Noyb files complaint against Xandr for GDPR violations
Xandr, an advertising broker and Microsoft subsidiary, collects, combines and shares sensitive personal information of millions of Europeans to thousands of advertisers, without honoring the rules laid down in the General Data Protection Regulation (GDPR).
If a company wants to advertise on the internet, it has to go through an automated process called Real Time Bidding or RTB. That basically means that the advertiser who’s willing to pay the highest price per click (PPC) gets to place a targeted ad. These kinds of virtual auctions happen constantly, are fully automated and take place in a fraction of a second.
Xandr is an advertising broker that runs such an RTB platform. Whenever a user visits a website, an algorithm decides which company can place an ad that fits the needs of the user. To determine what those needs are, Xandr collects and shares a massive amount of data to create user profiles for targeting purposes.
Although only one ad is shown to users, much of this data is bought by third parties. This doesn’t just concern generic information like name and location, but also confidential and personal data such as health, sexuality, political opinions, religious beliefs and financial status.
To top things off, Xandr receives hundreds and hundreds of information access requests, but doesn’t respond to any of them.
“Xandr’s business is obviously based on keeping data on millions of Europeans and targeting them. Still, the company admits that it has a zero percent response rate to access and erasure requests. It is astonishing that Xandr even publicly illustrates how it breaches the GDPR,” Massimiliano Gelmi, data protection lawyer at Noyb, says in a statement.
In addition, the Austrian privacy organization claims that Xandr’s systems contain a lot of false information about users.
“It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information. Instead, the data set contains a chaotic variety of conflicting information. This can potentially benefit companies like Xandr as they can sell the same user as young and old to different business partners,” Gelmi concludes.
For these GDPR violations, Noyb has filed a complaint with the Garante per la Protezione dei Dati Personali (GPDP), the Italian data protection authority (DPA). Noyb wants the DPA to investigate Xandr’s business operation and to order it to comply with the GDPR’s principles of data minimization and accuracy.
In addition, Noyb asks the GPDP to impose a hefty fine to encourage Xandr and other advertising brokers to take European privacy rules more seriously.