On the same day it was handed a $170m fine for illegally harvesting the personal data of children, Google now stands accused of working around GDPR rules to secretly hand advertisers user data.
Giving evidence to the Data Protection Commission (DPC) on Wednesday, Dr Johnny Ryan, the chief policy & industry relations officer at Brave, said the tech giant was knowingly circumventing GDPR privacy protections.
An analysis of Dr Ryan’s own online behaviour revealed that Google used a tracker containing web browsing information, location and other personal data and allowed advertisers to collect the information via blank webpages that showed no content.
Dr Ryan said this circumvented both GDPR and Google’s own rules to allow advertisers to track a user’s Google profile and online activity.
“Google’s ‘DoubleClick/Authorized Buyers’ ad system is active on 8.4+ million websites,” said Dr Ryan. “It broadcasts personal data about visitors to these sites to 2,000+ companies, hundreds of billions of times a day.
“The evidence we have submitted to the Irish Data Protection Commission [Google’s primary GDPR regulator] proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”
Google claims to prevent the companies that use its real-time bidding ad (RTB) system – and who receive personal data about website visitors – from combining their profiles about those visitors.
It has also previously announced that it had stopped sharing pseudonymous identifiers that could help third-party businesses more easily identify an individual, apparently in response to the advent of GDPR.
However, Dr Ryan’s analysis revealed his own personal data was broadcast, confirming earlier warnings laid out in a complaint to the DPC in September 2018.
Responding to the claims, Google said on Wednesday it does not serve “personalised ads or send bid requests to bidders without user consent.”
The news comes after Google-owned YouTube was fined $170m (£139m) by US regulators for failing to protect children’s privacy.
Google had earned millions of dollars by illegally collecting the data of children on its video-sharing platform, said the Federal Trade Commission (FTC) and the New York attorney general.
By doing so, YouTube violated the 1998 Children’s Online Privacy Protection Act (Coppa), the FTC said. The act requires websites to gain parental consent before collecting the personal information of users who are under 13 years old.
Google agreed to pay $34m to New York and $136m to the FTC – the largest penalty ever received by the US agency in a child privacy case.