from Hacker News

GDPR complaint claims Google and IAB ad category lists leak intimate data

by imbiased on 1/28/19, 8:51 AM with 67 comments

by dessant on 1/28/19, 9:33 AM
We should also be able to access our marketing categories without a Google account, since sensitive data is collected and a profile is built even if you don't have a Google account.
by manigandham on 1/28/19, 1:43 PM
These categories apply to the content, not the cookie (when a cookie is even available which it isnt in many places).
This is not personal, it's the contextual targeting everyone wants. These blog posts never understand adtech.
by nopriorarrests on 1/28/19, 12:30 PM
I'm familiar with RTB (real-time bidding protocol) details, so I can assess this from the technical POV.
Most ironical thing here -- IAB categories applied not to user profiles but to URL's.
So, their goal is to facilitate ads targeting not to user profile, but to page content. This is the use case which is often discussed on HN as ethical and "right" way of showing ads -- you get the bid request with "Nature, travel" IAB categories and you show ad about outdoor gear. You don't need to crunch user data to make this simple decision.
However, I have to admit this complaint has it's own merit. Bid request usually contains not just page URL and IAB categories, but user cookie as well. So, by data-mining bidstream, you can theoretically find people (well, at least their unique cookies) who are looking for a cure for impotence, and this is against GDPR, for sure.
by ckastner on 1/28/19, 10:57 AM
Key quotes:
> Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data.
and
> Under GDPR, processing special category [medical information; political affiliation; religious or philosophical views; sexuality; and information revealing racial or ethnic origin] data generally requires explicit consent from users — with only very narrow exceptions, such as for protecting the vital interests of the data subjects
The last quote is particularly troublesome, as Article 9 GDPR [1] is explicit about this: processing this data is prohibited by default, and none of the exemptions seem to apply even by a stretch of imagination.
Assigning such labels may be the norm from the Ad industry's point of view, but that is simply no longer possible under the GDPR.
[1] https://gdpr-info.eu/art-9-gdpr/
by seren on 1/28/19, 9:21 AM
I am curious, if you ask for a dump of your data from Google, where do you have to look to find your ad category ? As far I know, this is not directly accessible from your profile or privacy settings.
Looking at the data selection to export, I am not even sure this is included somewhere.
by Tsubasachan on 1/28/19, 10:06 AM
Advertising and marketing is a trillion dollar industry that employs millions of people across the globe and I want nothing to do with it.
Advertising atheism and I wouldn't be entirely surprised if in the future people will be prosecuted for it.
by a_imho on 1/28/19, 11:44 AM
Google is the elephant, but it is very rare to see compliant services/sites. The interesting question is when/if EU is going to flex its GDPR muscles.
by mancerayder on 1/28/19, 2:46 PM
Here’s a few more highly sensitive labels that are being attached to web users’ identities and shared with potentially thousands of bidding ad companies — in this case the labels are ones which the IAB uses: Special needs kids, endocrine and metabolic diseases, birth control, infertility, diabetes, Islam, Judaism, disabled sports, bankruptcy.
I'm jealous that at least Europeans can complain legally.
In the U.S., we believe that the free market knows best and that's freedom and such. Meanwhile, we're being profiled by these vile companies (FB, Google) and our data resold. Aside from individual rights being violated (hint, individual rights aren't just rights against government intervention), there's a huge societal threat here: what happens when this data is used to pit us against one another? Are we still free, then?
In the U.S. it will take a cataclysmic event to reach a GDPR-like desire by the population. The sad reality is that the EU has its citizens' interests generally in mind (consumer protections, GDPR), while in the U.S. Big Brother has the interests of large corporations at heart (namely by allowing them to run roughshod over our rights).
by chronotis on 1/28/19, 12:07 PM
Setting aside penalties for a moment, what is the minimum set of changes to programmatic advertising practices that would bring it into compliance with GDPR? Would removing the targeting categories that relate to intimate data be sufficient? Or is something deeper, more structural in the crosshairs?
by w_t_payne on 1/28/19, 9:25 AM
Not just Google though, is it?
by onetimemanytime on 1/28/19, 9:42 AM
I think Google and FB have met their match, EU! Not only penalties but crippling changes to their existing, everything goes, business model. Penalties they can afford...
by throw2016 on 1/28/19, 11:49 AM
It just gets creepier and creepier and to think there are hundreds of thousands of people involved in this sordid endeavour who think nothing of and stalking, profiling and dehumanizing others for personal gain.
More evidence there is zero moral compass in SV and given enough money people are willing to do whatever away from public view and posture and pretend to care about niceties like ethics in public. And these are educated folks who are not starving and desperate.
Discussions should move from a default human base ethical position to any discussion about ethics is posturing and empty, its only by actions that any sense of ethics can be gleaned.
But people who behave unethically cannot then expect an ethical society or ethical behavior from others. These others too have a right to exchange their values for money and attempt to normalize, redefine or hand wave away their actions.