Google and IAB adtech targeted with more RTB privacy complaints


Private sign affixed to gate
Image Credits: Stewart Bremner/Moment / Getty Images

Another batch of complaints has been filed with European Union data protection agencies urging enforcement action against the adtech industry’s abuse of internet users’ information to target ads.

The complaints argue that behavioural ads are both harmful and unlawful.

Earlier complaints over the same Real-Time Bidding (RTB) programmatic advertising issue were filed across the EU in 2018 and 2019 but have yet to result in any substantive regulatory action.

Ireland did open a probe into Google’s ad exchange last year, while Belgium’s DPA has been progressing an investigation into a flagship industry tool that’s used for gathering consents to ad targeting — making a preliminary finding of non-compliance in October. But litigation to reach a final verdict on the IAB Europe’s “Transparency and Consent” (TCF) framework won’t take place until next year.

(Related: The U.K.’s data protection agency is facing a legal challenge over its failure to act on RTB complaints, despite repeatedly expressing concern about the industry’s lawfulness problem.)

Both Google and the IAB continue to deny any problems with their adtech. Last year Google said authorised buyers that use its systems are subject to “stringent policies and standards”. While the IAB Europe rejected the Belgium DPA’s findings — saying its preliminary report “fundamental[ly] misunderstand[s]” the TCF tech. (Update: The IAB Europe has sent a statement on the RTB complaints — which you can read at the end of this post.)

Ireland’s data watchdog slammed for letting adtech carry on ‘biggest breach of all time’

The latest GDPR complaints target how the RTB component of programmatic advertising broadcasts internet users’ personal data to scores of entities involved in these high-speed eyeball auctions — arguing it runs counter to core security requirements in the General Data Protection Regulation (GDPR), as well as being horrible for people’s privacy.

A key principle of the GDPR is security by design and default — with the regulation placing legal requirements on personal data handlers to make sure people’s information is properly secured.

The complaints, which target Google and the IAB in their capacity as RTB standard setters, have been filed by civil society groups in six European countries — namely: Asociatia pentru Tehnologie si Internet (ApTi), Romania; D3 – Defesa dos Direitos Digitais, Portugal; GONG, Croatia; Global Human Dignity Foundation, Malta; Homo Digitalis, Greece; and the Institute of Information Cyprus.

They’re being coordinated by a consortium led by the Civil Liberties Union for Europe (Liberties), the ORG (Open Rights Group) and the Panoptykon Foundation

“Real-time bidding, which is the bedrock of the online advertising industry, is an abuse of people’s right to privacy,” said Dr Orsolya Reich, senior advocacy officer at Liberties, in a supporting statement. “The GDPR has been in place since 2018 and it is there precisely to give people a greater say about what happens to their data online.

“Today, more civil society groups are saying enough with this invasive advertising model and are asking data protection authorities to stand up against the harmful and unlawful practices they use.”

The consortium is asking for a joint investigation by their respective national DPAs — and for regulators to join with ongoing adtech investigations in Ireland (into Google’s adtech) and Belgium (into the IAB Europe’s TCF framework).

IAB Europe’s ad tracking consent framework found to fail GDPR standard

It’s not clear how far the Irish DPC’s investigation of Google has progressed — but it continues to face criticism for the lack of decisions on cross-border GDPR cases, some 2.5 years after the regulation technically begun being applied.

A mechanism in the GDPR means cross-border cases (basically anything related to mainstream consumer tech) get passed to a lead agency to investigate. However, other agencies also remain involved, as interested parties, and must agree with any final decision made.

The system has led to a bottleneck of cases in certain EU locations, such as Ireland, where many tech giants base their European HQ. So the concern is this one-stop-shop mechanism is adding an unworkable level of friction to GDPR investigations — delaying decisions and enforcement action so much it risks the entire framework.

The Commission has acknowledged weakness in GDPR enforcement. Most obviously because it’s working on a massive package of new digital regulations. Though its strategy for fixing the enforcement problem is less clear as EU Member States look set to remain responsible for the bulk of this additional oversight, just as they’re responsible for resourcing their own DPAs now. (And yet more complaints have been filed this year accusing European governments of a GDPR resourcing failure.)

Ireland’s DPC is slated to issue its first cross-border GDPR decision in a case that relates to a Twitter security breach very shortly. But last year its commissioner, Helen Dixon, suggested it would come with its first such decisions early in 2020 — so the gap between GDPR expectation and reality is running almost 12 months late at this point.

GDPR enforcement must level up to catch big tech, report warns

The consortium filing the latest RTB complaints writes in a press release that while some of the earlier adtech complaints were referred to lead authorities it has no knowledge of “any meaningful cooperation or joint operations between national authorities and the lead authorities”.

“This suggests that cooperation and consistency mechanisms as envisioned in the GDPR are yet to be implemented fully,” the group adds, calling for a joint investigation into the RTB issue because the technology functions in the same way across borders — and “produces the same negative effects in all EU member states”, as they put it.

However it’s not clear how extra joint working — if indeed that’s really what’s being called for — would help to speed up GDPR enforcement. Nor how referring additional complaints to Ireland and Belgium would work to speed up their current investigations.

Most likely, the intent is to keep up pressure on the regulators to act.

Asked about the call for joint working, a Liberties spokesman told us: “The problem is that Google and IAB are big players, standard-setters in the market, and they affect all Internet users. Given the geographical scope of the issues raised in the complaints, we think it’s better for supervisory authorities to act in unison, not to be working alone in their corner.  This is why national partners are inviting their national DPAs to refer this complaint to the lead supervisory authorities who are already investigating Google’s and IAB’s compliance with the GDPR.”

Commenting in another supporting statement, Mariano delli Santi, legal and policy officer at the ORG, added: “These new complaints show that the GDPR is working. Individuals are increasingly aware of their rights, and they demand change. Now, it is up to the authorities to support this process, and make sure these laws are properly and consistently enforced against the widespread abuses of the adtech industry.”

At the time of writing, the only extant example of enforcement against a tech giant under the updated regulation was a January 2019 decision to fine Google $57 million by France’s CNIL. That investigation was limited to having a national scope, though, rather than being treated as a cross-border case.

Since then Google has shifted its legal base in Europe to Ireland — so now falls under the lead jurisdiction of the DPC.

This arrangement appears to suit big tech, enabling it to avoid the risk of speedier investigations conducted by single Member State agencies acting faster alone. (So it’s very interesting to see TikTok ramping up its business infrastructure and headcount in Ireland — as it’s also now on CNIL’s radar… )

TikTok is being investigated by France’s data watchdog

As noted earlier, EU lawmakers have conceded GDPR enforcement has been a weakness thus far.

In a review of the two-year-old regulation this summer, the Commission highlighted a lack of universally vigorous enforcement.

Last week the values and transparency commissioner, Vera Jourova, also raised the problem as she set out the bloc’s plan to bolster democratic values against a range of online risks, such as algorithmically amplified or microtargeted disinformation and election interference — acknowledging GDPR alone isn’t enough to fix myriad intersecting tech-fuelled problems.

“[After the Cambridge Analytica scandal] we said that we are relieved that after GDPR came into force we are protected against this kind of practice — that people have to give consent and be aware of that — but we see that it might be a weak measure only to rely on consent or leave it for the citizens to give consent,” she said.

“Enforcement of privacy rules is not sufficient — that’s why we are coming in the European Democracy Action Plan with the vision for the next year to come with the rules for political advertising, where we are seriously considering to limit the microtargeting as a method which is used for the promotion of political powers, political parties or political individuals.”

The European Commission is in the progress of drafting an ambitious and interlocking package of digital regulations, that it wants to fuel a regional data economy and set firm online rules to engender the necessary trust — and has said it wants this major digital policymaking effort to serve Europe for decades.

But without effective enforcement of its Internet rulebook it’s not clear how the bloc’s digital strategy will deliver as intended.

Europe’s data strategy aims to tip the scales away from big tech

Update: Here’s the IAB Europe’s statement on the latest RTB complaints:

IAB Europe is aware of new complaints having been lodged with DPAs in six countries today in relation to “real-time bidding” (RTB).

These complainants have a well established opposition to the real-time bidding process, which currently offers an essential business model for hundreds of thousands of websites and apps across the EU.

As their press release notes, they have already coordinated similar complaints against a variety of organisations in 15 European countries. The main request in this instance seems to be for “all the concerned national data protection authorities to consider the issue of real-time bidding in unison”. However, if the complainants believe that 21 authorities investigating real-time bidding in unison would lead to a more efficient process than the model established within the GDPR, then they are entitled to make that case.

As per the terms of the GDPR, all complaints have been referred to the relevant lead DPAs, who are investigating as appropriate and who have an established process for dealing with cross-border complaints.

IAB Europe is an industry association that represents the digital advertising and marketing ecosystem. It is not a business or commercial actor and does not engage in RTB or any other digital advertising itself. It is not a data controller in the context of RTB and processes no data whatsoever in that context (a pre-condition for the applicability of the GDPR).

There is no privacy or consumer protection objective to be gained by attacking a trade association and, in particular, the only body to have successfully developed a best practice standard enabling  greater GDPR compliance.

IAB Europe is proud to have developed and to manage the Transparency and Consent Framework, the most sophisticated and scrutinised model of GDPR compliance for digital advertising in the world. It’s disappointing to see that, because of the Framework’s uptake in the European market, it seems to have become a target for those seeking to undermine real-time bidding more broadly.

We are confident that the Transparency and Consent Framework will continue to provide an efficient way for organisations to offer their users greater transparency, choice and accountability in digital advertising, in full compliance with the GDPR.

More TechCrunch

Scale AI, a company that provides data-labeling services for training machine learning models, has raised a $1 billion Series F round from a slew of big-name institutional and corporate investors…

Data-labeling startup Scale AI raises $1B as valuation doubles to $13.8B

The new coalition, Tech Against Scams, will work together to find ways to fight back against the tools used by scammers and to better educate the public against financial scams.

Meta, Match, Coinbase and others team up to fight online fraud and crypto scams

It’s a wrap: European Union lawmakers have given the final approval to set up the bloc’s flagship, risk-based regulations for artificial intelligence.

EU Council gives final nod to set up risk-based regulations for AI

London-based fintech Vitesse has closed a $93 million Series C round of funding led by investment giant KKR.

Vitesse, a payments and treasury management platform for insurers, raises $93M to fuel US expansion

Zen Educate, an online marketplace that connects schools with teachers, has raised $37 million in a Series B round of funding. The raise comes amid a growing teacher shortage crisis…

Zen Educate raises $37M and acquires Aquinas Education as it tries to address the teacher shortage

“When I heard the released demo, I was shocked, angered and in disbelief that Mr. Altman would pursue a voice that sounded so eerily similar to mine.”

Scarlett Johansson says that OpenAI approached her to use her voice

A new self-driving truck — manufactured by Volvo and loaded with autonomous vehicle tech developed by Aurora Innovation — could be on public highways as early as this summer.  The…

Aurora and Volvo unveil self-driving truck designed for a driverless future

The European venture capital firm raised its fourth fund as fund as climate tech “comes of age.”

ETF Partners raises €285M for climate startups that will be effective quickly — not 20 years down the road

Copilot, Microsoft’s brand of generative AI, will soon be far more deeply integrated into the Windows 11 experience.

Microsoft wants to make Windows an AI operating system, launches Copilot+ PCs

Hello and welcome back to TechCrunch Space. For those who haven’t heard, the first crewed launch of Boeing’s Starliner capsule has been pushed back yet again to no earlier than…

TechCrunch Space: Star(side)liner

When I attended Automate in Chicago a few weeks back, multiple people thanked me for TechCrunch’s semi-regular robotics job report. It’s always edifying to get that feedback in person. While…

These 81 robotics companies are hiring

The top vehicle safety regulator in the U.S. has launched a formal probe into an April crash involving the all-electric VinFast VF8 SUV that claimed the lives of a family…

VinFast crash that killed family of four now under federal investigation

When putting a video portal in a public park in the middle of New York City, some inappropriate behavior will likely occur. The Portal, the vision of Lithuanian artist and…

NYC-Dublin real-time video portal reopens with some fixes to prevent inappropriate behavior

Longtime New York-based seed investor, Contour Venture Partners, is making progress on its latest flagship fund after lowering its target. The firm closed on $42 million, raised from 64 backers,…

Contour Venture Partners, an early investor in Datadog and Movable Ink, lowers the target for its fifth fund

Meta’s Oversight Board has now extended its scope to include the company’s newest platform, Instagram Threads, and has begun hearing cases from Threads.

Meta’s Oversight Board takes its first Threads case

The company says it’s refocusing and prioritizing fewer initiatives that will have the biggest impact on customers and add value to the business.

SeekOut, a recruiting startup last valued at $1.2 billion, lays off 30% of its workforce

The U.K.’s self-proclaimed “world-leading” regulations for self-driving cars are now official, after the Automated Vehicles (AV) Act received royal assent — the final rubber stamp any legislation must go through…

UK’s autonomous vehicle legislation becomes law, paving the way for first driverless cars by 2026

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm. What started as a tool to hyper-charge productivity through writing essays and code with short text prompts has evolved…

ChatGPT: Everything you need to know about the AI-powered chatbot

SoLo Funds CEO Travis Holoway: “Regulators seem driven by press releases when they should be motivated by true consumer protection and empowering equitable solutions.”

Fintech lender SoLo Funds is being sued again by the government over its lending practices

Hard tech startups generate a lot of buzz, but there’s a growing cohort of companies building digital tools squarely focused on making hard tech development faster, more efficient and —…

Rollup wants to be the hardware engineer’s workhorse

TechCrunch Disrupt 2024 is not just about groundbreaking innovations, insightful panels, and visionary speakers — it’s also about listening to YOU, the audience, and what you feel is top of…

Disrupt Audience Choice vote closes Friday

Google says the new SDK would help Google expand on its core mission of connecting the right audience to the right content at the right time.

Google is launching a new Android feature to drive users back into their installed apps

Jolla has taken the official wraps off the first version of its personal server-based AI assistant in the making. The reborn startup is building a privacy-focused AI device — aka…

Jolla debuts privacy-focused AI hardware

The ChatGPT mobile app’s net revenue first jumped 22% on the day of the GPT-4o launch and continued to grow in the following days.

ChatGPT’s mobile app revenue saw its biggest spike yet following GPT-4o launch

Dating app maker Bumble has acquired Geneva, an online platform built around forming real-world groups and clubs. The company said that the deal is designed to help it expand its…

Bumble buys community building app Geneva to expand further into friendships

CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion. 

CyberArk snaps up Venafi for $1.54B to ramp up in machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons