Google accused of using 'GDPR workaround' to feed personal data to advertisers

Evidence submitted to Ireland’s Data Protection Commission this week raises questions about Google’s Authorized Buyers advertising exchange (previously called DoubleClick), which is active on 8.4 million websites.

Johnny Ryan, chief policy and industry relations officer at anti-ad-tracking browser Brave, said he has discovered secret web pages that contain data about him being fed by Google to third-party companies. Ryan said Google had labelled him with an identifying tracker based on his location and time of browsing. 

Google, the world’s biggest advertising company, is already under investigation by the Irish data watchdog for suspected GDPR infringement as the result of a formal complaint by Ryan.

The new claims come amid increasing scrutiny of the programmatic advertising system of real-time bidding in which data collected about users is broadcast to thousands of ad exchanges in real-time auctions to serve ads on websites.

Ryan said: "Google's 'DoubleClick/Authorized Buyers' ad system is active on 8.4-plus million websites. It broadcasts personal data about visitors to these sites to 2,000-plus companies, hundreds of billions of times a day.

"The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection." 

Violations of GDPR carry the risk of large fines, either 4% of annual turnover or €20m (whichever is higher). Google’s annual revenue last year was $136.22bn (£111.09bn), with 4% equating to $5.45bn.

In January, Google was fined €50m (£44.9m) by France's data regulator for improperly obtaining user consent over personalised advertising.

The new claims contradict Google assurances that it prevents companies using its real-time bidding system from combining their data profiles with sensitive data about website visitors. Google has also said that it no longer shares pseudonymous identifiers that could help advertisers more easily target individuals.

A Google spokesman said: "We do not serve personalised ads or send bid requests to bidders without user consent. The Irish DPC, Google's lead DPA and the UK ICO are already looking into real-time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full."

Brave’s claims against Google

Brave’s analysis refers to a mechanism called "push pages", through which Google invites multiple companies to share profile identifiers about a person when they load a web page. The company provided a sequence chart of the RTB and push page processes here and a sample Push Page here.

Google push pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, "cookie_push.html". Each push page is made distinctive by a code of almost 2,000 characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible. 

All companies that Google invites to access a push page receive the same identifier for the person being profiled. This "google_push" identifier allows them to cross-reference their profiles of the person and they can then trade profile data with each other. 

The push pages are not shown to the person visiting a web page and will display no content if accessed directly. 

The evidence includes a network log of all items (including web pages and their component parts, files, etc) that Ryan’s device was instructed to load by the websites that he visited. Analysis of the network log shows that a user's personal data has been processed in Google’s Authorized Buyers RTB system. It further shows, Brave said, that Google has facilitated the sharing of personal data about the internet users between other companies.