A mechanism called “Push Pages” would make it possible to create a unique identifier for each Internet user. That would then be shared with customers of the Authorized Buyers advertising auction system.
Brave just put a few more fangs in Google’s calves. In September 2018, its legal director Johnny Ryan and two other people filed a complaint against the IT giant for non-compliance with the GPDR regulation. They believed that its online auction system for advertising placement (DoubleClick/Authorized Buyers) collects personal data from Internet users. It then disperses it to advertising agencies without the user being informed.
Johnny Ryan adds a layer to this complaint by revealing a new tracking mechanism previously unknown. They do so by creating a cookie for each Internet user, by loading empty pages called “Push Pages.” These pages, which the user does not see, have URLs that are unique to each user. According to the legal director, this identifier is then shared with different customers of Google’s auction system. It allows them to compare and share their data about this Internet user. And, therefore, to establish his behavioral profile: which pages does he visit, when, etc.?
Google would bypass its own protections
According to Brave, this hidden mechanism would bypass protections that Google itself had put in place to comply with the GDPR. In April 2018, the web giant had stopped communicating several identifiers linked to Internet users, including the “DoubleClick ID,” to its customers. That made it possible to track Internet users as soon as they came across an ad served by Google.
According to Brave, the Push Pages ID reintroduces this tracking capability and provides new evidence of the “toxicity” of real-time advertising auctions. As in September 2018, the publisher sent the technical elements of its investigation to the Irish Data Protection Authority.
A Google spokesman explains, “We do not run personalized ads or share auction requests without the user’s consent. The Irish Data Protection Commission (DPC) – which is the lead data protection authority for Google – and the ICO in the United Kingdom are already reviewing real-time auctions to assess their compliance with the GDPR. We welcome this work and cooperate fully.”
Google also believes that the process described by Brave respects the privacy of users and is following its privacy policy. The company also explains that this is a standard practice in the digital advertising industry that is not specific to Google.