The world of online advertising continues to come under closer scrutiny, especially in regard to the sheer amount of personal data that is being shared within a complex, shadowy ecosystem populated by big tech giants and smaller data brokers. Recently, the Irish Data Protection Commission (DPC) announced the launch of an investigation into Google’s processing of personal data as part of the company’s highly popular Ad Exchange online ad system. If the Irish privacy regulator finds evidence of a GDPR violation, Google could be facing substantial penalties.
The case for a GDPR violation at Google
Pursuant to Section 110 of the General Data Protection Regulation, the Irish DPC – which acts as the lead investigator for any possible GDPR violations involving Silicon Valley tech giants – will take a closer look at how much data Google is collecting on users in order to deliver targeted ads to them later as part of its Ad Exchange system. This Ad Exchange system, which is run by Google’s DoubleClick/Authorized Buyers advertising unit, is active on 8.4 million websites worldwide.
The investigation by the Irish DPC follows a 2018 complaint filed by Dr. Johnny Ryan, the Chief Privacy Officer (CPO) of the privacy-centric web browser Brave, in coordination with the Open Rights Group and University College London. As Ryan suggests, the Ad Exchange system is “leaking” the personal data of users to more than 1,000 companies, all without the consent of users or any ability of them to take action to stop this from happening. Moreover, most users are blissfully unaware that their personal data is being leaked all over the Web, where other companies can capture it and use it to create sophisticated profiles about them.
The important part of this complaint, of course, is the fact that Google is not obtaining consent from users. Theoretically, if you asked the average Web user whether they wanted to be part of the Google Ad Exchange system in return for no compensation and a lot of unwanted tracking, the answer would be a swift and unequivocal “No.” Without obtaining consent in advance and informing users of how and why their data is being collected, Google is at risk of being cited for a GDPR violation. Since Google has its European headquarters in Ireland (as do most U.S. tech giants), the DPC case will specifically look into the practices of the subsidiary Google Ireland Ltd.
This GDPR violation could be quite costly for the Silicon Valley tech giant. According to the May 2018 GDPR, the maximum penalty could be as much as 4 percent of the annual global turnover of Google. Given the fact that Google makes billions of dollars every quarter from its online advertising activities, it’s easy to see how a GDPR violation fine could have a significant impact on the company’s overall profitability. Earlier in January 2019 Google was fined €50 million by the French privacy regulator CNIL, a record at the time. Thus, it’s clear that the old days of Google being able to slip through the cracks of the regulatory landscape are coming to a close very soon.
Online advertising ecosystem under siege
More broadly, the entire online advertising ecosystem – and not just Google’s Ad Exchange advertising system – is under serious scrutiny these days. People are finally waking up to the fact that big Silicon Valley companies are making literally billions of dollars by trafficking in their personal data. On an annual basis, for example, Google makes close to $20 billion from online ads, or about $5 billion per quarter.
According to Dr. Johnny Ryan of Brave, the situation has spiraled out of control, which eventually led to the company filing a complaint against Google for a potential GDPR violation. When talking about Google (which offers a rival Chrome browser), Brave likes to use the term “surveillance capitalism” to describe the depth and degree to which Google collects data about users. This data includes not just your website behavior (e.g. purchases you make online), but also your personal location information. Now that mobile phones are ubiquitous, Google can literally track you wherever you go.
In the past, Ryan has testified in front of the U.S Congress in order to lay out the dirty details of how Google has been able to create such a profitable advertising system. The so-called “Ryan Report,” for example, details the link between personal data and the online marketing system used on millions of websites worldwide, clearly highlighting all of the advertising transactions that take place (including how Google’s DoubleClick authorizes advertising transactions). As part of the Ad Exchange system, for example, Google essentially “broadcasts” out personal data about users in real-time, so that companies can bid on the right to show an ad to that user. The more information that Google is able to show these bidders on the user, the more likely that they will pay a higher price to show a very targeted ad. Personal data, in the context of website behavior, is very valuable to online advertisers.
New alternatives to the current online advertising system
Since the start of 2018, ad tech firms have started to feel the heat from regulators. Previously, the whole business of ads personalization operated very much under the radar of both consumers and regulators. People might have known that websites had “cookies” that followed them around, but had no idea of how much data was actually being collected on them, and then packaged up and sold to other companies, all without their consent. But then came the big Facebook Cambridge Analytica scandal in March 2018 and the arrival of the European General Data Protection Regulation in May 2018. That opened the door to regulators fining big tech giants for GDPR violations and holding them accountable for their actions.
In the second half of 2019, expect the processing of personal data to receive even more attention. Now that European privacy regulators have shown the willingness to take on Silicon Valley tech giants directly, it could open the floodgates for even more privacy complaints against these companies, and hence, the potential for even more fines to be handed out for egregious GDPR violations.