In the wake of GDPR, Google made (some) effort to stop publishers from using Google’s tools to engage in real-time bidding (RTB), a method of broadcasting as much user information as possible to as many advertisers as possible (hundreds at once) whenever a user visits a single website, all in a matter of milliseconds.
Just so we’re clear: the information Google have and will share during RTB is not just ‘likes riding bikes’. It’s a complex web of data points which helps them understand who you are, ranging from religion to sexual orientation. Just look at this handy list of codes they use.
“Real-time bidding in its current form is toxic. The speed and scale of the broadcast is incapable of complying with the GDPR’s security principle.”
(Ravi Naik, data rights solicitor)
Under GDPR (and under common sense), RTB isn’t exactly a stellar example of ethical data practices, which is why Google stopped sharing unique user IDs with advertisers — these would help advertisers more easily know who is who, and therefore what ads to serve. In their ‘cookie matching’ documentation they even say this: “Google does not accept any user information provided by the buyer (such as the cookie, user demographics, etc.)”
Translation: “you, the publisher, can engage in RTB if you want, but we will not be matching the user data we have with the data that you have.”
Making such a match would obviously be extremely useful if what you want is even more data and even more ad revenue. So here’s how they got around their own ‘rules’ and the GDPR:
When a user visits a site, Push Pages loads another, hidden HTML page that the user cannot see.
How this secret invisible web page acts as a workaround
A mastery of de-anonymisation: advertisers can now look at these IDs and the associated data, match it with data they have, and continue to do real-time bidding on you, the unsuspecting user.
How is this even allowed?
Get your fining boots on: the Irish Data Protection Commission is going to start an investigation. If they don’t like what they find, they’ll likely fine the full amount, which in this case is $27 billion. That would massively overshadow any fine we’ve seen so far.
This fine really needs to happen; so far businesses have been very choosy about how they handle their GDPR compliance, including coming up with clever workarounds like this one. There are many others out there, but the thing that sets this one apart is that Google did it, and the regulators know about it.