Google has been outspoken about its intention to create a more privacy-focused ad tech environment, but the company is now facing accusations of sneakily circumnavigating security protocols.
Brave, a company that offers a privacy-centric web browser, has released damning information which alleges the tech giant deploys “a mechanism by which Google appears to be circumventing its purported GDPR privacy protections”.
The EU introduced the General Data Protection Regulation (GDPR) last year to set a standard around data collection.
Brave’s chief policy officer Johnny Ryan claimed Google uses secret ‘Push Pages’, that are not visible to the users and show no content, to share profile identifiers about a person when they load a web page.
“This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible,” Ryan said.
This is despite the fact Google now claims it prevents the companies that use its DoubleClick/Authorized Buyers real-time bidding (RTB) ad system from combining sensitive data from website visitors with visitor profiles.
Under the GDPR, ‘personal data’ is defined as any information that can be used to identify an individual.
Any company that unlawfully destroys, alters, discloses or accesses personal data is in breach of the GDPR and could face fines of up to €20 million ($32.5 million) or four per cent of annual global turnover, whichever is greater.
Ryan said the ‘Push Pages’ were discovered after analysing a log of his web browsing history.
“Analysis of the network log shows that the Data Subject’s personal data has been processed in Google’s Authorized Buyers RTB system,” said Ryan.
“It further shows that Google has also facilitated the sharing of personal data about the Data Subject between other companies.
“Push Pages, therefore, appear to be a workaround of Google’s own stated policies for how RTB should operate under the GDPR.”
Google has responded, telling the Financial Times it doesn’t serve “personalized ads or send bid requests to bidders without user consent”.
Google is currently under investigation by the Irish Data Protection Commission (DPC) for allegedly violating the GDPR.