Project:Adtech

Interesting queries

• render
• adtech mess
• adtech companies
• data management platforms
• identity resolution services
• actors

• datasets about the adtech ecosystem

• Lumascape
  • lumascape
  • "historic" picture

GDPR Article 15 (Q845)-related questions

• What is the impact of a Q839 on a data management platform (Q495)(all)?
  • Is this helpful for understanding cross-device tracking (Q519)? probabilistic fingerprinting (Q520)?
  • More specifically a SAR on an identity resolution service (Q559)(all)? Is it different than for a data broker (Q522)(all)?
    • What is the legal situation of Adobe Marketing co-op (Q399), successor to Demdex (Q398)?
• What traces are left by real-time bidding (Q523)? Which are accessible through Q839?
• Which adtech company (Q110)(all) or adtech product (Q834)(all) set the marketing segment (Q838)(all)?
  • When are they shared?
  • Is deciding the marketing segment (Q838) enough to make an entity a data controller (Q96)(all)? What about if you decide how they can be shared?
    • Turn Inc (Q546) for instance facilitated the selling of an audience (Q496) by Weather Channel (Q840) of people more "likely to be constipated". This was determined (?) through the use of geolocation data (Q539).

• An example request:

Dear The Guardian,

This is a request under the General Data Protection Regulation.

Please confirm whether or not you are processing personal data (as defined by Article 4(1) and (2) GDPR) concerning me.

In case you are, I am hereby requesting access to the following information pursuant to Article 15 GDPR:

• all personal data concerning me that you have stored;
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients to whom the personal data have been or will be disclosed;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.

If you are transferring my personal data to a third country or an international organisation, I request to be informed about the appropriate safeguards according to Article 46 GDPR concerning the transfer.

Additionally, please make the personal data concerning me which I have provided to you (quite possibly a subset of all the data you hold about me), available to me in a structured, commonly used and machine-readable format as laid down in Article 20(1) GDPR.

As laid down in Article 12(3) GDPR, you have to provide the requested information to me without undue delay and in any event within one month of receipt of the request. According to Article 15(3) GDPR, you have to answer this request without cost to me.

My request explicitly includes The Guardian, as well as any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

Additionally, in accordance with Article 26, please provide me with the "essence of [your] contract" with any other data controller, for any joint controllership situation.

Should you need to have more information to identify which is my personal data, in accordance with Article 11(2) GDPR, I send you the additional information:

• cookie for domain: .doubleclick.net
  • key: IDE
  • value:
• cookie for domain: .doubleclick.net
  • key: fbp
  • value:
• cookie for domain: .doubleclick.net
  • key: IDE
  • value:
• cookie for domain: .openx.net
  • key: p_synced
  • value:

I do expect you to reach out to each of your vendors to make sure I obtain all the requested information.

Thank you very much.

Sincerely,

<<FIRST_NAME LAST_NAME>>, generated directly from Guardian adtech investigation (Q855).

Tag management

• What is the impact of an indirect SAR on a tag manager (Q504)(all)
• Can a SAR tell you for whom an advertising tag (Q503)(all) fired?
  • Is the legal situation different for a SAR on Google Tag Manager (Q70)?

Bidding process

• What is the impact of a(n indirect) SAR on a ad exchange (Q498)(all)?
• Can you know whether ad impression (Q497)(all) was triggered? How much it cost?

Top-down, bottom-up, maximizing utility

The goal of SARs could be to maximize utility in understanding the ecosystem.

Hence the goal of litigation should be around expanding the reach of SARs, in order to "flatten" the ecosystem.

This has two advantages: better competition, more transparency.

In particular, for every role, there is a possibility of picking a small player with this role, a huge one, or one with dual roles. **Each of those situations will lead to different outcomes for the SAR, all valuable**.

Scaling effects

Indirect SARs sound complicated and unhelpful. I am not sure: you get a lot of allies in putting pressure on the service providers, who sometimes masquerade as GDPR data processor (Q841). The costs and effects have a completely different scaling factor, and also an impact on the choice of jurisdiction.

GDPR Article 20 (Q846)-related questions

• All boils down to: what is provided by the data subject?
• Why do this? Because then we can transfer more easily to researchers to understand better the ecosystem.

GDPR Article 26 (Q842)-related questions

GDPR Article 26 (Q842) gives the right to information about the "essence of the contract" in joint-controller situations. What does this cover?

• Can we learn more about anonymization (Q848) or pseudonymization (Q847) through this?
• Can we know how unique identifier (Q127) hashing (Q849) is done? Is a hashing salt (Q850) used? This has direct impact on identifiability (to whom?)

Adtech experiments

• data portability portals
• I consent on Monday, withdraw it on Tuesday...

Facebook's Replacement IDs

Privacy Shield

Tremendous tool for choosing jurisdiction, at no cost.

Involves Europeans, but also Americans, whose data goes abroad. Drives a wedge between Facebook Ireland and Facebook Inc, etc.

Links to competition

Privacy is a dead-end for enforcement. It will always boil down to consent and design, and always be abused in unaccountable ways, in order to get the first users. And then it will expand progressively to everyone (cf. Facebook's experiments to get my consent in order to use facial recognition).

On the other hand, tracing data flows -- which is possible thanks to data protection law -- helps define exactly the assets that are being shared. It's not just about raw (personal) data, it's also about the consents associated to this data, as well as its identifiability. Once all this is taken into account, we will have a better understanding of the personal data market, and will be better able to assess dominance of some players over that market. This might open the door to a more reasoned antitrust action.

Relevant items

• advertising technology (Q107)
• adtech company (Q110)
• adtech ecosystem buy side (Q517)
• adtech ecosystem sell side (Q518)
• adtech ecosystem (Q370)
• adtech company (Q110)
• data management platform (Q495)
• identity resolution service (Q559)