This note presents new evidence of the scale of the vast RTB data breach, and of the consequences of two years of failure to enforce.
September 2020 is the two year anniversary of my formal complaint to the Irish Data Protection Commission about the Real-Time Bidding privacy crisis. In these two years, RTB has been allowed to continue to infringe Article 5(1)f of the GDPR, which requires security of personal data. In fact, this vast data breach appears to have worsened.
Today, we at the ICCL submitted evidence to the DPC that show the consequence of failure to enforce the GDPR to stop the vast RTB data breach at the heart of the online advertising industry.
This evidence includes a proven case of electoral influence, profiling of people with AIDS and cancer, and a list of 968 companies that Google sends information to about the private things that we do and watch online.
Key insights in the submission
- Real-Time Bidding operates behind the scenes on websites and apps. It constantly broadcasts the private things we do and watch online, and where we are in the real-world, to countless companies. As a result, we are all an open book to data broker companies, and others, who can build intimate dossiers about each of us. Google’s RTB system sends this data to 968 companies (see Appendix F for a 25 page list of these companies).
- A data broker company that uses RTB data to profile people influenced the 2019 Polish Parliamentary Election by targeting LGBTQ+ people. See page 5.
- Google’s RTB system allows users to target 1,200 people in Ireland profiled in a “Substance abuse” category, based on a data broker profile built with RTB data. Other health condition profiles from the same data broker available via Google included “Diabetes”, “Chronic Pain”, and “Sleep Disorders”. See page 6.
- The IAB’s RTB system allows users to target 1,300 people in Ireland profiled in a “AIDS & HIV” category, based on a data broker profile build with RTB data. Other categories from the same data broker include “Incest & Abuse Support”, “Brain Tumor”, “Incontinence”, and “Depression”. See page 6.
- A data broker that gathers RTB data tracked the movements of people in Italy to see if they observed the Covid-19 lockdown. See page 11-12.
- A data broker that illicitly profiled Black Lives Matters protesters in the United States has also been allowed to gather RTB data about Europeans. See page 9.
- The industry template for profiles includes intimate personal characteristics such as “Infertility”, “STD”, and “Conservative” politics. See pages 13-15.
- RTB is the most massive data breach yet recorded, involving millions of websites and apps, and hundreds of billions of individual data leaks per day. Google’s RTB system now sends people’s private data to more companies, and from more websites than when the DPC was notified two years ago. A single ad exchange using the IAB RTB system now sends 120 billion RTB broadcasts in a day, an increase of 140% over two years ago when the DPC was notified. See pages 16-18.