Real-time bidding, a thriving ad targeting technique, is becoming a GDPR dilemma

U.S. advertisers spent an estimated $23.5 billion on the tactic last year, up from $6.4 billion in 2014.
real time bidding

Data security advocates are taking action against a popular digital advertising technique that sends individuals’ information to perhaps hundreds of companies in less than a second, often without adequate protective measures.

Real-time bidding is the subject of four alleged violations of the European Union’s General Data Protection Regulation (GDPR) filed Monday with regulators in Belgium, Luxembourg, the Netherlands, and Spain. Real-time bidding (RTB) is a targeted advertising technique that occurs when a user visits a website, and their personal information is broadcast to hundreds of marketers who bid in a near-instant auction to get their ad in front of that specific website visitor.

U.S. advertisers spent an estimated $23.5 billion on the tactic last year, up from $6.4 billion in 2014.

“It includes inferences on your sexuality, your religion, what you’re reading and unique identification codes as specific as your Social Security number,” Johnny Ryan, chief policy and industry relations at the private browser Brave, told the Senate Judiciary committee Tuesday. “This allows your data to be tied together by companies over time and built into a profile. They do this to find out what makes you tick, as well as anyone you know. And this happens billions of times a day. It’s happening right now.”


The specific security vulnerabilities in real-time bidding are beginning to emerge.

Twitter last week reported an incident in which a “bug” in its iOS app caused user location data to be shared with an advertising partner. Brave, led by Ryan, filed its own GDPR complaint in September arguing to Ireland’s Data Protection Commissioner that the process violates the law by exposing unwitting users’ information to advertisers whenever they visit a website.

“A data breach occurs because this broadcast, known as an ‘bid request’ in the online industry, fails to protect these intimate data against unauthorized access,” the company said in a blog post. “Under the GDPR this is unlawful.”

The Interactive Advertising Bureau, which provides legal support to the ad industry, has denied any wrongdoing.

The issue was briefly raised during a Senate Judiciary committee hearing Tuesday, in which witnesses shared expertise on a possible federal data protection law, and antitrust enforcement in Silicon Valley.


An effective privacy regulation and stronger antitrust enforcement on Facebook, Google and Twitter, experts said, would result in more transparency and consumer choice. If other social media sites and search engines held more market share, the logic goes, web users would have the option to switch to a different service with stronger privacy provisions.

“The free service sounds good until you realize you’re actually working for a platform by giving them your data,” said Dr. Fiona Scott Morton, an economist at the Yale School of Management.

“The lack of competition in this space leads to very high prices for these ads and very low prices for the content that pulls people online,” she said “That enormous wedge is not socially efficient because its causing platforms to invest a lot in this space in targeting ads rather than, say, investment in good content that was receiving a competitive price.”

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts