Brave has revealed new evidence for a GDPR claim it filed against Google 12 months ago. Johnny Ryan, chief policy and industry relations officer at Brave, discovered that Google’s DoubleClock/Authorized Buyers was broadcasting his personal data, violating the GDPR.
In doing so, Google is circumventing the safeguards it had put in place to comply with the GDPR.
RELATED CONTENT: GDPR one year later: Slow compliance, lax enforcement
In September 2018, Ryan filed a formal complaint with the Irish Data Protection Commission (DPC), which is Google’s primary GDPR regulator. DPC is currently investigating Google’s real-time bidding (RTB) ad system. As of this writing, the DPC has not released an official statement on this new evidence.
According to Ryan, Google’s ad system is active on over 8.4 million websites and is broadcasting visitors’ personal data to those sites to over 2,000 companies.
Brave explained that the data obtained when a user browses a website that used RTB includes the category of what the user is reading, which can reveal their sexual orientation, political views, religion, and health conditions such as AIDs, other STDs, or depression. It also includes what that person is reading, watching, or listening to; their location; and a unique, pseudonymous ID code tied to that person.
“The ‘real-time bidding’ ad industry, of which Google is the biggest player, leaks what everybody is reading online,” Ryan told SD Times. “This allows companies you have never heard of to maintain intimate profiles about you and what makes you tick – and on everyone you have ever known. This data breach – happening hundreds of billions of times a day – is not necessary for smart advertising. The industry must reform.”
Google claims to prevent those companies who receive visitor data from combining that data with profiles about those visitors. Google also stated that it doesn’t share “pseudonymous identifiers that could help these companies more easily identify an individual,” Brave explained in a blog post.
But according to Brave’s research, Google is allowing many companies to match with Google identifiers. Additionally, Google has enabled multiple companies to match identifiers of data subjects with each other.
The latest research reveals that personal data is leaking through Google’s Push Pages mechanism, which invites companies to share profile identifiers about a user when that user load a web page. Push Pages include a unique code of almost 2,000 characters, and in combination with cookies supplied by Google, companies can identify people.
Brave had commissioned Zach Edwards to analyze the log of Ryan web browsing, and it was confirmed that his data was processed in Google’s RTB system. It was also confirmed that Google facilitated sharing of personal data about website visitors among companies.
“Real-time bidding in its current form is toxic. The speed and scale of the broadcast is incapable of complying with the GDPR’s security principle,” said Ravi Naik, a data rights solicitor acting for Ryan and Brave. “Now our client finds seemingly clandestine profile matching by Google. Deceptive and uncontrolled profile matching is the antithesis of the fairness and transparency principles of data protection. Unfortunately, the lawlessness at the heart of AdTech has [begotten] a culture of data exploitation above data protection. The DPC must act fast to put an end to such practices.”
According to Brave, Google doesn’t have any control of what happens to this data once it is broadcast. Google’s policy simply requires that the companies monitor that data with their own compliance.
For the past 12 months, Brave has been campaigning to reform the RTB industry, and that campaign now spans sixteen countries in the EU as well as privacy NGOs, academics, and others.
“Twelve months ago, I first complained to the Irish Data Protection Commission about this,” said Ryan. “I hope that the DPC will accelerate its work to stop this enormous and ongoing data breach.”
