Real Time Bidding, AdTech & Data Protection

A GDPR & Data Protection Advisory Note.

Published: 02/03/2020 Last Updated: 02/03/2020

Warning! Dull data protection update below*

  • The ICO thinks the Real Time Bidding & AdTech industry “appears immature” in its understanding of data protection.
  • Thousands of organisations are processing billions of bid requests in the UK each week with inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
  • Individuals have no guarantees about the security of their personal data.

What is Real-Time Bidding?

Real-Time Bidding (RTB) is a set of technologies and practices used in programmatic advertising. It has evolved and grown rapidly in recent years and is underpinned by advertising technology (AdTech), allowing advertisers to compete for available digital advertising space in milliseconds, placing billions of online adverts on webpages and apps in the UK every day by automated means.

In practice, this means that when you visit a website, some of the ads you see have been specifically selected for you using real-time bidding. As the site was loading, the website publisher auctioned a space on the page you are viewing, and an advertiser bought it because it specifically wants to reach people like you. The process can involve many companies and happens in milliseconds.

The process relies on the potential advertiser seeing information about you. That information can be as basic as the device you’re using to view the webpage, or where in the country you are. But it can have a more detailed picture, including the websites you’ve visited, what your perceived interests are, even what health condition you’ve been searching for information about.

What are the data protection issues?

From a data protection point of view, RTB carries a number of issues. These include:

  • profiling and automated decision-making;
  • large-scale processing (including of special categories of data);
  • use of innovative technologies;
  • combining and matching data from multiple sources;
  • tracking of geolocation and/or behaviour; and
  • invisible processing.

These make the processing operations involved in RTB of a nature likely to result in a high risk to the rights of individuals. Many of the above factors constitute criteria that make data protection impact assessments (DPIAs) mandatory.

Who are the participants?

RTB involves multiple stakeholders including:

  • Advertisers: organisations that bid in real time to serve ad impressions to webpage visitors. The highest bidder ‘wins’, and their advertisement will be presented on the webpage to the user;
  • Publishers: websites that sell spaces for online adverts;
  • Advertising exchanges: Platforms for comparing the price and quality of impressions, the ‘location’ where the bidding aspect occurs. They serve as mediators and connectors between advertisers and publishers and operate on both the demand;
  • Data Management Platforms (DMPs): These platforms analyse, categorise and collate incoming data from multiple sources (including desktop, mobile web, mobile app, analytics, social media, and offline data), including bid requests, to support the personalised targeting of adverts;
  • Demand Side Platforms (DSPs): DSPs buy inventory (space on websites) based on behavioural, and often personal, data. If the impression matches the advertiser’s target audience, then a bid is placed via the DSP;
  • Supply Side Platforms (SSPs): SSPs help publishers manage and sell their advertising inventories; and
  • Consent Management Platforms (CMPs): CMPs are intended to serve as a tool for publishers, for example to enable them to manage user consent, and to facilitate the operation of frameworks such as the IAB Europe’s Transparency and Consent Framework.

What are the key data protection risks?

The following key issues create risks to individuals.

  1. Lawful basis and PECR: In practice, there is often a lack of clarity regarding the appropriate lawful basis for processing, as well as the particular requirements of each basis. For some participants, these are at best not fully understood or at worst ignored. Also, most participants are focused either solely or primarily on GDPR compliance, rather than the PECR.
  2. Special category data: A proportion of bid requests involve the processing of special category data, either at the point of collection or subsequently. Special category data constitutes the area of greatest potential harm to individuals.
  3. Lack of transparency: Whilst transparency and consent are closely linked in the context of RTB, in data protection terms they are separate concepts. For example, an organisation may meet the consent requirements (freely given, specific, informed, and unambiguous etc) but this does not necessarily mean it is compliant with the information requirements of the GDPR. However, in RTB the privacy information provided often lacks clarity and does not give individuals an appropriate picture of what happens to their data.
  4. The data supply chain: A single RTB request can result in personal data being processed by hundreds of organisations, each with their own privacy policy. Some of these will be in non-EU jurisdictions, meaning that international transfers of personal data are taking place. Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by other parties. In essence, once data is out of the hands of one party, that party has no way to guarantee that the data will remain subject to appropriate protection and controls.
  5. Data Protection Impact Assessments (DPIAs): DPIAs are tools that organisations can use to identify and minimise the data protection risks of any processing operation. The GDPR specifies several circumstances that require DPIAs. RTB matches a number of those, and participants are therefore legally required to perform DPIAs.


RTB and AdTech are fast developing. The ICO will be paying more and more attention to this sector, which means that those that participate in it must ensure that their businesses understand their data protection obligations and responsibilities.

*We’re not sure if the above is interesting, but it’s definitely not legal advice.
