AdTech is the answer to a need. Websites and apps have a range of places where ads can run - banners, pop-up windows (less so than in the past), videos, panels etc. and want to sell this space to the highest bidder. Advertisers, in turn, want to reach specific audiences across different platforms for a competitive price. This is where AdTech comes in. From companies like QuantcastCriteo or Tapad tracking users to profile them, to Ad Networks such as Google allowing advertisers to automatically bid on ad spaces and target audiences (see our explainer on Real Time Bidding), AdTech companies cover the entire advertising process.

What is the problem

On the surface, online advertising sounds like a great deal for everyone: people can use websites and services for free; publishers, websites and app developers can monetise their products; and advertisers can reach their audiences.

But here is the catch: over the past decade targeted advertisement has become exponentially more invasive. To enable targeted advertisement as it is common today, massive amounts of data about individuals are collected, shared and processed. In practice, this means that most of what you do online - such as the websites you visit, the apps that you use, what you do on them, what you watch, what you buy, what you read, your location and your interests etc. – is being tracked, shared and used to profile you. And this is not a one company problem, it's an entire complex and opaque ecosystem that includes data brokers and credit reference agencies. As a result, tracking and profiling has become virtually inescapable and the ecosystem is so leaky and complex, that it has become impossible to know where your data ends up. 

Why it Matters

Intrusive data collection is not the only reason why the current ad tech ecosystem comes at a hidden cost to all of us. Targeted ads can be discriminatory (you might not be not shown a job because you're a woman or a loan because you live in the wrong neighbourhood), they can seek to be manipulative  (you are served tailored information to target those that are most vulnerable), and you as a user have no control over how this data is shared and repurposed (say, with data brokers and others who are selling your personal information to people outside the advertising ecosystem, including political actors). 

Finally, collecting and sharing these personal data with innumerable third parties comes with a huge and growing security risk, for instance, if data is breached or insufficiently protected. In fact, this risk is the same, regardless of whether tracking is done for advertising or for other purposes. Tracking data can be very personal and reveal intimate information (such as when the gay dating app Grindr was found to have shared people’s HIV status with two analytics companies), which puts people and communities at risk of harassment, stalking, identify thief and more.

This all maters because there is no easy way to avoid this. Even with the best intentions and motivation, it is extremely difficult if not impossible to opt-out of all the existing tracking methods. And that's without getting to the point that this should not be the default and rather an opt-in. From endless opt-out buttons to invisible tracking pixels to cross device tracking and fingerprinting techniques, it is almost impossible to make companies respect your decision not to be tracked. 

With the expansion of ad tracking into smart devices, and the ability to perform cross-device tracking, it is more important than ever to hold the online advertisement ecosystem to account so that individuals, communities and societies are protected.

What is PI doing

You might be wondering how all of this tracking and data sharing is even legal, especially under the General Data Protection Regulation (GDPR). We do too! Privacy International has spent the last years looking at how our data is exploited, this includes investigating and challenging the hidden online data ecosystem built on tracking, profiling and targeting us. Using the new standards set by GDPR, Privacy International is seeking to promote regulatory scrutiny of the industry and hold specific actors to account. In November 2018, we complained about seven companies in the hidden data ecosystem to Data Protection Authorities in Ireland, the UK, and France. As a result of our submission, the Irish Data Protection Commission (DPC) has now opened a formal probe into Quantcast’s data practices. We believe AdTech companies' practices are in breach of GDPR and want to continue to hold these companies to account.

But this alone is not enough. We believe that people should be able to understand what's at stake. To contribute to this, we have written 3 explainers to simplify concepts and topics related to online advertisement:

  • Tracking: the reality and mechanism behind AdTech tracking how it turned the internet into a surveillance machine  
  • Cookie banners and consent boxes: why they are so annoying and deceptive 
  • Real-Time Bidding (RTB): a widely spread technology used for targeted advertisement that implies the sharing of your data with hundreds of companies

In addition to this, and because we are not the only ones concerned and working on these issues, we have created a resource page presenting initiatives led by other organisations and individuals tackling AdTech as well as a timeline of complaints against AdTech. This includes examples of harms, legal actions, research and explainers, illustrating the scale of the problem and the different action taken.