Google is allegedly relaying your personal information to advertisers via hidden web pages, allowing it to circumvent the European Union privacy regulations, a Financial Times report said.
The Data Protection Commission began an investigation into Google’s practices in May 2019 after it received a complaint from privacy-focused browser maker Brave that Google was allegedly violating the EU’s General Data Protection Regulation (GDPR).
Johnny Ryan, chief policy officer for Brave, submitted the new evidence, and discovered that Google allegedly used a tracker containing web browsing information, location and other data and sent it to advertising companies via webpages that showed no content, the report said.
Ryan’s evidence showed that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page.
Using the tracker from Google, which is based on the user’s location and time of browsing, companies could match their profiles of Ryan and his web-browsing behaviour with profiles from other companies, to target him with ads.
Ryan found six separate pages pushing out his identifier after a single hour of looking at websites on Google’s Chrome browser. The identifier contained the phrase “google_push” and was sent to at least eight adtech companies.
Ryan’s experiment was reproduced by adtech analyst Zach Edwards, who runs technical consulting firm Victory Medium, after being commissioned by Brave. Zach Edwards recruited hundreds of people to test Google’s behaviours over a month. They found that the identifier was indeed unique and was shared between multiple advertising companies to enhance their targeting abilities.
Google responded, saying it doesn’t serve “personalized ads or send bid requests to bidders without user consent”.
According to the Data Protection Commission, the purpose of its inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction is in compliance with the relevant provisions of the GDPR.
“The GDPR principles of transparency and data minimisation, as well as Google’s retention practices, will also be examined,” it said.
The US Federal Trade Commission (FTC) Wednesday directed Google to pay $170 million over YouTube’s child privacy violations.
The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA) Rule.