
IAB denies any GDPR wrongdoing as complaints are filed with regulators


By John McCarthy, Opinion editor

February 21, 2019 | 9 min read

Privacy campaigners have targeted the Interactive Advertising Bureau Europe (IAB) with further complaints to European regulators that its data practices are knowingly in breach of General Data Protection Regulation (GDPR).


IAB refutes 'false and intentionally damaging' real-time bidding privacy complaints

After making an initial complaint in December, adblocking web browser Brave, the Panoptykon Foundation and the Open Rights Group this week (20 February) provided additional evidence to the Information Commissioner’s Office (ICO) questioning the consumer protections afforded by IAB Tech Lab's OpenRTB system.

It’s not the first time the group has issued complaints to regulators. In September, it alleged that Google, and other ad tech firms, had used sensitive data, such as political interests, within bid requests in order to better target adverts.

This time, the group claims that IAB Europe's own technical standards, which were designed to steer marketers' programmatic advertising practices, actually expose sensitive user data to potentially hundreds of bidders every time a user accesses a website.

IAB Europe has denied the allegations, saying they are “not only false but are intentionally damaging.”

The complaint

The crux of the complaint against IAB Europe is that it knew that users could not be informed about how their data is used in an RTB environment.

When browsing sites, internet users are assigned unique profiles comprised of identifiers like IP address, GPS location, and device type by adtech companies - all in the spirit of delivering relevant ads. The labels vary, from the mundane like sport, beauty and gadgets, to more personal labels signifying health conditions, religion and sexual orientation.

The complaint argues that real-time bidding, as guided by IAB standards, infringes Article 5(1)(f) of GDPR. This is the requirement to ensure data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Johnny Ryan, chief policy and industry relations officer at Brave, told The Drum that IAB documents, now shared with the UK ICO, have previously acknowledged that there was no way to control what happens with these user profiles after they have been sent to bidders.

"In the 1970s if you left your briefcase full of people's data in a train station, that was a data breach. Now if your business model is to take a dump truck and dump briefcases full of personal data into that station as fast as you can, [comparing that process to bid requests in the RTB process] that is a data breach too,” Ryan said.

"The categories can reveal your ethnicity, religion and political views, all covered in the GDPR as special category content, broadcasting this is a complete no-no. This happens hundreds of billions of times a day. Which means that shadowy companies who receive this data can build up a profile of what every person on the web reads, watches, and listens to online."

As many as 595 attributes of user data can be shared in bids, he claimed. Noting that some is more sensitive than others, he added: "Deleting or truncating 4% of these would allow the system to operate safely."

The IAB response

The IAB, however, has denied the allegations. It composed a lengthy response to assertions that the Tech Lab’s OpenRTB protocols are "inherently incompatible with EU data protection law" and the idea that its use "entailed large-scale, uncontrolled release of users’ personal data without their being aware or able to do anything about it".

It said: "These claims are not only false but are intentionally damaging to the digital advertising industry and to European digital media that depend on advertising as a revenue stream."

In January, responding to a complaint lodged to Polish authorities, the IAB said it could not be held to account for how its technical standards are used, or misused, by advertisers.

In the statement, Matthias Matthiesen, director, privacy and public policy of IAB Europe, likened the IAB to a road builder being held accountable for traffic infractions like speeding or illegal parking.

He said the standard may be misused to violate just as a car may be driven faster than the speed limit.

In its latest statement to The Drum, IAB Europe said the complaint is formed upon an outdated document from April 2017, in which IAB Europe was consulting with the European Commission to create robust GDPR and ePrivacy standards.

At the time, IAB Europe said: "It is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario.” This has since changed, claimed the IAB. Ryan said it again repeated the claim in a document released in May 2018 – a month after it launched the framework.

He said: "Before and after the launch of its consent mechanism, the IAB had acknowledged there was no way to control who receives what data, or what they do with those data once received."

IAB Europe responded: "The complainant attempts to twist this statement to mean an admission that their claims have merit. However, as the claimants are aware, in the years since this statement was made, IAB Europe has worked with its members making up a cross-section of the media and advertising industry to offer solutions to this challenge."

The IAB Europe Transparency & Consent Framework (TCF), launched in April 2018, now fully protects user data in the bidding process, it said. It offers web users transparency on how and by whom data is processed and "enables vendors engaged in programmatic advertising to know ahead of time whether their own and/or their partners’ transparency and consent status allows them to lawfully process personal data for online advertising and related purposes."

Addressing the charge that the standards don't do enough to protect user data, it added: "The complaints... take the view that their inherent incompatibility with the law stems from a hypothetical possibility for personal data to be processed unlawfully in the course of programmatic advertising processes. This hypothetical possibility arises because neither OpenRTB nor the TCF are capable of physically preventing companies using the protocol to unlawfully process personal data. But the law does not require them to.

"[A] company that shares or otherwise processes personal data without a lawful basis to do so, is in breach of the law. Companies who are found to do so will face consequences."

In a final swing at the complainants, the statement concluded: "IAB Europe has consistently tried to outline the counter arguments and correct information, mentioned above, to the claimants. However, they have consistently chosen to ignore the facts, bringing more inaccurate information to support their case. Their errors of omission could, therefore, be characterised as either misrepresentations or just fabrications."

A later statement issued by the complainants read: “There is a technical way to make RTB operate safely, which we suggest: to remove or truncate personal data, especially sensitive or highly identifying personal data, within a bid request that the IAB and Google standards prescribe or even ‘strongly recommend’. This is an essential tweak. If a system has insecurity at its core, regulators need to understand and assess how its core could be changed to make it compliant, not to try to add polish to a deeply flawed system.

"We have asked regulators to investigate the flaws at the heart of this entire ecosystem, which the IAB and Google both play the key roles in orchestrating. It is quite clear to us that the idea that the illegalities that might be found upon a detailed regulatory examination have struck a sensitive nerve with the IAB in this case — and that itself should motivate authorities to take a closer look at this pervasive and insecure piece of online infrastructure."

It comes after industry bodies ISBA and IAB clashed over the origin of the clicks as a valuable metric - following the IAB's provocative 'Clickheads' campaign.

Also this week, the body responded to the Digital, Culture, Media and Sport Committee (DCMS) report into the spreading of disinformation.

Jon Mew, chief executive of the IAB told The Drum: “Having submitted written evidence back in March 2017 and sat before the Committee in January 2018, we’d echo the DCMS’ view that where it applies to digital advertising, increased transparency is absolutely critical to the future of our industry."
