. This occurs hundreds of billions of times a day. There are no technical controls to prevent thousands of receiving companies who receive these data from monitoring what every person on the web reads, watches, and listens to online.

The IAB “transparency and consent framework” has become the de facto GDPR consent system for major websites. But the new evidence also reveals that the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, before it even launched the system.

The evidence also shows that the IAB had concerns that its ad auction rules, which govern the €12 Billion “real-time bidding” online ad auction industry in Europe, were incompatible with the GDPR.

The evidence has been submitted by Jim Killock, Executive Director of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave, a private web browser. All three are represented by Ravi Naik of ITN Solicitors. This is part of a major complaint about the online ad auctions system that is ongoing in the UK, Poland, and Ireland. See previous evidence and all filings to date at https://brave.com/update-rtb-ad-auction-gdpr/

The solution to all of this is simple. The IAB RTB system allows 595 different kinds of data to be included in a bid request. 4% of these should be disallowed, or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data (including location and interests) of every single person on the Web.

“We want to reform adtech, not kill it”, said Dr Johnny Ryan of Brave. “This new evidence exposes the massive data breach at the heart of the online advertising system. The IAB and Google have it in their power to fix this”.

Jim Killock of Open Rights Group said: “The ad industry needs to obey the law. Leaving advertisers including Google to breach data protection in this way makes a mockery of privacy law. But fixing the ad industry means gaining trust and consumer confidence, which will ultimately benefit everyone.”

“Big adtech has spread the myth that the current way the system operates is the only way it ever could. This is simply untrue”, said Michael Veale of University College London. “A better, more secure and less invasive system is within reach, and regulators must be at the forefront of realising it. Online infrastructure must be designed with privacy and data protection deeply at its core.”

Ravi Naik, Partner at ITN Solicitors, said “The evidence is overwhelming. The IAB’s own documents contain admissions of concerns of the infringements of the GDPR. Those concerns that the IAB had are part of those as are detailed within our clients’ complaints and evidence. That evidence shows that the infringements can occur billions of times a day. The scale is widespread and the infringements systematic. Reform is needed and we trust that the regulators will act accordingly.”

THE NEW EVIDENCE

PART 1: the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, and would have no other legal basis.

“1a Townsend Feehan email 26 June 2017.pdf“, an e-mail from Townsend Feehan, CEO of IAB Europe, to senior personnel at the European Commission Directorate General for Communications Networks, Content and Technology.