We’ve compiled a suite of materials to help you discover more about the current state of play in the adtech business, and how certain companies exploit personal data for financial gain. If you need any more resources then please contact us here.
The Privacy Collective pursues and/or supports claims in selected jurisdictions for compensation arising out of
the misuse of personal data on behalf of, and for the benefit of, the general public collectively (as a class)
– referred to below as the ‘class’ of claimants.
What claims are expected to be commenced at the present time?
Claims arising out of the placement of third-party tracking cookies on your devices when browsing the internet and the collection and sharing of personal data with other parties in connection with the programmatic auctioning of online advertising
See About Us for more information on the claims in each jurisdiction.
Who will be eligible for compensation?
Generally, any person who, since 25 May 2018, has been the subject of third-party tracking cookies and who is resident in a jurisdiction in which a claim is being made. More detailed information on eligibility is available
firstname.lastname@example.org. Also see About Us.
Who are the claims against?
The claims will be against certain companies who place third-party tracking cookies and operate data servers including
data management platforms (DMPs)
which are responsible for the control and/or processing of your personal data
collected by their third-party cookies.
What are the grounds of the claims?
Breach of various provisions of the General Data Protection Regulations
(GDPR) which applies from 25 May 2018, which is intended to safeguard the privacy of your
Once the case is over and if successful, you will need to register to receive compensation following a settlement
or judgment (if the claim is successful).
What if I don’t want to be represented and wish to pursue a claim
You will be entitled to opt out in order to pursue your own claim independently, if you wish
In the claim, it will be submitted that this does not affect the right of the class to compensation because any
consent to the sharing of personal data for the purpose of profiting from real time bidding was not valid.
Where will the legal claims be filed?
The claims will typically be made in the courts of the country where the misuse of personal data has occurred (being the country where the class of claimants are habitually resident).
At the present time, claims for compensation have been filed in The Netherlands (for the benefit of those resident in The Netherlands) and in England & Wales (for the benefit of those resident in England & Wales).
What is the amount of compensation being claimed?
This will be determined by the relevant Court. Based on previous judgements, the amount of compensation could be
in the region of €500 (equivalent in GB£ for England & Wales) per person due by each of the defendants.
How long will the court proceedings in respect of the claims take?
This depends on whether the claim is settled or goes to a full trial. If there is no settlement of the claims
before the full trial, the proceedings could last as long as three years (estimated).
How will the costs and expenses of the claims be funded?
All costs and expenses of the claims (including any court fees, lawyers and experts) will be funded by a litigation
funder in return for a commission, which is based on a percentage of the compensation awarded in favour of
the class of claimants. If the claim is successful, the litigation funder will be entitled to recover the costs
and expenses funded by it and the commission, out of the damages awarded to the class. If the claim is unsuccessful,
the litigation funder will bear all of the costs and expenses.
You will not be obliged to pay for any costs and expenses of the claims in any circumstances.
Do The Privacy Collective have a financial interest in the claims?
No. The claims are made for the benefit of the class of claimants.
A brief history of cookies and tracking
Cookies were first designed in the mid-1990s as a means to make e-commerce shopping carts possible. But what started as a simple - virtually invisible - solution to help improve user experience online quickly became marred in scandal, when the existence
and purpose of cookies became known publicly.
Common Types of Cookies:
These are four of the most common cookie classifications and how they work.
First-party cookies are created by the site you’re currently visiting. They are a core feature of most sites and aid basic functionality and accessibility. This site relies on first-party cookies to identify where in the world you are,
so we can serve you text in your native language.
Third-party cookies are cookies added by a domain other than then site you are currently visiting. The most common use of third-party cookies is to track users who click on advertisements. For example, when you click on an ad on a website,
a third-party cookie is used to associate your traffic with the site where the ad appeared. While cookies are a necessary part of the modern web, they can also pose a considerable risk of privacy invasion, as well as a security risk to the websites
that use them.
Session cookies are temporary cookies stored in the browser’s memory until the browser is closed. These types of cookies pose less of a security risk and are used to power e-commerce shopping carts, to adjust preferred page layouts and
for other short-term storage purposes
Persistent cookies are longer-term cookies that are tagged by the issuer with an expiration date. These cookies are stored by the browser even after it’s closed, pinging back to the issuer every time you interact with them.
Persistent cookies can track your activity not only on the site that issued the cookie, but also on any site that includes a resource issued by the same site. This allows the likes of Google and Facebook to create a log of user activity across multiple
websites. When you click ‘Remember Me,’ or similar, when logging into an online account, a persistent cookie is used to store your information on your browser.
Because persistent cookies stick around much longer than session cookies, and can theoretically track your activity over time across multiple sites, they pose a much greater risk to user privacy than session cookies.
Real-time bidding (RTB) in more depth
RTB is a new model of buying online advertising inventory. Traditionally, static ads are bought by the impression; a media company will commit to delivering X number of impressions for an advertiser over a set period of time.
With RTB, inventory can be bought and sold on a per-impression basis programmatically. Automated servers are designed to bid against one another to run display ads in any given space and, if they win, that ad is served to the user. This means you can
optimise on the fly with different advertising content, with the ultimate goal of delivering the most personalised ads to the highest number of people.
that’s also aware of what activity they’ve had online that previous day, week or month.
Class action (or collective action)
A class action, or collective action, lawsuit - sometimes also known as ‘representative action’ - is a type
of suit where one of the parties is a (foundation acting for a) group of people, represented collectively
by (a foundation or) a single member of that group. In this case, The Privacy Collective, through its local
initiatives, are representing the interests of Affected Parties.
Cookie – first-party
An HTTP cookie - or an internet cookie, or a browser cookie - is a fundamental part of the modern online space. It is essentially a small piece of data shared between a website and a user’s device via their web browser. In its most basic terms: if you
visit a website, the site may deliver a cookie identifying you as X. And if you leave the site and then return to it again, that cookie will be used for the site to recognise that you are the same X who previously browsed the page. Cookies were designed
to reliably remember useful information about a user (i.e. contents of a shopping cart) or to record the user’s browsing activity (i.e. log-in information, or previous activity on that page). They can also be used to remember previously-entered information
such as names, addresses, passwords, log-in IDs and credit-card numbers. Security is clearly an issue here, so traditionally, cookies are encrypted to avoid outside agents freely accessing user’s information. See below for more information.
Cookie – third-party, or tracking
More commonly known as ‘third-party cookies,’ these are cookies not associated with the website you’re actually on. They aren’t offering you or your device any assistance, but are purely there to collect information about you, almost always for marketing
Cookie syncing takes place when two advertising systems or platforms attempt to compare the collected information they each have about a person.
Data management platform (DMP)
The main mode of action of the adtech industry. A DMP is a unifying platform to collect, organise and activate first-, second- and third-party audience data from any source. DMPs fuel data-driven marketing because they allow businesses to collect, aggregate
and exploit individual customer models.
Demand side platform (DSP)
A DSP allows advertisers to buy inventory at the best price, targeting users based on the various categories such as location, age and gender, to increase the impact of an ad campaign.
General data protection regulation (GDPR)
A piece of privacy legislation rolled across the EU in 2018 that sets out seven core principles for the lawful processing of personal information. Broadly speaking, these principles cover:
Any data - online or otherwise - that could be used to identify a particular individual, e.g. full name, passport number, email address, driver's license number, bank account details, etc.
Real-time bidding (RTB)
Traditionally, advertising inventory online is bought statically, on the basis of a set amount of impressions (direct views, and secondary incidental views). RTB inventory is bought and sold programmatically on a per-impression basis. Automated servers
bid against one another live to run their advertising inventory, and if they win, that ad is served to the user. It means companies can optimise on the fly with different creatives and serve people the most personalised ads possible.
Supply side platform (SSP)
SSP is similar to DSP. Here, publishers sell their ad inventory to gain maximum benefit, allowing website owners for example to sell their ad space by providing free content to users. There’s an implicit value exchange here; the user gets content, but
views paid-for advertising first. SSPs are often connected to multiple DSPs, where multiple media buyers try to sell their inventory. The publishers can ask for ads that match their content - by sharing first-party user data - which, put simply, is
the reason why you often see ads for sports equipment on sports websites.
Exec summary: Networks of online platforms, advertising technology providers, data-brokers and various other businesses can now monitor, recognise and analyse individuals in many aspects of their lives. Information about personal characteristics and
behaviors is linked, combined and monetised in real-time across companies, databases, platforms, devices and services. Based on data, and guided by their business interests, multinational companies have constructed an online environment which
constantly watches, evaluates, categorises, ranks, and includes or excludes individuals. Constant data tracking and profiling, in combination with personalised optimisation and A/B testing, are used systematically to actually influence people’s
Exec summary: Just a single visit to a website is enough to start an advertisers’ auction which can result in an individual’s personal data being shared amongst hundreds of disparate businesses. And as these bids are normally not sent via a single
entity, there is a chance that each of these requests can be accessed and harvested by anyone using the standard protocols available, whether they’re on the approved vendor list or not. There’s also no oversight as to whether any of these potential
parties are processing personal data according to the requirements of GDPR. The reason for all this is that while only one party will ‘win’ the auction to serve their ad, multiple parties receive the information about a user. There are no controls
or limits on how that personal data will be processed by the other parties - is it transferred securely? Will it be stored? And so on.
Exec summary: Our study observed 10 apps transmitting user data to at least 135 separate third-party entities involved in behavioural profiling and/or advertising. The Android Advertising ID, which allows consumers to be tracked across different services,
was transferred to at least 70 different third parties. This identifier was often transmitted in combination with other personal information, such as location and unique computer IP address. The result of this extensive collection, combination
and use of personal data is that individuals are able to be tracked without their knowledge across apps and devices. This allows advertisers to create very comprehensive profiles of individuals, including age, gender and location. Such information
can be used to target ads, as well as infer other attributes such as sexual preference and religion.
Exec summary: Many controllers are setting a wide range of third-party cookies as soon as a user lands on their website, without any consent or even announcement to the user. These included social media platforms, payment providers and advertisers,
all which enable the monitoring of browsing habits and online (even potentially offline) behaviour of individuals, across sessions and devices. 15 of the 38 controllers responded either that they were aware they may not be compliant with the regulations,
or that they had identified improvements they planned to make to be compliant.