It’s no secret that the General Data Protection Regulation has opened a can of worms when it comes to how the digital ad industry uses personal data within real-time bidding.

The law’s core premise — that users must be informed of how and when their personal data is used, by whom and for what purpose — is on paper both a simple and reasonable expectation. But the messy state of today’s sprawling digital ad tech ecosystem has made the reality of executing this in a real-time bidding environment, far harder.

Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London, have so far been among those leading the offensive. Last September, the group made an official complaint to European regulators, against Google and other ad tech firms for their use or personally sensitive data such as political interests within bid requests made for behavioral ad targeting.

On Feb. 20, they submitted new evidence to their existing complaints to U.K. and Irish data protection authorities. These documents were obtained from the European Commission under Freedom of Information requests. The complainants attested that the Interactive Advertising Bureau Europe has previously acknowledged there is no way to control who receives what data within the digital ad ecosystem due to its scale and volume of companies within it, or what those companies do with the data once received under GDPR. (Read the full complaint here.)

The new complaint also included a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The bid request samples included information such as page URLs, pseudonymous identification codes, and GPS locations — data the privacy activists claim are a big GDPR no-no. Google has always maintained that it obfuscates the location information to make it less identifiable.

IAB Europe has dismissed the allegation that it knew it was impossible for users to be informed about how their data is used in an RTB environment, and said this was addressed in the creation of its Transparency and Consent framework. “It is possible to not just inform users about participants in real-time bidding ahead of time but also to signal the disclosure and/or consent status of a specific vendor participating in real-time bidding,” said Matthias Matthiesen, director of privacy and public policy at IAB Europe.

He also reiterated IAB Europe’s argument that addressed previous complaints from the same privacy activists: that the technology itself (in this case Open RTB) cannot be subject to GDPR, only a business’s use of the technology can be. But the privacy activists believe that argument dodges the real issue: that IAB Europe and Google, which they describe as the two “rule setters” of the industry, are encouraging the ad industry to violate GDPR.

Ad tech will continue to be in the firing range, and should regulators agree with the complaints, ad exchanges will be forced to make changes. “In the short term, exchanges might be forced to remove key targeting fields from bid requests; otherwise, publishers could be exposed to fines,” said Ratko Vidakovic, founder of AdProfs. “That personalized ad targeting would come under threat was the original fear around GDPR.”

French regulator CNIL has so far been the only regulator to come down hard on ad tech businesses such as mobile ad tech vendor Vecataury and Google. The fact no one had ever heard of Vectaury before it was fined for violating GDPR is indicative of just how impossible it is to enforce GDPR across the open auction due to the volume of businesses and the subsequent extent of the data leakage, according to Ryan.



IAB Europe’s Transparency and Consent framework — the body’s attempt to create an industry standard for GDPR compliance — has been criticized for facilitating ad tech’s use of personal data within the open exchanges. However, many in the industry, including publishers, are keen for an industry standard to prevail that isn’t owned by a singular business (meaning Google.)

“The industry is working together to ensure the Consent Framework does what is expected and required — as it still remains the closest thing to a solution that is governed by the industry and not a single proprietor,” said Richard Reeves, managing director of U.K. online publisher trade body AOP. “I am confident that when they release the TCF version 2 in July, many of these concerns will have been addressed.”

In response to the latest complaints, a Google spokesperson said, “Publishers who decide to fund their operations using real-time bidding via Google’s systems must also abide by our policies — including by obtaining consent from end users in Europe for personalized ads, not targeting overly narrow or specific audiences, and not collecting users’ sensitive information, including health conditions and pregnancy status.”

Although the complainants appear to be baying for blood, the group is not pushing for the death of RTB, according to Ryan. But they do want this type of sensitive data within bid requests wiped out.

“The solution to all of this is simple,” said Ryan. “The IAB RTB system allows 595 different kinds of data to be included in a bid request: 4 percent of these should be disallowed or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data, including location and interests, of every single person on the web.”