“Real time bidding” is essentially a “just in time” delivery system for the online digital advertising industry. Companies looking to deliver their ads to a particular consumer profile place standing bids, which are filled when someone who meets that profile wanders into range of the ad network. This system is facing a smattering of privacy complaints in the EU based on a lack of required consumer consent under the terms of the General Data Protection Regulation (GDPR).
Real time bidding complaints allege proper consent can’t be collected
One of the cornerstones of the Adtech industry, real time bidding attempts to connect advertisers with members of their desired target demographics as these individuals are in the midst of browsing the web or using mobile apps. Underpinning the system is a collection of personal information and browsing history that makes industry critics uncomfortable.
The EU privacy complaints raise the issue of user consent in this process. Google is named in the complaints, along with members of the Interactive Advertising Bureau (IAB) that have internet-spanning ad networks. The end user is not always aware of how pervasive these networks are, or how much information they are collecting. For example, Google’s ad network allows participating websites to hide tracking code on each page that gathers browsing information for use in these real time bidding systems. The visitor may not be aware that the website even participates in Google’s advertising system; the information gathered could be used to serve them targeted ads when they visit other websites that participate in the network.
The privacy complaints were coordinated by the Berlin-based Civil Liberties Union for Europe, the UK-based Open Rights Group and freedom and human rights group the Panoptykon Foundation. Complaints were registered in six EU countries: Croatia, Cyprus, Greece, Malta, Portugal and Romania. However, this is not the first time that real time bidding systems have been challenged under EU law. Privacy complaints have been filed in 15 EU countries since 2018, with one of the biggest being the Irish Data Protection Commission’s (DPC) investigation into Google’s DoubleClick. Discussion of the potential death of real time bidding within the programmatic advertising due to regulation has been going on for over a year now, and some industry analysts feel that it cannot survive without switching to a context-only system that strips all personal data from the formula.
The DPA of Belgium is currently underway with an investigation of the IAB’s Transparency and Consent (TCF) framework, which has been adopted as an industry standard for real time bidding that was previously believed to satisfy the requirements of the GDPR. A legal challenge to its handling of “special category” data (extra sensitive personal information such as sexuality and religious affiliation) filed in October threatens to undermine the entire industry in the EU if the court ultimately goes along with it. The privacy complaints in this case characterize real time bidding as a massive and ongoing data breach, pointing to cases in which a data broker leaked the sexual orientations and medical conditions of individuals to political parties and government agencies as examples.
EU privacy complaints backlogged
While the real time bidding privacy complaints do have merit, they are immediately running into the reality of a backlog of cases in the EU that now date back years. The Irish data controller generally takes point on cross-border investigations that involve tech giants, since most of those giants are headquartered in Dublin due to favorable tax rules. For example, the DoubleClick investigation now dates back to May 2019 and it is still unclear when it will be resolved or even how much real progress has been made at this point. The EU data protection authorities that the complaints originate with are supposed to remain involved and must agree with whatever conclusion the Irish DPA ultimately reaches for it to be validated, but the lead agency has a great deal of leeway in how much time it can take in investigating the matter.
The first cross-border data processing case ruling by the Irish data authority, involving an older breach of Twitter’s “protected tweets” feature, was just handed down on December 15 with Twitter receiving a €450,000 (USD $544,600) penalty. This was much smaller than the potential maximum penalty of about €138 million, and though Twitter was not expected to receive anywhere near a maximum fine there was a general expectation that the eventual enforcement action would be somewhere in the low tens of millions of dollars. There has been some question about how hard the Irish DPC is willing to be on the online advertising industry companies that shore up its economy in response to privacy complaints, speculation that has been inflamed by the lengthy investigations and will not likely be quelled by this relatively small penalty.