Facebook left its API wide open, and had no control over personal data once those data left Facebook.
But there is a wider story coming: (thread...)
Every single big website in the world is leaking data in a similar way, through "RTB bid requests" for online behavioural advertising #adtech. 2/12
Every time an ad loads on a website, the site sends the visitor's IP address (indicating physical location), the URL they are looking at, and details about their device, to hundreds -often thousands- of companies. Here is a graphic that shows the process. 3/12
The website does this to let these companies "bid" to show their ad to this visitor. Here is a video of how the system works
[Embedded tweet by @johnnyryan]
In Europe this accounts for about a quarter of publishers' gross revenue. 4/12
Once these personal data leave the publisher, via "bid request", the publisher has no control over what happens next. I repeat that: personal data are routinely sent, every time a page loads, to hundreds/thousands of companies, with no control over what happens to them. 5/12
This means that every person, and what they look at online, is routinely profiled by companies that receive these data from the websites they visit. Where possible, these data are combined with offline data. These profiles are built up in “DMPs”. 6/12
Many of these DMPs (data management platforms) are owned by data brokers. (Side note: The FTC's 2014 report on data brokers is shocking. See ftc.gov/reports/data-b…)
There is no functional difference between an #adtech DMP and Cambridge Analytica. 7/12
None of this will be legal under the #GDPR. (See one reason why at pagefair.com/blog/2017/unde…).
Publishers and brands need to take care to stop using personal data in the RTB system. Data connections to sites (and apps) have to be carefully controlled by publishers. 8/12
So far, #adtech's trade body has been content to cover over this wholesale personal data leakage with meaningless gestures that purport to address the #GDPR (see my note on @IABEurope current actions here pagefair.com/blog/2018/iab-…). It is time for a more practical position. 9/12
And advertisers, who pay for all of this, must start to demand that safe, non-personal data take over in online RTB targeting. RTB works without personal data. Brands need to demand this to protect themselves - and all Internet users too. @dwheld @stephan_lo @BobLiodice 10/12
Websites need to control 1. which data they release into the RTB system 2. whether ads render directly in visitors' browsers (where DSPs' JavaScript can drop trackers) 3. what 3rd parties get to be on their page @jason_kint @epc_angela @vincentpeyregne @earljwilkinson 11/12
Let's work together to fix this. 12/12
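The thread's first control, deciding which data a website releases into the RTB system, can be sketched as a default-deny filter on the outgoing bid request. This is an added example, not part of the original thread: field names follow OpenRTB 2.x, and the allow-list contents, the function name `minimise_bid_request` and the sample request are assumptions constructed here.

```python
import json

# Default-deny allow-list: True copies the value as is, a dict descends into it.
# Which fields are treated as releasable is this example's assumption.
ALLOW = {
    "id": True, "at": True, "tmax": True, "cur": True,
    "imp": {"id": True, "bidfloor": True, "bidfloorcur": True,
            "banner": {"w": True, "h": True}},
    "site": {"domain": True, "cat": True},
}

def _filter(value, allow, path, dropped):
    """Copy only allow-listed keys; record the path of everything withheld."""
    if isinstance(value, list):
        return [_filter(v, allow, path + "[]", dropped)
                for v in value if isinstance(v, dict)]
    kept = {}
    for key, child in value.items():
        rule = allow.get(key)
        child_path = f"{path}.{key}" if path else key
        if rule is True:
            kept[key] = child
        elif isinstance(rule, dict) and isinstance(child, (dict, list)):
            kept[key] = _filter(child, rule, child_path, dropped)
        else:
            dropped.append(child_path)  # unknown or personal: never forwarded
    return kept

def minimise_bid_request(request):
    """Return (request safe to broadcast, sorted list of withheld field paths)."""
    dropped = []
    return _filter(request, ALLOW, "", dropped), sorted(dropped)

# Constructed sample carrying the data the thread lists: IP address, page URL,
# device details and a broker segment ID.
SAMPLE = {
    "id": "req-1", "at": 1, "tmax": 120,
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}, "bidfloor": 0.5,
             "ext": {"partner_uid": "p-789"}}],
    "site": {"domain": "news.example", "cat": ["IAB12"],
             "page": "https://news.example/health/article-about-a-condition",
             "ref": "https://search.example/?q=symptoms"},
    "device": {"ip": "203.0.113.7", "ua": "Mozilla/5.0 (constructed)",
               "ifa": "00000000-0000-0000-0000-000000000000"},
    "user": {"id": "u-123", "buyeruid": "b-456",
             "data": [{"name": "broker.example", "segment": [{"id": "seg-1"}]}]},
}

if __name__ == "__main__":
    safe, withheld = minimise_bid_request(SAMPLE)
    print(json.dumps(safe, indent=2))
    print("withheld:", withheld)
```

Because the filter is an allow-list, a field added by a new integration (such as the `ext` object on the impression) is withheld until someone reviews and permits it.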
Our letter contains a summary of the various personal data that are broadcast in the OpenRTB system. Note that these data are very likely to include “special categories” of personal data, since they show what the person is watching and reading, can include brokers’ segment IDs 2/
Unless OpenRTB 3.0 is very radically altered, so that no personal data are contained in the bid request, it appears that it will severely infringe Article 5 of the #GDPR, and all that flows from Article 5’s principles. 3/
Facebook is confronting EU users with a new “terms of service” dialogue that denies access until a user opts in to tracking for ad targeting, and various other data processing purposes...
These Terms refer to the “data policy” that says “we use the information we have about you – including information about your interests, actions and connections – to select and personalise ads, offers and other sponsored content that we show you.”
The data policy also says “We use the information [including] the websites you visit and ads you see … to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and…” See facebook.com/about/privacy/…