Last year, when the EU enacted the General Data Protection Regulation (GDPR), it took a strong consumer-oriented stance on data and privacy. However, new evidence seems to suggest that Google may not be complying with the GDPR.
According to a report by CNET, Google has been sending personal information to ad companies who can subsequently match that with your profile. This is done through a process called “cookie matching”/”cookie syncing” where ad companies can identify you via cookies across different websites and profiles.
This practice was spotted by Chief Policy Officer of browser Brave, Johnny Ryan. According to a Financial Times report, Ryan “found that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page. The page showed no content but had a unique address that linked it to Mr. Ryan’s browsing activity.”
Ryan’s discovery was corroborated by others. Particularly, ad-tech analyst Zach Edwards was able to replicate Ryan’s results and showed that the identifying tracker on the hidden webpage were actually unique to each user in a group of hundreds (Financial Times).
An investigation with the EU Data Protection Commission is underway.