New documents filed by privacy advocates claim the Internet Advertising Bureau (IAB) Europe and Google knowingly violated General Data Protection Regulation (GDPR) privacy laws.
The
evidence focuses on the IAB Tech Lab’s OpenRTB ad system, claiming that it is illegal under GDPR, which is intended to protect personal data and privacy for individuals in the European
Union.
The complaints allege that programmatic advertising using real-time auctions, specifically the IAB Tech Lab’s OpenRTB protocol, are inherently incompatible with EU data
protection law.
They allege that the use of OpenRTB entailed large-scale and uncontrolled release of personal data without the user being aware. It also suggested that IAB
Europe’s Transparency & Consent Framework (TCF) facilitates the breaches.
The documents were filed Tuesday with data protection authorities in the UK and Ireland.
In a response to the filing, the IAB Europe said in a blog post:
advertisement
advertisement
“These claims are not only false but are intentionally damaging to the digital advertising industry and to
European digital media that depend on advertising as a revenue stream.”
The post suggests that IAB Europe has consistently tried to outline the arguments and correct information,
but that privacy advocates have chosen to ignore the facts, bringing more inaccurate information to support their case.
“Their errors of omission could therefore be characterized as
either misrepresentations or just fabrications,” states IAB Europe.
It’s not clear whether those who make the claim truly understand the process of sharing data from searches or
clicks, as well as data collection and ad serving, or whether the system really does violate the rules.
One report points to new evidence that IAB Europe CEO Townsend Feehan knew back in
2017 that the RTB system would violate GDPR laws, which went into effect in 2018.
But in an email to the European Commission Directorate General for Communications Networks, Content and
Technology, Feehan wrote that it would be “technically impossible” to “be incompatible with consent under GDPR.”