Advertising Tracking Leads to more Potential GDPR Issues for Google

European privacy advocates NOYB (none of your business), have submitted an official GDPR complaint relation to have Google implement advertising trackers.

The group are claiming that Google is recording the activity of phone users, without adequate authorization, using unique advertising IDs. This is due to the policy of Google that any developer uploading an app to the Google Play Store incorporates its Advertising ID capability. Google claims that the Advertising ID will lead to these developers being able to optimize their monetization of apps with a standard API.

However, NOYB are alleging that Google’s Advertising ID can not be turned off and tracks users “without a valid legal basis”. In a statement released recently they claim that: “The data collected with this unique tracking ID is passed on to countless third parties in the advertising ecosystem. The user has no real control over it: Google does not allow to delete an ID, just to create a new one.”

GDPR legislation states that data processors must have a sound legal reasoning for processing data. In other words, data subjects must provide advertising companies authentic consent to record their behavior and online activity.

NOYB were pivotal in instigating an investigation in 2019 that resulting in French data regulators sanctioning Google with a €50 million fine. This fine was applied due to the collection of data for ad personalization that was found to be “informed” nor “unambiguous” and “specific” as is required under GDPR.

NOYB has submitted this new complaint to Austrian data regulators. They (NOYB) claim that users can not control the processing of their data because they can not delete the tracking ID and google does not collect valid opt-in before generating them.

NOYB privacy lawyer, Stefano Rossetti said: “It is grotesque: Google claims that if you want them to stop tracking you, you have to agree to new tracking. It is like cancelling a contract only under the condition that you sign a new one. Google’s system seems to structurally deny the exercise of users’ rights.”

The complaint said that Google is using “invalid consent” that is gathered via a privacy policy that must be accepted to use the mobile device, and claim that Google has not given users a proper alternatives once the complainant explicitly withdrew their consent for the Advertising ID.

Under GDPR legislation, which became enforceable during 2018, data processors like Google can be fined up to €20 million, or 4& of the firm’s annual global revenue from the preceding financial year, whichever amount is higher.