Microsoft's Xandr Faces Accusations of EU Privacy Violations

Microsoft’s Xandr Faces Accusations of EU Privacy Violations

Xandr, a Microsoft-owned ad tech company, specializes in digital advertising solutions and provides tools and platforms for advertisers and publishers to manage and optimize their advertising strategies across various digital media channels.

Microsoft’s subsidiary, Xandr, is under scrutiny for allegedly violating European Union data protection laws, following a complaint backed by the privacy advocacy organization, noyb. The complaint, submitted by an anonymous individual in Italy, has been filed with the country’s data protection authority under the General Data Protection Regulation (GDPR). Xandr could face fines amounting to up to 4% of Microsoft’s annual global revenue if they have been found not in compliance with GDPR.

According to an article published by noyb on July 9, 2024, Xandr collects and shares the personal data of millions of Europeans for detailed targeted advertising. This practice enables Xandr to auction off advertising space to thousands of advertisers. However, even though only one ad is displayed to users, all advertisers receive their data. This data may include sensitive personal details such as health information, sexual orientation, or political opinions.

According to previous research, Xandr collects hundreds of sensitive data points of Europeans, which include information about their health, sex life, sexual orientation, political or philosophical opinions, religious beliefs, or financial status. Specific segments identified in this data collection include labels such as “french_disability,” “pregnant,” “lgbt,” “gender_equality,” and “jewishfrench.”

In addition, noyb claims that Xandr fails to comply with any access requests, which, according to the GDPR, individuals have the right to access their information. Despite Xandr collecting extensive details about people, they reported a 0% response rate to access and erasure requests in 2022. Xandr openly publishes these internal statistics on a concealed website.

As per the article, the complainant directly experienced this issue: When requesting access to his data, Xandr claimed inability to identify him and denied his access and erasure request. However, the company possesses the necessary information to identify specific data subjects.

GDPR mandates data about individuals to be “accurate.” However, available information indicates that Xandr’s system includes a significant amount of false information about users. From a business standpoint, Xandr appears to undermine the concept of targeted advertising. Through an access request with the data broker and Xandr supplier, emetriq, it has been revealed that at least a portion of Xandr’s database contains highly inaccurate and contradictory personal data about individuals.

What to do if you or your vendors have active relationships with Microsoft’s Xandr

Xandr is currently under scrutiny for allegedly violating European Union data protection laws. This incident, which involves the collection and sharing of personal data for targeted advertising, raises significant concerns for businesses and individuals associated with Xandr. Here are some recommendations to follow if you or your vendors have active relationships with Xandr:

Review Data Privacy Practices

  • Assess Compliance: Ensure that your data privacy practices are in full compliance with GDPR and other relevant data protection laws. Review and update your data handling, storage, and sharing policies to align with legal requirements.
  • Audit Data Sharing Agreements: Examine data sharing agreements with Xandr and other third-party vendors. Confirm that all parties adhere to strict data protection standards and that there are clear guidelines on data usage.

Enhance Data Security Measures

  • Implement Robust Security Protocols: Strengthen your cybersecurity defenses to protect against unauthorized data access. This includes regular security audits, vulnerability assessments, and updating your security infrastructure.
  • Encrypt Sensitive Data: Ensure that all personal data, especially sensitive information such as health, sexual orientation, and political opinions, is encrypted both in transit and at rest.
  • Exercise Data Subject Rights

  • Facilitate Access and Erasure Requests: Ensure that mechanisms are in place for individuals to exercise their rights under GDPR, including access to their data and the ability to request its erasure. Promptly respond to such requests and maintain transparency with data subjects.
  • Monitor Compliance: Regularly monitor your compliance with access and erasure requests. Ensure that any third-party vendors, including Xandr, are also fulfilling these obligations.

Conduct Regular Privacy Impact Assessments (PIAs)

  • Evaluate Data Handling Risks: Perform regular PIAs to identify and mitigate risks associated with data processing activities. Assess how data is collected, used, and shared, and implement measures to minimize privacy risks.

Stay Informed and Engage with Regulatory Bodies

  • Stay informed about changes in data protection regulations and best practices. This will help ensure your compliance efforts remain current and effective.

Educate and Train Employees:

  • Provide Data Protection Training: Educate your employees about data protection laws, company policies, and best practices for handling personal data. Regular training sessions can help prevent data breaches and ensure compliance.
  • Promote a Culture of Privacy: Foster a culture of privacy within your organization where data protection is prioritized and employees understand the importance of safeguarding personal information.

These recommendations can help mitigate risks associated with data breaches and non-compliance, maintain trust with your own customers, and uphold ethical standards in data-driven advertising practices.

Sign up to try VISO TRUST today

Sign up for free

Try the VISO TRUST platform for free to see the CDK Global risk advisory in the context of your TPRM program and see if it impacts your vendors or your nth parties.