"Google will never sell any personal information to third parties; and you get to decide how your information is used." - Sundar Pichai

Sound familiar? Although big tech companies like Google keep the lights on by harvesting and monetizing your personal data, they can be quick to mince words and deny the strawman scenario of exchanging hard drives full of your data for a suitcase of money. Now California law has given them another reason to deny and deflect.

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. One of its biggest effects is to regulate the sale of data: under the law, any exchange of personal information for “valuable consideration” is, with some exceptions, a “sale.” Any company that sells data has to give users the chance to opt out of that sale, and facilitate those opt-outs by placing a “do not sell my data button” on the company’s website.

This is a big deal. The CCPA gives Californians an affirmative right to control how our personal data is used. On its own, the CCPA is not enough to fix the problems with tech’s use of personal data, but it is a good first step down the road to privacy reform.

How can a company that monetizes personal data evade these new CCPA duties? One way is to claim they do not “sell” data, as that term is used in CCPA. Google, the adtech oligarch, devourer of data, surveyor of souls, That Which Knows All That Is Known, has decided that it doesn’t sell data.

A screenshot of a web page that says "We do not sell your personal information to anyone"

Thanks for clearing that up.

Google controls about 62% of mobile browsers, 69% of desktop browsers, and the operating systems on 71% of mobile devices in the world. 92% of internet searches go through Google and 73% of American adults use YouTube. Google runs code on approximately 85% of sites on the Web and inside as many as 94% of apps in the Play store. It collects data about users’ every click, tap, query, and movement from all of those sources and more.

So what is happening with all of that data, which Google says it’s not selling, but from which it makes tens of billions of dollars a year?

Let’s find out.

Real-time bidding

Google monetizes what it observes about people in two major ways:

  1. It uses data to build individual profiles with demographics and interests, then lets advertisers target groups of people based on those traits.
  2. It shares data with advertisers directly and asks them to bid on individual ads.

The second method of monetization involves most of the behaviors that regular people might think of as “selling data.” Google is involved at nearly every level of the complex, automated process of third-party ad placement known as “real-time bidding,” or RTB.

Real-time bidding is the process by which publishers auction off ad space in their apps or on their websites. In doing so, they share sensitive user data—including geolocation, device IDs, identifying cookies, and browsing history—with dozens or hundreds of different adtech companies. 

Each RTB auction typically sees user data passing through three different layers of companies on its way from a device to an advertiser: supply-side platforms (or SSPs) collect user data to sell, ad exchanges organize auctions between them and advertisers, and demand-side platforms (or DSPs) “bid” on behalf of advertisers to decide which ads to show to which people. These auctions take milliseconds, constantly churning away in the background of your browsing activity as companies at every level of the process share and collect more and more data to add to their existing profiles of users.

A diagram showing the data flows from a user's computer to advertisers in the real-time bidding process

Data flows in a typical real-time bidding system

Google controls massive portions of nearly every level of the real-time bidding ecosystem. In 2007 Google purchased DoubleClick, then the largest third-party ad network for the Web. And in 2009 it bought AdMob, the largest ad server for the then-nascent mobile application market. Both AdMob and DoubleClick have blossomed under Google’s ownership, and today they continue to dominate their respective markets. DoubleClick (now folded into Google Marketing Platform) controls over half of the ad exchange market on the Web, and AdMob is far and away the most popular supply-side platform for apps on both iOS and Android.

Real-time bidding is a convoluted, opaque system of data collection and sharing that enables profiling and surveillance by advertisers, data brokers, hedge funds, and ICE. It is at the center of everything that’s wrong with privacy in tech. Let’s take a look at how Google claims it doesn’t sell data at different levels of the RTB process.

On your phone

AdMob is a mobile supply-side platform. That means the company creates tools, called Software Development Kits (SDKs), that developers build into their apps. AdMob partners with ad exchanges, and its SDKs connect apps to the exchanges directly. Inside an app, AdMob code collects information and shares it with Google and other exchanges through processes called “open bidding” and “mediation.” Your phone shares data, including your device ID and geolocation data, with Google and with other ad exchanges; the app serves you an ad; Google and the developer get paid.

A partial list of the ad exchanges that Google shares data with through AdMob Open Bidding.

In your browser

Google’s Ad Manager product (formerly DoubleClick for Publishers) is the equivalent of AdMob for the web. Developers install Google’s code on their websites, and the code makes requests to Google and other ad exchanges with your identifying cookie as well as other information. Again, Google sends data out into the ecosystem, and advertisers send money back.

Google also shares data with advertisers in other, less direct ways, such as by “cookie matching,” which lets third-party adtech companies connect their own tracking cookies to Google’s identifier. It has even been caught setting up “workarounds” to keep its non-consensual data-sharing measures active in jurisdictions where they should be illegal, like the EU. 

On Google’s servers

After the data leaves your device, it goes to one of several downstream services, like Google’s own Ad Exchange. Google collects bid requests from all over the Internet: from both sites and apps; from phones, computers, game consoles, and TVs; and from its own as well as competing SSPs. Then it presents those bid requests to hundreds of “authorized buyers”—demand side platforms that represent advertisers. Each of those DSPs has access to a firehose of personal information about millions of different users on all different devices. Google runs billions of ad auctions per day; in the process, it shares data about millions of people and receives millions of dollars from advertisers.

The data being transferred here is all associated with at least one unique ID: this could be the ad ID that identifies your phone, the cookie ID stored in your browser, or Google’s own internal ID for your account. Either way it ties back to you. It can include geolocation information, gender, age, and interests.

Beyond RTB: customer data files

RTB isn’t the only way Google shares data with advertisers (or anyone else with money). Google also allows its advertiser customers to target users by name, email, or device ID and reach them almost anywhere. Through its “Customer Match” program, advertisers can upload lists of users they want to reach, and Google will serve them ads in exchange for money. 

This is an indirect means of data sharing, but the end result is the same. Companies can upload lists of “anonymous” device IDs or phone numbers, and Google will connect those numbers to real people. Then, Google will serve ads to those people across its platforms: on their phones, computers, and TVs. Anyone who engages with those ads will be sent right to the advertiser’s landing page, where the advertiser can collect cookie IDs, IP address, location, and more. Researchers have found that this style of individual-targeting system exposes users to a wide range of privacy leaks.

To make this more concrete: suppose a company wants to acquire data about expecting mothers. It can buy a list of a million device IDs that a data broker believes to belong to such women. The company can upload this list to Google and target an ad at those IDs. If even a small fraction—say, 1%—click on the ad, then 10,000 people are sent to the advertiser’s landing page, where they automatically share their IP address, cookies, and possibly geolocation data. The company now has sensitive medical data about 10,000 people served up to it on a silver platter. (Google prohibits targeting based on medical and other characteristics in its Customer Match terms of service, but it is unclear how the company audits or enforces them.)

This system provides a way for companies to turn lists of identifiers into direct pipelines to real humans. Advertisers piggyback on Google’s identity graph, and can acquire new data about their targets in the process. And for its services, Google gets paid. Once again, Google insists this is not a sale.

The need for stronger consumer data privacy laws

In many different ways, Google sends data to advertisers, and advertisers send it money.

Yet Google claims that it’s not “selling” anything.

It does acknowledge that somewhere in this process, a “sale” is occurring. It just insists that Google itself isn’t the one selling data. Instead, although Google facilitates the whole process, it places the responsibility for CCPA compliance on website and app publishers. Therefore, in order to opt out of having your data sold by Google’s services, you need to opt out with each individual app and website that you use. Doing so won’t even stop your data from being collected; it will only stop Google from showing you behaviorally targeted ads.
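As an added illustration of the SSP → exchange → DSP fan-out described under “Real-time bidding” and of the per-publisher opt-out described just above (this is example code, not from the article or from Google): a toy Python model that records which party receives each field of a bid request. The party names, field names and sample values are constructed, and treating a publisher opt-out as “still collected by the SSP and exchange, just not forwarded to DSPs for behavioral bidding” is a modelling assumption.

```python
from collections import defaultdict

# Constructed bid request: the kinds of fields the article says leave a
# device during RTB. Every value here is a placeholder, not a real identifier.
SAMPLE_REQUEST = {
    "device_id": "ADID-CONSTRUCTED-0001",
    "geolocation": (37.77, -122.42),
    "cookie_id": "COOKIE-CONSTRUCTED-abc",
    "browsing_history": ["news.example", "health-forum.example"],
}

# Constructed topology (assumed names): each publisher uses one SSP, every
# request passes through a single exchange, which fans it out to all DSPs.
PUBLISHERS = {"app-a": "ssp-1", "site-b": "ssp-2"}
EXCHANGE = "exchange"
DSPS = ["dsp-1", "dsp-2", "dsp-3"]


def run_auctions(request, publishers, exchange, dsps, opted_out=()):
    """Send one bid request per publisher and record which party received
    which field. Modelling assumption for a publisher-level opt-out: the
    request still reaches the SSP and the exchange (collection continues,
    as the article says) but is not fanned out to DSPs for behavioral bids."""
    exposure = defaultdict(set)  # field name -> parties that received it

    def deliver(party, payload):
        for field_name in payload:
            exposure[field_name].add(party)

    for publisher, ssp in publishers.items():
        deliver(ssp, request)        # SDK or page script sends data to the SSP
        deliver(exchange, request)   # SSP forwards the request to the exchange
        if publisher in opted_out:
            continue                 # opted out here: no behavioral bidding
        for dsp in dsps:             # exchange shares the request with every bidder
            deliver(dsp, request)
    return {name: sorted(parties) for name, parties in exposure.items()}


def recipient_counts(request, publishers, exchange, dsps, opted_out=()):
    """Number of distinct parties that received each field."""
    exposure = run_auctions(request, publishers, exchange, dsps, opted_out)
    return {name: len(parties) for name, parties in exposure.items()}


if __name__ == "__main__":
    print(recipient_counts(SAMPLE_REQUEST, PUBLISHERS, EXCHANGE, DSPS))
    print(recipient_counts(SAMPLE_REQUEST, PUBLISHERS, EXCHANGE, DSPS,
                           opted_out={"app-a"}))
    print(recipient_counts(SAMPLE_REQUEST, PUBLISHERS, EXCHANGE, DSPS,
                           opted_out={"app-a", "site-b"}))
```

Opting out at one publisher leaves the recipient count for every field unchanged, because the other publisher’s requests still reach every DSP; even opting out everywhere leaves the SSPs and the exchange holding the data.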

If Google isn’t “selling” data for purposes of CCPA protections of consumers, that underscores the need for a more comprehensive law that treats privacy as a default, not an option. It’s unreasonable to expect users to tell every company in the expansive tech ecosystem, one by one, that they would like their privacy please. And companies like Google shouldn’t be able to monetize data they collect without consent even if they aren’t technically “selling” it. Data collection, use, and sharing should be minimized by default.