On 20 May 2019, complaints were filed with the competent Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg, in connection with one of the latest digital marketing practices called Real-Time Bidding (“RTB”). The complainants consider RTB a “vast scale personal data leakage by Google and other major companies” in the behavoiral advertising industry.
A typical RTB transaction begins with a user visits a website. This triggers a bid request that includes various pieces of data, such as the user’s demographic information, browsing history, location, and the page being loaded. The request goes from the publisher to an ad exchange, which submits the request, along with the accompanying data to a bid manager. Advertisers automatically submit their bids in real time, in order to place their ads and the advertising space goes to the highest bidder, who displays the winning ad on the website. Real-time bidding transactions typically happen within 100 milliseconds (including receiving the bid request and serving the ad) from the moment the ad exchange received the request.
The criteria for bidding on particular types of consumers can be very complex. The complainants, nevertheless, point out tha there is no control over what happens to the data, a situation similar to the Facebook data leakage that enabled Cambridge Analytica to profile people, but for the fact that it is far greater in scale.
For example, Google relies on self-regulatory guidelines that rely on the companies that receive its broadcasts to inform it if they are breaking its rules. Google claims that over 2.000 companies are certified in this way. Google DoubleClick / Authorized Buyers sends, however, intimate personal information about virtually every single online person to these companies, billions of times a day.
It is relevantly reminded that in accordance with the applicable GDPR provisions, a company is not permitted to use personal data unless it tightly controls what happens to that data. In fact, Art. 5 (1)(f) GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss”.