New journalistic insights into a database published by the world's largest marketplace for personal data raise concerns about intrusive marketing strategies against European citizens. The company's document, Xandr, contains hundreds of thousands of target segments, many of which are based on highly sensitive personal data of an unknown number of data subjects. The response from regulators nevertheless remains cautious.
Xandr, a global marketplace for advertising, made headlines last year after Microsoft acquired it from U.S. telecom giant AT&T, for about $1 billion. Now the company is back on the radar because of a document published on its website, in which it has collected more than 650,000 audience segments.
A segment is a category of potential ad targets linked by one or more common characteristics, such as "middle-class fathers" or "vegetarian women." Xandr's customers can then choose which audiences to target with their ads based on one or more segments.
These segments are not created out of thin air. They are generated based on information people leave on the Internet when we visit a web page, buy a product or talk to friends next to a smart speaker (1).
The recurring problem here is whether that information is legitimately collected, and at the same time how it is subsequently used. An investigation by journalists at the German news organization Netzpolitik (2) focuses on the latter question and warns of the potential violations of fundamental rights committed by the data brokerage industry.
The researchers are analyzing a sample of about 2,000 segments, which they find alarming because of the sensitivity of the parameters used. These include mostly sensitive categories of data, the processing of which for marketing purposes without the explicit consent of data subjects is prohibited under the AVG.
With respect to the Netherlands, the analysis identifies a fairly broad spectrum of segments with which to target a potentially large number of Dutch citizens:
- 136 segments based on personal financial data. These include information such as home value. An interesting fact, given that over the past week the recent Land Registry data breach came out. It turned out that millions of addresses and the value of individual plots were visible to everyone.
- 219 segments based on household composition data, with information such as the number of children or the age of the oldest child;
- 21 segments based on data revealing political orientation.
These three segments alone can provide an intimate picture of a targeted person's private life. Xandr's clients can use that to refine their targeting strategies. And not only at the expense of citizens' privacy, but also their personal autonomy and right to non-discrimination.
What is even more troubling, according to the researchers, is that they could not determine whether the vast majority of the remaining segments, including several health-based data, might be related to more EU citizens.
In recent years, we have seen many examples of large-scale data processing operations that undermine the privacy of EU citizens, from the Cambridge Analytica scandal to the Surcharge Affair. But these have since led to unprecedented legislative developments at the European level, which subject the processing of personal data for marketing purposes to strict consent criteria. Notable examples include the AVG, the ePrivacy Directive and the recent ban on online platforms placing targeted advertisements based on special categories of personal data under the Digital Services Act.
However, the German study shows that the data brokerage industry does not seem to have learned much from these developments. This is also on top of the supervisory difficulties experienced by data protection authorities in Europe to immediately check such behavior(3). Indeed, among all the regulators involved, only the Germans have launched official investigations (4).
When asked, the Autoriteit Persoonsgegevens told Pont | Data&Privacy it could not comment on the German investigation because it did not conduct its own research.
1.https://netzpolitik.org/2023/europa-vergleich-wie-eng-uns-datenhaendler-auf-die-pelle-ruecken/
2. https://www.nytimes.com/wirecutter/blog/amazons-alexa-never-stops-listening-to-you/
3. https://www.iccl.ie/digital-data/iccl-2023-gdpr-report/
4. https://netzpolitik.org/2023/nach-unserer-berichterstattung-datenschutzbehoerden-stellen-werbefirmen-auf-den-pruefstand/
