Microsoft's Xandr grants GDPR rights with a 0% success rate.

Advertising broker Xandr (a subsidiary of Microsoft) collects and shares the personal data of millions of Europeans for detailed targeted advertising. This allows Xandr to auction ad space to thousands of advertisers. But although only one ad is ultimately shown to users, all advertisers receive their data. This could be personal data about their health, sexuality or political opinions. And despite selling its service as "targeted," the company has rather random information: the complainant is apparently both a man and a woman, is employed and unemployed. This would allow Xandr to sell advertising space to multiple companies that believe they are targeting a specific group. Some details are still unknown, as Xandr also refused to comply with the complainant's request to access and delete the data. noyb has now filed a GDPR complaint.

noyb July 9, 2024

Background: targeted advertising. If companies want to use targeted advertising to promote their products or services online, they must use so-called Real Time Bidding (RTB) platforms. One such platform is run by Microsoft subsidiary Xandr, which allows advertisers to buy ad space on Web sites or in mobile apps in a fully automated fashion. When a user visits a Web site, an algorithmic auction takes place to determine which company gets to display an ad. Because a user's interests and characteristics ultimately determine whether an advertiser is willing to display an ad, Xandr collects and shares a huge amount of personal data to profile users and enable targeting. Much of that data is purchased by outside parties such as emetriq, a subsidiary of Germany's Telecom.

Unable to work? Pregnant? LGBT? Previous research has shown that Xandr collected hundreds of sensitive profiles of Europeans containing information about their health, sex life or sexual orientation, political or philosophical views, religious beliefs or financial status. Specific segments include "french_disability," "pregnant," "lgbt," "gender_equality" and "jewishfrench."

0% compliance with GDPR requests. According to the GDPR, everyone has the right to access their data. But despite collecting vast amounts of detailed information about people, Xandr reports an astonishing 0% response rate to access and deletion requests in 2022. Xandr even publishes these internal statistics on a hidden website for all to see. The complainant experienced this approach firsthand: When he asked for access to his data, Xandr claimed it could not identify him - and refused his request for access and deletion. In reality, the company has all the information it needs to identify specific individuals. After all, identifying and targeting individuals is their core business.

Massimiliano Gelmi, data protection lawyer at noyb: "Xandr's business is clearly based on tracking data on millions of Europeans and targeting them. Yet the company admits it has a 0% response rate to requests for access and deletion. It is amazing that Xandr even publicly illustrates how it violates the GDPR."

(Un)targeted advertising. Moreover, the GDPR requires that data about individuals be "accurate." However, available information suggests that Xandr's system uses tons of false information about users. Even from a business standpoint, Xandr seems to mock the idea of targeted advertising. Thanks to an access request to the data broker - and Xandr vendor - emetriq, we know that at least part of Xandr's database consists of highly inaccurate and contradictory personal information about people: According to emetriq, the complainant is both male and female, has an estimated age between 16-19, 20-29, 30-39, 40-49, 50-59 and 60+. The complainant also has an income between €500 - €1,500, €1,500 - €2,500 and €2,500 - €4,000. Furthermore, the same person is looking for a job, has a job, is a student, scholar and works in a company. That company, in turn, simultaneously employs 1-10, 1,000+ and 1,100-5,000 people. It is hard to imagine how these data categories could be used for accurate ad targeting. Although emetriq is not the only data broker providing data to Xandr, it must be assumed that this information is used for ad targeting.

Massimiliano Gelmi, data protection lawyer at noyb: "It seems that parts of the ad industry don't really care about providing advertisers with accurate information. Instead, the dataset contains a chaotic variety of conflicting information. This could potentially benefit companies like Xandr, as they could sell the same user as young and old to different business partners."

Complaint filed in Italy. noyb has now filed a GDPR complaint with the Italian Data Protection Authority (Garante) over transparency issues, the right of access and the use of inaccurate information about users. In general, Xandr seems to violate Articles 5(1)(c) and (d), 12(2), 15 and 17 of the GDPR. Therefore, we ask the authority to investigate Xandr's processing activities and order the company to comply with the complainant's request for access and deletion. With respect to all affected data subjects, we also propose that the Garante order Xandr to bring its processing activities in line with the principles of data minimization and accuracy. Finally, we propose that the competent authority impose an effective, proportionate and dissuasive administrative fine of up to 4% of Xandr's annual turnover.
