The Irish Council for Civil Liberties is suing a branch of the Interactive Advertising Bureau (IAB) and others over what it describes as “the world’s largest data breach”.
The IAB Tech Lab, based in New York, develops digital ad industry standards.
IAB members include Facebook, Google and Amazon.
The case brought by Johnny Ryan centres on the data shared between ad brokers and other firms while ad space is being auctioned as a site loads.
It’s known as real-time bidding.
The IAB said it was the first it had heard of the claim, although the court papers are dated 18 May.
“We are reviewing the allegations in conjunction with our legal advisers and will respond in due course, if appropriate,” said a spokeswoman.
There is a debate about the volume of data gathered about people in order to target digital ads, although this form of revenue is what currently keeps most internet services free to use.
But Mr Ryan argues that most people using online services are not aware of the amount of data that is shared about them, and with whom.
As a web page or app that carries advertising is loading, information is shared about the device it is loading on, some details about where that device is, and other information including previous websites visited and their subject matter.
This data is used by brokers to sell the ad space that is on that page in seconds or less, targeting the person using the device – although the person is not named.
If you momentarily see empty advertising spaces before they are filled on a web page or an app, you are essentially watching yourself being auctioned in that moment, says Mr Ryan, a former advertising industry professional who is now at the Irish Council for Civil Liberties.
There may be hundreds of ad firms representing different clients involved, but the brands themselves are not directly a part of the process.
The advertising industry says personally identifiable information isn’t shared. But critics say the sheer volume of information – even without a name – is still a violation of privacy.
“Every time we load a page on a commercial website or use an app, the website or app tells tens or hundreds of companies all about us, so that their clients can decide whether to bid on the opportunity to show you an ad,” he says.
“These bid requests include inferences of your sexual orientation, religion, what you’re reading, watching, and listening to, your location.”
The firms can also tell whether they have seen the individual’s profile before, Mr Ryan adds.
It is a multi-million-dollar industry.
The IAB Tech Lab provides industry-standard, two and three-digit codes which represent a huge number of categories – including subject areas like sexuality, religious views and whether the device appears to belong to someone with debts. They are attached to individual profiles.
This publicly available set of codes is called the audience taxonomy.
So, for example, according to the current standards, code number 383 represents someone who has expressed interest somewhere online in hair loss treatments, and number 60 denotes a household with an income of less than $10,000 (£7,000).
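To make the description above concrete, here is an added example (not from the article or the IAB) that audits a constructed bid request for the kinds of data the article lists, then strips them while keeping the auction itself. The field names follow OpenRTB 2.x conventions, which is an assumption since the article names no specification; only the segment codes 383 and 60 come from the article.

```python
import copy

# Field names follow OpenRTB 2.x conventions; that is an assumption, the article names no spec.
PERSONAL_FIELDS = {
    "device details": [("device", "ua"), ("device", "ip"), ("device", "ifa")],
    "location": [("device", "geo")],
    "browsing context": [("site", "page"), ("site", "ref")],
    "persistent user id": [("user", "id"), ("user", "buyeruid")],
    "audience segments": [("user", "data")],
}

# Constructed sample bid request. Segment ids 383 and 60 are the two codes the article cites.
SAMPLE = {
    "id": "auction-0001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
    "site": {"domain": "news.example", "page": "https://news.example/health/hair-loss",
             "ref": "https://search.example/"},
    "device": {"ua": "Mozilla/5.0 (constructed)", "ip": "203.0.113.7",
               "ifa": "00000000-0000-4000-8000-000000000000",
               "geo": {"lat": 53.35, "lon": -6.26}},
    "user": {"id": "u-7f3a", "buyeruid": "b-91c2",
             "data": [{"name": "example-dmp", "segment": [{"id": "383"}, {"id": "60"}]}]},
}

def audit(req):
    """List (category, path) for every personal-data field present in the request."""
    return [(cat, f"{parent}.{key}")
            for cat, paths in PERSONAL_FIELDS.items()
            for parent, key in paths if key in req.get(parent, {})]

def segment_ids(req):
    """Flatten the audience-segment codes attached to the user profile."""
    return [seg["id"] for d in req.get("user", {}).get("data", [])
            for seg in d.get("segment", [])]

def minimise(req):
    """Return a copy that keeps the auction (imp, site domain) but drops personal fields."""
    out = copy.deepcopy(req)
    for paths in PERSONAL_FIELDS.values():
        for parent, key in paths:
            out.get(parent, {}).pop(key, None)
    return out

if __name__ == "__main__":
    for cat, path in audit(SAMPLE):
        print(f"{cat:20} {path}")
    print("segments:", segment_ids(SAMPLE))
    print("after minimise:", minimise(SAMPLE))
```
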
Mr Ryan has now lodged the case with a court in Hamburg, on the grounds that nobody has actively consented to this data being gathered or shared.
He says he filed a similar complaint with the Irish Data Protection Commissioner’s Office when the European data privacy law GDPR was launched in May 2018 but the investigation is still continuing three years later. Duplicate complaints have been lodged with information commissioners in other EU countries, he said.
“The law needs to apply and sweep the industry so you can still have your bid requests but without personal data changing hands,” he said.
Apple is also increasingly cracking down on ad-tracking, enforcing “opt-in” consent for being tracked by apps on its devices – with a large majority of its customers choosing not to enable it.
Facebook has argued that Apple’s move is likely to hit small businesses hardest.