Microsoft ad subsidiary Xandr accused of violating GDPR

Access, deletion requests go ignored, and consumer profiles contradict themselves, complaint alleges

Updated Microsoft's advertising subsidiary is the target of a complaint from EU privacy advocates accusing it of "highly intrusive data processing" as well as breaking several General Data Protection Regulation (GDPR) rules.

The complaint [PDF], filed today in Italy by the perennial privacy defenders at noyb (none of your business), claims that Xandr, in its role as Microsoft's demand-side platform used by advertisers to bid for eyeballs, has violated GDPR in two ways. Firstly, noyb claims that it has failed to minimize data collection or ensure the accuracy needed for targeted advertising. Secondly, it has failed to comply with any consumer requests for data access or erasure.

According to the complaint, Xandr, which Microsoft acquired from AT&T in 2022 to serve as its own cloud-based targeted advertising platform, allegedly collects a ton of data from the public – much of which is unnecessary to serve ads, and a considerable portion of which noyb contends contradicts itself.

"The GDPR requires data about individuals to be 'accurate'. However, the available information suggests that Xandr's system uses tonnes of false information about users," noyb said. Finding that out required a bit of digging, it claims, because Xandr allegedly won't provide any of it.

Pseudonymous data

Noyb's lead complainant is an Italian citizen who approached a Xandr data broker partner with an access request for data on ad segments they were associated with and information on who was purchasing their data. Access and erasure requests were also made to Xandr, which the complaint alleges refused to share his data, or delete any of it, on the grounds that data it stored was pseudonymized and unable to be confirmed as his.

Noyb alleges Xandr's claim is untrue because the Italian citizen provided the Microsoft subsidiary with a uuid2 cookie and relevant data, which noyb claims is more than enough for "Xandr to single out a specific user and to ascertain that the latter is not pretending to be someone else."

"The attribution of profiles and other information to a single user through their uuid2 is at the very core of Xandr's business model," noyb claims in the complaint. "It is therefore ludicrous that the Defendant claims to process pseudonymous data."

This is seemingly not a unique incident in Xandr's history. The company even provides its own data (as of December 2022) indicating that, of the nearly 2,000 access and deletion requests it received in all of 2022, not a single one was complied with – even in part. Xandr justified its blanket refusal using the same pseudonymous explanation it gave to the Italian subject of noyb's complaint.

Microsoft's acquisition of Xandr closed in June 2022, and Xandr's privacy center where those compliance numbers can be found hasn't been updated since the end of that year. Noyb told us it hasn't been able to find any newer data on GDPR compliance at Xandr or Microsoft's advertising arm. Microsoft hasn't responded to our questions for this story either.

"Given Xandr's handling of the data subject's access request, it is unlikely that the procedure has changed," a noyb spokesperson told The Register. "We have even tried this process with multiple data subjects, and the result was always the same."

This runs afoul of articles 15 and 17 of the GDPR, noyb alleges.

Noyb says in the complaint that Emetriq, the data broker partner contacted by the Italian subject of the complaint, fulfilled his data access request and sent a list of more than 200 market segments linked to the individual. This is where the other half of the document comes in, which includes allegations that the data collected is inaccurate.

According to data shared by Emetriq, "the complainant is both male and female," and "has an estimated age between [16 and 60]." 

"The complainant also has an income between €500 - €1,500, €1,500 - €2,500 and €2,500 - €4,000," noyb continued. "Furthermore, the same person is looking for a job, is employed, a student, a pupil and works in a company. That company, in turn, employs 1-10, 1,000+ and 1,100-5,000 people at the same time."

Noyb is asking Italian data protection authorities to investigate Xandr for GDPR violations, require it to comply with future access and erasure requests, limit future data collection, and erase all inaccurate profiles and market segments. Noyb is also asking for a fine to be levied against Xandr, which under GDPR could equate to €20 million ($21.6 million), or 4 percent of its global turnover, whichever is greater.

Italian data protection officials have nine months from the filing of a complaint to make a determination. ®

Updated to add

Microsoft has said it's ready and waiting for action.

"We stand ready to answer any questions from the regulatory authority," a spokesperson told The Register.

More about


Send us news

Other stories you might like