European privacy rights groups have launched a campaign to stop social media platforms and internet search engines from “spying” on users through online advertising by filing GDPR complaints with nine EU data regulators.

The #StopSpyingOnUs campaign, made up of 12 human rights and digital rights organizations, has filed complaints in Germany, France, Belgium, Italy, Estonia, Bulgaria, Hungary, Slovenia, and the Czech Republic over “unlawful techniques” used by internet firms to sell advertising.

The campaign asks European data protection authorities to launch investigations into an “ongoing, massive potential data breach” that “occurs hundreds of billions of times every day” that “may affect everyone visiting a Website.”

At issue is real-time bidding, a server-to-server buying process that uses automated software to match millions of ad requests each second from online publishers with real-time bids from advertisers.

The online ad industry is a massive money spinner for the likes of Google, Facebook, and other online platforms and advertisers, and the market is expected to grow to U.S. $273 billion this year, according to research firm eMarketer.

Privacy campaigners, however, say that the industry’s success is based on the “illegal” gathering—and sale—of users’ data, which is taken without their knowledge or consent. This data, retrieved from consumers’ historic browsing records and “likes,” is then used to inform targeted sales techniques through “behavioral” advertising.

For example, Google’s ad services business, DoubleClick (recently renamed “Authorized Buyers”), is active on 8.4 million Websites and broadcasts personal data about visitors to these sites to over 2,000 companies, according to Liberties, one of the groups involved in the campaign.

The group adds that every time a person visits a Website and is shown a “behavioral” ad, his or her personal data—including browsing history, location, and even sexual orientation or even unique ID codes—are shared with thousands of companies in real time. Digital advertising companies can then broadcast this data through a “bid request” to sell advertisement placements on Websites the person is visiting.

“Such an advertising method clearly breaches the EU’s General Data Protection Regulations,” says Eva Simon, legal expert at Liberties, which is also trying to increase pressure on regulators to act by getting people to send complaints individually from its Website.

The criticism mirrors a complaint filed by privacy-focused Web browser Brave against Google in Ireland and the United Kingdom, which triggered an investigation by the Irish Data Protection Commission last month. Its statutory inquiry will probe whether Google’s online Ad Exchange violated GDPR by illegally tapping into sensitive personal information about internet users, such as their race, health, and political leanings, and sharing it with advertisers.

Google has said that it will “engage fully” with the Irish regulator’s investigation, adding that it “welcomes the opportunity for further clarification of Europe’s data protection rules for real-time bidding.”

Simon hopes that the collective campaign will lead to EU data regulators “having a conversation” about privacy issues and behavioral ads and prompt them to “combine their efforts to address this problem and force online advertising companies to respect the privacy of internet users.”

“This campaign will have organizations and individuals joining forces to protect personal information that may be shared without our consent,” she says.