chinnarach - stock.adobe.com

Open Rights Group accuses LiveRamp of ‘unlawful’ data processing

Privacy campaigners at Open Rights Group have submitted formal complaints to UK and French data regulators about allegedly unlawful data processing by online advertising firm LiveRamp

Privacy campaigners have submitted formal complaints to UK and French data regulators against online advertising and data brokerage company LiveRamp, claiming it’s “privacy-invasive profiling” breaks European data protection laws.

Open Rights Group (ORG) – which submitted two separate complaints to the UK Information Commissioner’s Office (ICO) and the French Commission Nationale de l'informatique et des libertés (CNIL) at the end of February 2024 – claims that LiveRamp’s extensive data processing activities are likely to be unlawful due to the lack of a clear legal basis and meaningful transparency for data subjects.

Other data protection issues cited in the complaint include LiveRamp’s “indiscriminate collection and processing of personal data”, which ORG claimed is “out of all proportion to its objectives”; its reuse of personal data that was collected for other contexts; and the security of people’s sensitive data. ORG claims these issues with LiveRamp’s data processing could affect millions of people in the UK.

“The Liveramp system is intrusive and lets advertisers link people’s actual address and name with their browsing habits. This is unacceptable,” said ORG executive director Jim Killock.

“The adtech industry is evolving fast as regulators elsewhere clamp down on profiling and excessive data sharing. These new and dangerous technologies are an attempt to get around changes that limit the use of tracking cookies, and to make online advertising more intrusive, rather than less.

“We hope that both the [UK] ICO and the CNIL in France will take these issues very seriously and investigate. In the UK, there are still outstanding, unresolved issues from previous complaints. Europe is making slow but definite progress against intrusive adtech.”

Computer Weekly contacted LiveRamp about the ORG complaint, which said it was aware of the reports submitted to data protection authorities: “LiveRamp firmly believes that we are in compliance with all laws in the regions where we operate, including UK and EU laws.

“As part of our long-standing collaborative relationship with the regulators across Europe, we have been working with the UK ICO for the last 2.5 years as part of their ongoing audit of the adtech sector. This is part of our ongoing engagement with regulators to ensure LiveRamp delivers privacy-centric solutions compliant with local market regulations.”

A spokesperson added “we look forward to continuing to engage and collaborate with regulators and policy makers to ensure that consumer privacy concerns are properly addressed, while also ensuring that there can be a vibrant and free internet for consumers that is supported by advertising and marketing.”

While complainants are usually expected to take the issue up with the data controller (LiveRamp in this instance) before making a complaint to the ICO, ORG said it believes this would “clearly be futile” because of how “the unlawful processing goes to the heart of LiveRamp’s business model”.

It added that there was no prospect of LiveRamp bringing itself into compliance off the back of a data subject’s informal complaint, and that the widespread nature of the “unlawful processing” instead requires regulatory action.

ORG further added that while the complaint is not intended as a comprehensive legal analysis of LiveRamp’s processing, the scale and opacity of its activities “makes it unrealistic for any individual complainant to fully investigate and legally analyse it”, which it said necessitates an ICO investigation.

The ORG added that online advertising technology is the backbone of surveillance capitalism and can have serious consequences for individuals, including the use of online advertising profiles to target problem gamblers or people with additions; exclude racialised minorities from housing or job adverts; and track women who have exercised their right to have an abortion.

Commenting on the complaint, an ICO spokesperson said: “We can confirm that we are making enquiries into LiveRamp UK, following an audit of the company as part of our work looking at the adtech sector. While we are aware of the report commissioned by Open Rights Group and are in touch with both parties, we cannot comment further at this stage.”

LiveRamp’s business model

Following its investigation into LiveRamp’s processing, which was conducted alongside independent researchers at Cracked Labs, ORG claimed the firms business involves the “maintenance of vast databases of personal information”, including postal addresses, phone numbers, email addresses and cookie identifiers.

“LiveRamp infers connections between these pieces of information, linking them with pseudonymous identifiers so that with just one piece of information – a device identifier or email address, for example – a comprehensive identifying profile of an individual can be retrieved,” ORG wrote in the complaint, adding that the firm then sells this data to a wide range of online actors, who can monitor individuals as they browse.

“In this way, LiveRamp’s processing plays a major role in today’s marketing surveillance ecosystem, since it facilitates ad-tech and behavioural advertising without the need for third-party cookies. LiveRamp also enables data brokers to sell personal data about millions of people to data buyers, who can then further transmit records to other companies, all while ensuring the commercial actors in the chain are talking about the same individuals.”

ORG added that the complexity and opacity of LiveRamp’s processing means that it is difficult to understand for ordinary consumers, and allows people to be tracked and influenced in a personalised way without them even realising it.

“Indeed, even where a person uses browsing behaviours that they might think protect them from being tracked – e.g. not logging into sites, or only providing partial address information – they can be monitored and profiled in ways they would not expect, thanks to LiveRamp’s processing,” it wrote.

In its complaint, ORG also specifically claimed that LiveRamp offers inconsistent information about its lawful basis for processing across different jurisdictions, noting that its French privacy notice suggests it relies on user consent, while its UK privacy notice suggests it relies principally on its ‘legitimate interests’.

However, in each case ORG claims the processing will likely be unlawful. In the case of ‘legitimate interests’, ORG said its “purely commercial” interests must be balanced against the invasiveness of its processing, “which minutely tracks people’s online and offline behaviour (such as changes of physical address) and invisibly exposes their personal information to hundreds of clients”.

In the case of relying on consent, ORG added that consent is not “freely given, specific, informed and unambiguous” as required by the UK General Data Protection Regulation (GDPR): “In particular, this is because the complexity and scale of LiveRamp’s processing means it cannot be properly understood by data subjects.”

Commenting on the firm’s business model, a LiveRamp spokesperson said “Over the past few years, we have supported the deprecation of third-party cookies and have taken a strong stand against fingerprinting and other nefarious tactics that do not require consent and affirmative action by the consumer. More specifically, LiveRamp’s Authenticated Traffic Solution requires affirmative consent across all jurisdictions where that is the model, and has multiple safeguards to check for consent.

“As one of the leaders in the industry, we are committed not just to respecting but to enhancing privacy and the appropriate collection and use of data. LiveRamp adheres to a privacy-by-design model, which not only ensures our processing of data is lawful but embeds a high degree of data ethics in everything we do."

Ongoing online advertising issues

ORG previously submitted a complaint about the widespread illegality of data protection practices throughout the online advertising sector in 2018.

In 2019, the ICO issued the report titled Update report into adtech and real time bidding, which found that online advertising companies were failing to comply with the law in key areas such as legality of data processing, transparency, use of sensitive data, accountability requirements and ensuring an adequate level of security throughout the supply chain.

“The creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening,” wrote the ICO. “We outline that one visit to a website, prompting one auction among advertisers, can result in a person’s personal data being seen by hundreds of organisations, in ways that suggest data protection rules have not been sufficiently considered.”

While the ICO closed the ORG complaint in August 2020, the privacy group appealed the decision, claiming that the issues raised had not been fully addressed. In 2021, the ORG lost its appeal to the Information Tribunal to have the complaint reopened.

The ORG has said that, to date, the ICO has not taken any regulatory action against data protection infringements in the online advertising space that were revealed as a result of the its complaint or the ICO update report.

It added that this stands in contrast to other European data protection authorities, which have ruled on the illegality of cookie banners and are actively contesting Meta’s processing of personal data for behavioural advertising.

“The abusive adtech business model is being contested everywhere, but the UK is lagging behind. The new complaint has been launched in part because the substantive issues raised with the ICO in 2018 have still not been addressed,” said the ORG.

In its latest complaint, the ORG said that while LiveRamp monitors hundreds of millions of individuals globally, its physical presence in the UK, alongside the fact that it is processing the personal data of millions of UK individuals, means the issue is within the ICOs jurisdiction.

Computer Weekly contacted the ICO about ORG’s claims of regulatory inaction. A spokesperson said that resetting any power imbalances between the public on one hand and online advertisers and aggregators on the other is a priority for the regulator, and that the ICO will continue to push for greater transparency and accountability within the adtech ecosystem.

“For example, in November [2023], we warned the top 100 websites in the UK that they faced enforcement action if their ‘reject all’ button for advertising cookies was not as prominent as their ‘accept all’, with an 80% success rate for compliance thus far and more action to follow. We have been clear that we will act decisively to protect the public where necessary.”

Read more about online advertising

Read more on Information technology in France

CIO
Security
Networking
Data Center
Data Management
Close