Online advertising giants have promised to rein in the sharing of sensitive personal data for targeted ads, but some still doubt they can comply with tough new data protection rules.

At a conference organised by the Information Commissioner’s Office this week, two of the biggest names in ad tech outlined moves to restrict the amount of personal information they send to advertisers who use their services.

It comes after reports that Google will limit the data it passes on to advertisers, and an ICO report in June warning parts of the current system for getting Internet users’ consent to targeted ads does not comply with the EU’s new GDPR rules.

A quick recap for those unfamiliar with the sprawling, Byzantine online advertising ecosystem: when you visit a website, it will almost certainly contain code from an advertising technology firm. This code looks for a cookie on your computer (a long string of letters and numbers), or some other way to uniquely identify you. The ad tech company will then try to match that unique identifier to information about you: which other websites you’ve visited, how old you are, what your likes and interests are, etc.

Having pulled together your profile, the ad tech company effectively auctions you off to the advertisers, telling them for example: “we have a guy in his 40s in the UK who likes technology and rock climbing and is probably interested in city break holidays – who wants to put an advert in front of him right now?”

The advertisers will then make bids to place their ads in the available slot, and usually the highest bid wins.

Terrifyingly yet impressively, this all takes place in a fraction of second, billions of times per day. It’s called Real Time Bidding, or RTB.

The inevitable outcome is that the more information the ad companies can find out about you, the more accurate their profile will be, and the more money they can charge advertisers (for example, if the ad tech company can discern not only that I’m in the market for a city break, but also that I’d be keen on Barcelona, they can potentially convince an advertisers to pay extra to get a more targeted ad in front of my eyeballs).

So a shadowy and complex industry has emerged to gather as much information as possible about web users, to “enrich” the profile information about them, all driven by the extra money that highly targeted ads can bring.

The first problem is data leakage: it’s not just the winning bidder who gets the users’ personal information – it goes out to all potential bidders, who can then hang onto it even after the auction, building up their own stock of profiles.

The second problem is, some of this information is highly sensitive: your health conditions, for example, or psychological well-being. Under the new EU GDPR rules, this is classed as “special category” data (along with religious and political beliefs, sexuality, and other attributes) and in order to use it, ad firms need to get users’ explicit permission.

The ICO found that, among the two biggest ad tech systems in the world, these rules are not being followed. It’s easy to see how this could happen: if a web user visits a health insurance site, for example, that might seem fairly innocuous. But if they visit the page on the site dedicated to rules around insurance for HIV sufferers who’ve used drugs intravenously, things get a lot more sensitive. If an ad tech company tells advertisers which page a user is looking at, they could be handing over “special category” data to a plethora of ad companies (not just the one company that wins the bidding process).

It’s far from clear what kind of explicit permission needs to be given before this can happen, and even if such permission is granted by the user on that occasion, what’s to stop an ad company from hanging on to that information and reusing it later without the user’s consent?

Hence the moves by ad tech giants to police the system.

Make no mistake, this area is a spaghetti junction of regulation, technology and entrenched business practices, and it’s hard to see a way out that won’t inflict pain on some of the players.