HomeWinBuzzer NewsMicrosoft's Xandr Faces GDPR Complaint Over Targeted Advertising Data Practices

Microsoft’s Xandr Faces GDPR Complaint Over Targeted Advertising Data Practices

Xandr is accused of violating GDPR by collecting extensive user data for targeted advertising and failing to respond to data access/removal requests.


Xandr, an advertising platform owned by Microsoft, is under scrutiny due to a GDPR complaint lodged by privacy group NOYB. The organization argues that Xandr's data collection practices for creating advertising profiles are not in line with GDPR regulations on data access and removal.

Detailed Accusations

The core of NOYB's complaint is Xandr's real-time bidding (RTB) system, which collects extensive user data to facilitate targeted advertising. NOYB's investigation claims the platform processes sensitive personal information, including health details, sexual orientation, political affiliations, religious beliefs, and financial data. Identified user segments comprised labels such as ‘french_disability,' ‘pregnant,' ‘lgbt,' ‘gender_equality,' and ‘jewishfrench.'

NOYB's findings also indicate potential inaccuracies in Xandr's data practices. Emetriq, a data supplier for Xandr, allegedly categorized users with contradictory attributes. Reports mentioned misclassifications such as labeling a single user as both male and female, aged between 16 and 60+, and having various employment statuses.

Regulatory Demands

The complaint has been presented to the Italian data protection authority, Garante. NOYB is calling for a comprehensive investigation into Xandr's operations and insists on compliance with GDPR provisions. The group also recommends a fine amounting to 4% of Xandr's annual revenue to enforce adherence to data protection laws. purchased Xandr from AT&T in 2021 and transitioned Microsoft Advertising into Xandr's SSP in 2023

Internal data from Xandr, displayed on a confidential website, shows that the company did not respond to any GDPR access and erasure requests in 2022. In one instance, when an individual requested access to his data, Xandr reportedly asserted that the user could not be identified, even though they had enough information to do so.

Legal Perspective

Massimiliano Gelmi, a NOYB data protection lawyer, noted his astonishment at Xandr's transparency regarding its non-compliance with GDPR. He emphasized that Xandr's business model is heavily dependent on maintaining comprehensive profiles of millions of users for targeted ads.

NOYB's grievance mentions potential violations of several GDPR articles, such as Article 5(1)(c) and (d), Article 12(2), Article 15, and Article 17. The group is petitioning Garante to ensure that Xandr adheres to GDPR mandates on data minimization and accuracy.

Recent NYOB Complaints

Last month, Austrian advocacy group NOYB also filed official grievances with Austria's data protection agency, contending that  neglects its obligations under and misuses tracking cookies within its Microsoft 365 Education package. A lawyer from the privacy rights organization, Maartje de Graaf, took aim at Microsoft's approach to student data protection in educational institutions. De Graaf argues that Microsoft unfairly places the responsibility for compliance on schools, an unrealistic expectation for these institutions.

In May, NOYB also accused OpenAI of violating GDPR laws. The complaint highlights a potential conflict between the General Data Protection  (GDPR) and the capabilities of large models (LLMs) like . The core of the issue lies in the inability of the LLM to correct demonstrably inaccurate personal data. 

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.