The complaints claim online behavioral ad targeting – which Google euphemizes as "personalized advertising" – gathers unnecessary information from internet users and broadcasts it to third-party companies without any justification, in violation of the UK's Data Protection Act (DPA) and Europe's General Data Protection Regulation (GDPR).
Brave, along with the UK-based Open Rights Group and Michael Veale, a technology policy researcher at University College London, have asked UK and Irish data minders to investigate the online ad industry, and Google in particular, for compliance with data privacy laws and to take the appropriate action.
"There is a massive and systematic data breach at the heart of the behavioral advertising industry," said Johnny Ryan, chief policy and industry relations officer for Brave, via Twitter. "This needs to change."
If it does, Google and many other ad tech companies will be starved of the personal data that fuels the ad industry and fattens their respective revenue streams.
In a report on behavioral advertising intended as a primer for data authorities, Ryan explains that whenever a behaviorally targeted advertisement is served to a website visitor, a real-time bidding (RTB) system is responsible for matching an ad with a targeted internet user. To do so, it solicits bids from advertisers who might want to reach that person by broadcasting personal information to hundreds or thousands of companies.
Ryan describes two major RTB systems: OpenRTB – run by a consortium of ad tech firms including Admeld, DataXu, MediaMath, PubMatic, The Rubicon Project, and Turn – and Authorized Buyers, Google's system that until recently was called DoubleClick Ad Exchange.
These ad bidding systems, Ryan says, offer up data points about the target, to the extent they're available, such as: what's being watched or read online, the target's location, IP address, device characteristics, unique tracking identifiers, and segmentation data like income bracket, age, gender, habits, ethnicity and so on.
The way this information gets handled, without adequate notice, consent or safeguards, violates data rules, the complaints claim.
GDPR kicks in
In an email to The Register, Ryan said the broadcast of personal information for real-time bidding requests was already unlawful under Europe's data protection rules. But with the arrival of GDPR, regulators have been empowered to act and to apply penalties.
"The GDPR also creates the new European Data Protection Board, and allows, under Article 62, for regulators to work together to investigate data misuse across the EU," he said. "This new joint supervisory investigation is one of the things that our complaint is intended to trigger."
Google risks mega-fine in EU over location 'stalking'READ MORE
The petitioners' goal is nothing less than the end of bad faith advertising.
"We want to see Europe's data protection regulators investigate the behavioral / programmatic ad tech industry as a whole, and shut down that industry's enormous data breach," said Ryan. "The industry can fix the problem by agreeing, across the entire industry, to put no personal data in the 'bid requests' that ad tech companies send to each other. We want to see regulators make this happen, so that the breach stops. Ads can still be relevant to the context of what people are reading, but they do not need to leak out peoples' data."
Asked what it thinks of the complaints, Google said it intends to comply with data protection rules, without stating whether it currently does.
"We build privacy and security into all our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation," a company spokesperson said in an email to The Register. "We provide users with meaningful data transparency and controls across all the services that we provide in the EU, including for personalized advertising." ®