Today, on 14 January 2020, the Norwegian Consumer Council (NCC), a consumer group active in the field of digital rights, denounces in its report “Out of Control” the current practices of the adtech industry, including systematic privacy breaches and unlawful behavioural profiling.
The report focuses on the analysis of data traffic from ten popular apps such as dating or period tracker apps. It shockingly exposes how a large number of mostly unknown third parties receive sensitive and personal data without the knowledge of the individual. Altogether, the ten analysed apps were found to transmit user data to at least 135 different third parties involved in advertising or behavioral profiling. These third parties then use the collected data to construct elaborate consumer profiles. In turn, these profiles can be used to personalise and target advertising, but also end up being tools for discrimination, manipulation and exploitation. Indeed, GPS location, personal attributes and various app activities can be used to infer attributes such as religious beliefs or sexual orientation. Worse, some dating apps were found to be sharing sensitive data about sexuality, drug use and political views.
Big Tech companies usually play a key role in this system. Google, with the Android Advertising ID, allows companies to track consumers across different services, and this data is often transmitted in combination with GPS location and IP address. Facebook is embedded in most of the analysed apps, while Twitter’s adtech subsidiary was used as a mediator for most of the data sharing, allowing for data to be shared with a large number of third parties.
The results of the technical tests also reveal the complexity and the practices of the adtech industry, which mostly operates outside of the public consciousness. As a result, consumers are rendered powerless and have no meaningful way to resist or protect themselves from the effects of profiling.
The report provides necessary and useful background information about the different technologies and types of companies involved in the processes behind online ads. It also offers an overview of ongoing actions from civil society and regulatory authorities against unlawful practices, as further evidence that the practices of many actors in the industry are legally questionable.
In the European Union, the collection and processing of personal data is regulated by the General Data Protection Regulation (GDPR). The GDPR provides people with greater control over their personal data and limits how and under what circumstances personal data can be collected and used.
According to NCC, the apps or third parties appear to be lacking a legal basis under the GDPR for processing the personal data they were observed to receive. It seems that these companies can neither demonstrate that they have valid legal consent nor a legitimate interest that overrides the consumer’s fundamental right to privacy. The report concludes therefore that “the system in its current form is based on the comprehensive and systemic illegal collection and use of personal data”.
The report goes further and explains that, “in addition to undermining the right to privacy, the comprehensive surveillance many of these companies engage in poses a systemic threat to fundamental rights such as the freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination” and describes the direct and indirect harms such as manipulation, discrimination, chilling effects and the propagation of misleading information as being by-products of the adtech system.
In addition to enforcement of the GDPR, the report advocates the adoption of a strong ePrivacy Regulation to complement the GDPR and ensure the protection of consumers from online tracking and profiling.
This report highlights many of the issues that EDRi has been advocating to address through a strong ePrivacy Regulation. The evidence gathered shows, once again, the urgent need to protect privacy and confidentiality of communications online. One of the key tasks for Commissioner Breton, during his first months in the position of Commissioner for the Internal Market, should be to liaise with EU Member States to tackle this problem and unlock the ePrivacy reform as soon as possible.
Out of Control – How consumers are exploited by the adtech industry – and what we are doing to make it stop