The IAB Technology Laboratory (IAB Tech Lab), which develops ad-industry standards, is being sued by the Irish Council for Civil Liberties (ICCL) for allegedly being responsible for "the world's largest data breach."
A non-profit digital media consortium established in 2014 and based in New York, the IAB Tech Lab's 650-member community includes Facebook, Google and Amazon.
In a lawsuit filed by ICCL senior fellow Johnny Ryan on May 18 in a court in Hamburg, the IAB Tech Lab comes under fire for real-time bidding, a process during which data is shared between ad brokers and other companies while advertising space is being auctioned as a website loads.
Despite the case's having been filed nearly a month ago, the IAB Tech Lab told a BBC reporter who reached out to the consortium for comment for an article that went live Wednesday that it was not familiar with Ryan's claim.
"We are reviewing the allegations in conjunction with our legal advisers and will respond in due course, if appropriate," said an IAB Tech Lab spokesperson.
Ryan, who worked as an advertising-industry professional before joining the ICCL, claims that when a user loads an app or web page that carries advertising, their data is shared with hundreds of ad brokers.
The brokers use the data to sell the ad space that splashes onto the screen while the page loads. According to Ryan, users who see empty ad spaces that then fill with ads are watching their own data being auctioned in real time.
Ryan said user data shared in the process includes "inferences of your sexual orientation, religion, what you're reading, watching, and listening to, your location."
He said it is multi-million-dollar industry that most internet users know nothing about.
The IAB Tech Lab provides publicly available two- and three-digit codes, each of which represents a piece of user data. For example, a household with an income lower than $10k is given the code 60.
Ryan alleges that providing that data – which IAB Tech Lab calls "audience taxonomy" – breaches EU privacy rules because users have not actively consented to this collection and dispersion of their data.
He said: "The law needs to apply and sweep the industry so you can still have your bid requests but without personal data changing hands."