Published On: Thu, May 14th, 2020

Google’s Android ad ID targeted in vital GDPR tracking complaint

Now here’s an interesting GDPR complaint: Is Google illegally tracking Android users in Europe via a unique, device-assigned advertising ID?

First, what is the Android advertising ID? Per Google’s description to developers building apps for its smartphone platform it’s — [emphasis added by us]

The advertising ID is a unique, user-resettable ID for advertising, provided by Google Play services. It gives users better controls and provides developers with a simple, standard system to continue to monetize their apps. It enables users to reset their identifier or opt out of personalized ads (formerly known as interest-based ads) within Google Play apps.

Not so fast, says noyb — a European not-for-profit privacy advocacy organisation that campaigns to get regulators to enforce existing rules around how people’s data can be used — the problem with offering a tracking ID that can only be reset is that there’s no way for an Android user to not be tracked.

Simply put, resetting a tracker is not the same thing as being able to not be tracked at all.

noyb has now filed a formal complaint against Google under Europe’s General Data Protection Regulation (GDPR), accusing it of tracking Android users via the ad ID without legally valid consent.

As we’ve said many, many, many times before, GDPR applies a particular standard if you’re relying on consent — as Google appears to be here, given Android users are asked to agree to its terms on device set up, yet must agree to a resettable but not disable-able advertising ID.

Yet, under the EU data protection framework, for consent to be legally valid it must be informed, purpose limited and freely given.

Freely given means there must be a choice (which must also be free).

Thus the question arises, if an Android user can’t say no to an ad ID tracker — they can merely keep resetting it (with no user control over any previously collected data) — where’s their free choice to not be tracked by Google?

“In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device,” said Stefano Rossetti, privacy lawyer, in a statement on the complaint.

noyb’s contention is that Google’s ‘choice’ is “between tracking or more tracking” — which isn’t, therefore, a genuine choice to not be tracked at all.

“Google claims that users can control the processing of their data, but when put to the test Android does not allow deleting the tracking ID,” it writes. “It only allows users to generate a new tracking ID to replace the existing one. This neither deletes the data that was collected before, nor stops tracking going forward.”

“It is grotesque,” continued Rossetti. “Google claims that if you want them to stop tracking you, you have to agree to new tracking. It is like cancelling a contract only under the condition that you sign a new one. Google’s system seems to structurally deny the exercise of users’ rights.”

We reached out to Google for comment on noyb’s complaint. At the time of writing the company had not responded but we’ll update this report if it provides any remarks.

The tech giant is under active GDPR investigation related to a number of other issues — including its location tracking of users; and its use of personal data for online advertising.

The latest formal complaint over the Android ad ID has been lodged with Austria’s data protection authority on behalf of an Austrian citizen. (GDPR contains provisions that allow for third parties to file complaints on behalf of individuals.)

noyb says the complaint is partially based on a recent report by the Norwegian Consumer Council — which analyzed how popular apps are rampantly sharing user data with the behavioral ad industry.

In terms of process, it notes that the Austrian DPA may involve other European data watchdogs in the case.

This is under the ‘one-stop-shop’ mechanism in the GDPR whereby interested watchdogs liaise on cross-border investigations, with one typically taking a lead investigator role (likely to be the Irish Data Protection Commission in any complaint against Google).

Under Europe’s GDPR, data regulators have major penalty powers — with fines that can scale as high as 4% of global annual turnover, which in Google’s case could amount to up to €5BN. And the ability to order that data processing is suspended or stopped. (An outcome that would likely be far more expensive to a tech giant like Google.)

However there has been a dearth of major fines since the law began being applied, almost two years ago (exception: France’s data watchdog hit Google with a $57M fine last year). So pressure is continuing to pile up over enforcement — especially on Ireland’s Data Protection Commission which handles many cross-border complaints but has yet to issue any decisions in a raft of cross-border cases involving a number of tech giants.
