Privacy advocacy group NOYB has lodged a detailed complaint against Microsoft’s subsidiary, Xandr, with Italy’s data protection regulator, Garante. This legal step follows concerning discoveries regarding Xandr’s adherence to the General Data Protection Regulation (GDPR) and questions about the precision of data utilised in its Real Time Bidding (RTB) system for personalised advertising.
In February 2024, a complainant requested access to his data from Emetriq, receiving over 200 market segments and 70 profiling events linked to him. He also approached Xandr to access and erasure his data, providing a cookie value set by Xandr.
Xandr initially claimed they couldn’t identify him, thus denying his request, citing the pseudonymous nature of his data. This anonymous nature of data storage also prevents Xandr from complying with GDPR. However, they later ambiguously stated they would delete the identifier if found in their database.
In April 2024, the complainant sought more information from Emetriq about data recipients, particularly demand-side platforms (DSPs) like Xandr. Emetriq confirmed their segments were available on multiple DSPs, including Xandr. This situation underscores significant concerns about data accuracy and GDPR compliance, as Xandr’s contradictory responses highlight potential breaches in data handling and user rights.
Studies conducted by NYOB show that Xandr collects extensive data on European individuals, encompassing private details such as medical conditions, romantic preferences, ideological stances, and faith-based affiliations. The company’s user categorisations reportedly include labels referencing disability status in France, pregnancy, LGBTQ+ identity, views on gender issues, and Jewish heritage among French users.
The depth and nature of this data gathering raise substantial privacy issues, particularly in light of Xandr’s apparent struggles with adhering to GDPR standards.
In the online advertising, Xandr occupies a crucial position by managing Real Time Bidding operations. This process allows advertisers to compete for advertising opportunities on various digital platforms, including websites and mobile applications. The RTB system fundamentally depends on creating detailed user profiles based on individual preferences and attributes, which involves gathering and distributing significant volumes of personal information.
Emetriq, an organisation affiliated with German Telecom, is one of the external entities contributing data to Xandr’s operations.
“In June 2023, investigative journalists in both the US and Europe uncovered tens of thousands of segments collected by Xandr for targeting purposes. These profiles, originally disclosed by Xandr itself to promote its products with advertisers, revealed an impressive level of granularity and the potential to draw detailed inferences on the personal lives of consumers,” says the complaint.
GDPR requires accurate data about individuals, yet evidence suggests that Xandr’s system contains many inaccurate and contradictory information. Data from Emetriq, one of Xandr’s suppliers, revealed that the complainant’s profile included conflicting details such as multiple ages, genders, and employment status.
These discrepancies undermine the credibility of Xandr’s targeted advertising, suggesting a chaotic data management system that fails to provide accurate user profiles.
“It seems that parts of the advertising industry don’t care about providing advertisers with accurate information. Instead, the data set contains a chaotic variety of conflicting information. This can benefit companies like Xandr as they can sell the same user young and old, to different business partners,” notes Massimiliano Gelmi, a data protection lawyer at NOYB.
In response to this situation, NOYB has died a complaint with Garante, citing violations of several GDPR articles, including Article 5(1)(c) and (d) on data minimisation and accuracy, Article 12(7) on transparency, Article 15 on the right of access, and Article 17 on the right to erasure.
If found guilty, Xandr can face hefty fines of up to 4% of its annual turnover.
Last month, NOYB sued Microsoft over unlawful tracking of children via its 365 Education services. The privacy advocacy group also sued OpenAI, claiming the company provided inaccurate birth details to a public figure client.
In the News: Microsoft adds spellcheck and autocorrect to Notepad
