Web browser company Brave said on Wednesday that it learned how Google works around GDPR (the EU's data privacy regulation) to help its advertising partners identify European web users. According to the company, which offers its own privacy-focused web browser, Google uses Push Pages that contain unique identifiers to share information with its partners. Those pages appear to be made specifically for identifying web users; they have no other function.
This isn't the first time Brave has leveled allegations of GDPR violations against Google. The company told the UK Information Commissioner and Irish Data Protection Commission (DPC) in September 2018 that Google's advertising systems were a "massive and ongoing data breach that affects virtually every user on the web." The revelation of these Push Pages is supposed to help support those claims.
Brave said the Push Pages rely on a "code of almost 2,000 characters, which Google adds at the end to uniquely identify the person that Google is sharing information about" and which can be used in conjunction with other identifiers, like browser cookies. This makes it easier for Google's partners to connect data about website visitors even if the partners aren't technically being given the visitors' real identities.
The Push Pages don't appear to serve any other purpose. Brave said they're never visible to users, and even if someone enters their URL to visit them directly, they don't show any content. (Which implies that Google only intends for them to communicate with other background processes of which web users are probably unaware.) Here's what Brave said about Push Pages' implication for web users:
"Brave’s evidence shows that Google’s Push Page mechanism undermines Google’s purported data protection measures. They are also vulnerable to abuse by other parties. We are aware that companies other than Google have used the Push Page mechanism to establish their own Push Pages to share data with their own business partners. This appears to happen without Google’s knowledge. The loss of control over personal data in Google’s RTB system is again evident, and it is clear that Google’s policies have provided no protection."
Google sent us the following response to our request for comment. "We do not serve personalized ads or send bid requests to bidders without user consent. The Irish DPC -- as Google's lead DPA -- and the UK ICO are already looking into real time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full."
The company also pointed us to some articles on Cookie Syncing (aka Cookie Matching), a process that many companies, including Google, use to share data between ad networks that each have their own tracking IDs. Google has been publicly open about its use of this industry-standard technology. It noted that some URLs we submit data to every day, from commerce engines to ad landing pages, also appear blank when typed into the browser.
More information about Brave's allegations can be found in the company's report to the DPC. Because Google followed many of its counterparts in basing its European headquarters in Ireland for tax purposes, the DPC is tasked with enforcing GDPR and other regulations.