Article 24.01.2022 3 min. read Text Image Following Panoptykon’s General Data Protection Regulation (GDPR) complaint against one of the biggest Polish news website, Interia.pl – the Polish Data Protection Authority has confirmed that online publishers should give users access to their advertising profiles generated for the purposes of delivering behavioural ads. The decision confirms that information about people inferred by tracking and profiling algorithms are indeed personal data, subject to all the protections provided by the GDPR. Despite this favourable decision, the website owner has claimed that they are unable to provide the user with their ad categories because they are generated by adtech companies and the website itself does not have access to them. This roadblock points to the wider problem of the digital advertising market: the dominance of advertising middlemen who track and profile people beyond the control of website publishers themselves, let alone that of users. You should be able to control your digital profile Panoptykon filed the complaint in January 2019, after an unsuccessful attempt to obtain the advertising profile generated about a user of one of the biggest Polish news websites – Interia.pl. The publisher claimed that it does not create such a profile, despite explicitly gathering consent for installing cookies which track users’ behaviour. In a decision from October 2021 the Polish DPA confirmed that an advertising profile comprised of categories attributed to the user based on the analysis of their online behaviour fulfils the definition of personal data and – following a GDPR access request – should be made available to the user. This ruling is momentous because many internet companies do not treat assumptions related to users’ demographics, interests or personal traits generated by algorithms as personal data. The sticky web of advertising middlemen Surveillance-based advertising consists of a system of interconnected intermediaries functioning behind the scenes and beyond the control of users, and – as it turns out – the control of publishers themselves. Website publishers serve as a gateway to this system by collecting ‘consent’ for tracking and profiling for advertising purposes (often without the option to refuse) by so-called ‘trusted partners’ – a myriad of advertising middlemen. Because users don’t know whom their data is ultimately shared with or which identifiers specific companies use to single them out (such as pseudonimised cookie IDs), they are practically unable to challenge this unending tracking. With an advertising system designed to be opaque, the rights granted by the GDPR to access, rectify or delete personal data, remain an illussion. For these reasons Panoptykon decided that going after individual websites or adtech companies were meaningless. Instead in coalition with other organisations, led by Dr Johnny Ryan from the Irish Council for Civil Liberties, Panoptykon complained against standard-setters that dictate the rules of the game for the whole industry: Google and the Interactive Advertising Bureau (IAB). The latter case will soon be resolved, as the Belgian DPA has already prepared a draft decision, currently submitted for opinion to DPAs in other countries, which is expected to find that IAB Europe violated the GDPR. If this falls through, it could be a true deal-breaker for the toxic online advertising market and a quantum leap towards better protection of online privacy and development of ethical, GDPR-compliant innovations in advertising. Karolina Iwańska The article was published in EDRi-gram, 19 January 2022 Fundacja Panoptykon Author Topic advertising Previous Next See also Article GDPR and online advertising – Panoptykon consults IAB Poland’s code of conduct We have taken part in the public consultations of the draft code of conduct which is supposed to help apply the GDPR to the internet advertising sector. The code was prepared by the Polish office of the Internet Advertising Bureau. 23.10.2018 Text Article Limits to harmful surveillance in online advertising? Joint statement ahead of the vote in the European Parliament next week “We don’t have to manipulate our customers or exploit their vulnerabilities to scale up” – European entrepreneurs and social organizations appeal to the MEPs to put an end to invasive and privacy-hostile practices related to surveillance-based advertising and thus open the market to ethical and… 13.01.2022 Text Article Belgian authority finds IAB Europe’s consent pop-ups incompatible with the GDPR Following a number of complaints filed in 2018 and 2019, including by Panoptykon and Bits of Freedom, and coordinated by the Irish Council for Civil Liberties, the Belgian Data Protection Authority has found that the consent system developed and managed by the adtech industry body IAB Europe, and… 16.02.2022 Text