Next Event: The Future of Identity, March 18th: Register Your Place>

The IAB Privately Believed RTB Would Violate GDPR, Claim Privacy Campaigners

Tim Cross  20 February, 2019

Privacy campaigners today filed new evidence in a complaint with data protection regulators in the UK and Ireland, claiming that industry body the IAB believed real-time bidding (RTB) would be incompatible with consent under the EU’s General Data Protection Regulation (GDPR). The IAB created the ‘Transparency and Consent Framework’ to help digital publishers and ad tech companies comply with Europe’s new data laws, but the campaigners claim that the IAB itself feared that real-time bidding as a practice is fundamentally irreconcilable with GDPR.

The campaigners claim to have accessed an email from IAB Europe CEO Townsend Feehan (via a freedom of information request) where she states that the ‘prior information’ requirement of GDPR would “break” programmatic trading. “Consent under the GDPR must be ‘informed’, that is, the user consenting to the processing must have prior information as to the identity of the data controller processing his or her personal data and the purposes of the processing,” the email allegedly says. “As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie to be incompatible with consent under GDPR”.

“The evidence is overwhelming,” said Ravi Naik, a partner at ITN Solicitors who is representing the complainants. “The IAB’s own documents contain admissions of concerns of the infringements of the GDPR. That evidence shows that the infringements can occur billions of times a day. The scale is widespread and the infringements systematic. Reform is needed and we trust that the regulators will act accordingly,” he said.

The claims are presented as new evidence in an ongoing privacy complaint which seeks to reform the way auctions are run in programmatic trades. The case, filed by privacy groups the Open Rights Group and Panoptykon Foundation alongside privacy-focussed browser Brave, argues that digital ad auctions leak “highly intimate data” about web users and violate individuals’ data rights.

Dr Johnny Ryan, chief policy and industry relations officer at Brave, said the campaigners’ aim is “to reform ad tech, not kill it.” Writing in a blog post, he said his concerns would be addressed if both the IAB and Google updated the rules they use to govern real-time bidding. “The IAB RTB system allows 595 different kinds of data to be included in a bid request,” he said. “Four percent of these should be disallowed, or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data (including location and interests) of every single person on the Web.”

But so far, regardless of what might have been said behind closed doors, the IAB has publicly contested the claims made. Writing in MediaPost last week, IAB SVP and general counsel Michael Hahn argued that “OpenRTB [IAB’s protocol for real-time bidding] is merely a communication protocol that supports real-time bidding […] companies that choose to implement the protocol must do so in a manner that complies with the laws of the jurisdictions they operate in”.

Go to Top