This Privacy Policy (“the Policy”) explains how and why New York University (“NYU”) processes personal data when people install Ad Observer (“the Application”).

The Policy does not cover any other personal data processing by NYU, which is covered by other applicable policies and procedures, including NYU’s Digital Privacy Statement.

If you have a question regarding the Policy or the use of the Application, please contact developers@adobserver.org.

Data controller

NYU is the controller of the data covered by the Policy. You can contact NYU’s Data Protection Officer with any questions about this notice, our data collection practices, or your rights. You can reach NYU’s Data Protection Officer, Peter Christensen, at:

Peter Christensen

c/o Data Protection Officer’s Office

70 Washington Square South

Room 1201

New York, NY 10012

+1 212 992 7256

Guiding principles

NYU is committed to respecting individuals’ right to privacy, protecting personal data and compliance with applicable laws globally. In accordance with these guiding principles, the Application has been designed to process the minimum amount of personal data possible to achieve NYU’s objectives.

Purposes and means of data processing

The purpose of the Application is to collect information about the political ads directed at and seen by private individuals on Facebook & YouTube. This is done with the objective of facilitating public understanding of how political advertising is deployed. NYU believes that it is in the public interest to understand this phenomenon and its impact on democracy.


To this end, NYU collects basic demographic information about the individuals who install the Application as well as information about the ads that they see. This information has been kept to an absolute minimum, so that it is not possible for NYU to identify individual users of the Application.

NYU also maintains a public, online repository of aggregate data (“the Database”) collected by the Application in order to render its research findings transparent and facilitate research by others. This information is anonymized so that it is not possible to identify individual users of the Application from within the Database. The Database can be accessed here.

Data processed by the Application

When an individual user installs the Application, they are invited to provide basic demographic information about themselves: their age group, gender and ethnicity. This basic demographic profile (“the Profile”) helps NYU understand which people see which ads. It is not mandatory to provide this information and the Application can still collect data that contributes to the research project without creating a Profile.

No other personally identifiable information is requested or processed by NYU. The browser language, which is recorded by the Application for the purposes of correctly parsing the ads, is also included in the Profile. The Application does not undertake any “profiling” or “automated decision-making” as defined by the GDPR.

If the user has elected to share their Profile, an instance identification number (“ID”) is created and stored locally by the Application. When an ad is seen by the Application, details of the ad together with the ID and the Profile data is transmitted to NYU. This data is then added to the Database, with the exception of the ID, which is not added to the Database.

If the user has decided not to create or share a Profile, only the data related to the ads is transmitted to and included in the Database. All users can view the data related to the ads that has been processed by the Application at any time by clicking on the Ad Observer icon and navigating to ‘My Archive’.

Legal basis for processing

NYU processes data for the above purposes on the basis of consent. By installing the Application, users consent to the processing of their data for the purposes described above. Individuals may withdraw their consent at any time by uninstalling the Application.


As noted above, data retained in the Database is anonymised, meaning that a user’s withdrawal of consent will not mean the deletion of the data related to the ads that the Application has collected.

“Sensitive data”


As noted above, individuals may elect to provide information about their ethnicity when they install the Application. This data, which may fall within the definition of “special category data” under the GDPR, is processed with consent. As noted above, this data is not stored by NYU in a format that allows identification of the individual concerned. No other sensitive data is requested or processed by NYU.

Information security

NYU takes reasonable steps to protect personal data against loss, misuse, and unauthorized access, alteration, disclosure or destruction. This includes the use of technical, organisational and legal measures to ensure the confidentiality, integrity and availability of personal data.

Information transmitted across the internet remains vulnerable to unauthorised access. The transmission of such data is therefore at the individual’s own risk. See further [link to ToU]

Data retention

No personal data is retained by NYU. The only data that is retained has been fully and irreversibly anonymised.

Data Subjects Rights

Individuals whose personal data is processed in accordance with the GDPR have the following rights:

The right to be informed as to whether NYU holds data about them
The right of access to that information
The right to have inaccurate data corrected
The right to have their data deleted
The right to opt-out of particular data processing operations
The right to receive their data in a form that makes it “portable”
The right to object to data processing
The right to receive an explanation about any automated decision making and/or profiling, and to challenge those decisions where appropriate
Individuals wishing to exercise their rights in respect of the Application can do so by contacting NYU’s Data Protection Officer’s Office using the contact details provided above.

Data subjects covered by EU law may also be entitled to lodge complaints in regard to data processing or the handling of subject access requests with data protection supervisory authority in their country of residence. Relevant supervisory authority names and contact details are listed here.

Changes and revisions

Should NYU make changes to this Policy, the date and nature of the change will be indicated below.