EU consumer groups urge immediate investigation into systematic breaches of GDPR by online advertising companies

PRESS RELEASE - 14.01.2020

Consumer groups from across the BEUC network [1] are today urging their data protection authorities to open an investigation into practices by online advertising tech companies and bring them into compliance with the General Data Protection Regulation (GDPR). Based on a comprehensive report on the matter, the Norwegian consumer organisation Forbrukerrådet has filed several GDPR complaints against the dating app Grindr and five online advertising technology companies [2].


The report provides compelling evidence about how the so-called ad-tech companies collect vast amounts of personal data from people using mobile devices, which advertising companies and marketeers then use to target consumers with personalised ads, without a valid legal basis and without consumers knowing it.

Consumer organisations are seriously concerned that consumers have no realistic way to stop or control their data being hoovered up and exploited by the ad-tech industry. In its complaint, Forbrukerrådet asserts that the five ad-tech companies and Grindr do not have a valid legal basis to process and share the personal data that they are receiving [3].

The research from Forbrukerrådet [4] shows how sensitive information about people’s health, their sexual orientation, their location and interests is exploited by these companies. Consumers are generally unaware of this data collection and exploitation system. Even if consumers know about it, there is very little they can do to protect themselves. The pervasive tracking and profiling of consumers that is at the heart of the system is at odds with the GDPR. Apart from enabling targeted behavioural advertising, this data collection can lead to exclusion, discrimination, fraud and manipulation, for example, by determining the maximum price a consumer is willing to pay for a product or service, and by adjusting the price upwards accordingly.

Monique Goyens, Director General of The European Consumer Organisation, commented:

“Consumers carry their mobile devices everywhere and use them for a myriad of reasons. What people do not know is that scores of companies with whom they have no relationship hoover up all sorts of personal data through software installed inside their apps. The study shows that most of the time there is no legal basis for this unrestrained surveillance, and it also leaves consumers vulnerable to discriminatory practices or to manipulation. 

“The EU’s data protection law is a powerful tool to defend consumers against companies who do not respect their privacy. Data protection authorities need to take action against those who break the rules.”

The call for an in-depth investigation is echoed by consumer and civil rights groups from the US (who will write to their Federal Trade Commission), Russia and New Zealand. In a letter to the European Commission’s Executive Vice-President M. Vestager, BEUC is asking the EU to take action against the systematic and illegal commercial surveillance enabled by the ad-tech business model. [5]



[1] Consumentenbond (NL), EKPIZO (EL), Fédération Romande des Consommateurs (CH), KEPKA (EL), Sveriges Konsumenter (SE), Forbrugerrådet Tænk (DK), UFC-Que Choisir (FR), Verein für Konsumenteninformation (AT), Which? (UK) and Zveza Potrošnikov Slovenije (SI)
[2] The five adtech companies in question are MoPub (Twitter), AppNexus (AT&T), OpenX, AdColony and Smaato
[3] The data collection and use is not based on a legally valid consent from users under GDPR Art.7. Users have no idea that the companies even exist, and consequently cannot make informed choices. These companies also cannot claim to have a legitimate interest (as described in GDPR Art.6). Because of the comprehensive tracking and the privacy violations that occur as a consequence, the rights and freedoms of the individual outweigh any legitimate interests the companies may claim to have.
[5] BEUC has also written to Commissioners Breton and Reynders, the European Data Protection Board and the European Data Protection Supervisor.