ORG submits complaints about intrusive LiveRamp adtech system

Today, Open Rights Group has submitted complaints to the Information Commissioner’s Office (ICO) and the Commission Nationale de l’informatique et des libertés (CNIL) about LiveRamp, an online advertising and data broking company. The complaints were submitted on behalf of Jim Killock, ORG Executive Director, as well as French digital rights activists Noémie Levain and Benoît Piédallu.

About the complaints

Mr Killock previously complained to the ICO about online advertising privacy practices in 2018. Now, an investigation commissioned by Open Rights Group, carried out by independent research institute Cracked Labs and data protection expert Alan Toner, shows that the supposedly ‘new’ adtech system being rolled out by LiveRamp does not improve, but rather undermines our online privacy even more.

The investigation shows that LiveRamp’s new system, which is being presented as a viable alternative in the face of growing regulatory pressure against online advertising, fails to address or even improve upon any of the substantive issues raised by ORG in its 2018 complaint. Indeed, the company has now developed a profiling system that combines online and offline identifiers (such as name, email and phone numbers, home addresses etc). In turn, Internet users are exposed to more privacy-invasive profiling, that can link their browsing habits to their real identity and even their home address.

The key concerns for ORG are:

• LiveRamp still seems to process personal data without a valid legal basis;

• LiveRamp deployed ‘security measures’ that do not seem to protect individuals’ rights or improve data security throughout the online advertising supply chain;

• LiveRamp systems are more intrusive and pervasive than previous adtech technologies. As LiveRamp processes both online and offline personal data, it does not only knows your online browsing habits but also your home address and the people you live with;

• LiveRamp systems operate in the background, and their functioning is difficult to observe even for technical experts. This makes these systems less transparent and more difficult to understand for individuals, who are being profiled without their knowledge.

Adtech surveillance

Thousands of nameless advertising companies draw very detailed profiles of Internet users’ online activities to target them with ads. Also known by the name of ‘adtech’ or ‘real-time-bidding’, this is the backbone of surveillance capitalism and it is proven to be harmful. Online profile can be used to target problem gamblers or people with addictions, to exclude racialised communities or women from housing or job adverts, persecute women who exercised their right to have an abortion, or simply to show distressing adverts — such as women being shown maternity ads after having a stillborn child.

Previous complaints to the ICO

In 2018, Open Rights Group lodged two GDPR complaints in Ireland and the UK, about the widespread illegality of data protection practices in the online advertising sector.

In 2019, the ICO issued the report, “Update report into adtech and real time bidding”, which endorsed our concerns, finding that online advertising companies were failing to comply with the law in key areas such as legality of data processing, transparency, use of sensitive data, accountability requirements and ensuring an adequate level of security throughout the supply chain.

In January 2020, the ICO announced in a blog that “the reform of real time bidding has started and will continue”. The ICO claimed that their engagement with the adtech companies had resulted in adtech industry players improving their privacy practices.

In August 2020, the ICO closed the ORG complaint. In 2021, ORG lost its appeal to the Information Tribunal to have its complaint reopened and fully addressed by the ICO. To date, the ICO has not taken any regulatory action against data protection infringements in the online advertising space that were revealed as a result of the ORG complaint and the ICO update report.

However, European DPAs have challenged and contested online advertising practices. The Belgian DPA ruled on the illegality of cookie banners, while other European DPAs are contesting Facebook’s data processing. Regulatory pressure is also growing in the US, with new laws that allow individuals to tell companies not to sell their data or to ask data brokers to delete their data.

The abusive adtech business model is being contested everywhere but the UK is lagging behind. The new complaint has been launched in part because the the substantive issues raised with the ICO in 2018 have still not been addressed.

Data Protection and Digital Information (DPDI) Bill

The Data Protection and Digital Information (DPDI) Bill would make it more difficult for civil society and interested individuals to address emerging online threats. The proposed requirement to seek a resolution with a company like LiveRamp before issuing a complaint to the ICO constitutes a significant barrier to promoting regulatory compliance: LiveRamp systems raise structural and systemic issues that affect every online users, and cannot be addressed by solutions negotiated privately and by individuals.

ORG is presenting amendments to the DPDI Bill that would remove barriers to lodge complaints and seek redress against data misuses, ensure the ICO is accountable for their failure to enforce the law against lawbreakers, and provide public interest organisations with the right tools to promote enforcement actions that benefits society at large.

About the complainants

Jim Killock is the Executive Director of Open Rights Group, the UK’s leading digital rights organisation.

Benoît Piédallu is a digital project manager who has campaigned for years against the surveillance and abuse of personal data, including by private actors.

Noémie Levain is a lawyer and campaigner with a particular interest in the protection of personal data and respect for the right to privacy.