Microsoft’s advertising subsidiary, Xandr, is facing serious allegations of violating the General Data Protection Regulation (GDPR). The privacy advocacy group, noyb, has filed a complaint with the Italian privacy watchdog, accusing Xandr of mishandling personal data for targeted advertising purposes.
According to noyb, Xandr collects and uses the personal information of millions of Europeans to facilitate Real-Time Bidding (RTB). RTB is an automated process where advertisers bid on available ad space based on users’ interests and characteristics. This allows advertisers to show personalized advertisements to users, which is a profitable practice for companies seeking to maximize their advertising effectiveness.
However, the privacy foundation claims that Xandr’s practices involve the sharing of extensive personal details with all advertisers participating in the bidding process, even though ultimately only one ad is shown to the user. These details can include sensitive information about an individual’s health, sexuality, and political views.
Additionally, Xandr has reportedly failed to comply with GDPR access and deletion requests. In 2022, the company received nearly 2,000 such requests but denied them all, according to noyb. This lack of compliance is a significant issue under GDPR, which grants individuals the right to access and delete their personal data held by companies.
“Xandr’s business is obviously based on keeping data on millions of Europeans and targeting them. Still, the company admits that it has a 0% response rate to access and erasure requests. It is astonishing that Xandr even publicly illustrates how it breaches the GDPR,” said Massimiliano Gelmi, a data protection lawyer at noyb.
The foundation also points out inaccuracies in Xandr’s data. An investigation revealed that Xandr’s database contains conflicting and erroneous information about users, such as listing the same person as both male and female or as having multiple income levels simultaneously. These inaccuracies question the effectiveness and honesty of Xandr’s targeted advertising model.
“The available information suggests that Xandr’s system uses tonnes of false information about users. Even from a business perspective, Xandr seems to make a mockery of the idea of targeted advertising,” Gelmi added.
Noyb has requested the Italian privacy watchdog to investigate Xandr and enforce GDPR compliance. They seek an order for Xandr to process data accurately and minimize unnecessary data collection. Additionally, they urge the watchdog to impose a fine of up to four percent of Xandr’s annual turnover to deter future violations.
