Skip to main content

by Sonia Intonti

Open Real Time Bidding: what does this “openness” imply for our privacy?

Especially in circumstances like the one we all are living right now (to be read as “the whole world”) due to the coronavirus pandemic, what happens online becomes now even more crucial for everyone’s life, for at least two reasons: first, because we all are spending a lot more time connected to internet than ever before[1], and second, because internet suddenly became the only way through which we can get to know what’s happening outside.  

So, especially during periods like this, we all need to pay more attention and have a more critical attitude to anything we have given online, and maybe we could start by trying to understand “why is this post/video being shown to me?”.

Well, let’s start by trying to understand a small segment of one of the processes that leads a certain content to our display by digging into the “Open Real Time Bidding” (Open RTB) and the related privacy issues.

As the name already suggests, “Open RTB” defines the automated auctions online that begins in the same moment a web page or an app (whose owners are called “Publishers”) is loaded by an individual (“user”), and it concerns the adv spaces reserved to advertisements (entitled to the so called “Advertisers”) within the web page/app. 

In fact, once the user logs in, all the tracking technologies (e.g. cookies) that may be used by the Publisher to collect information about its audience, give shape to the so-called “bid request”. This bid request is sent by Publishers’ servers to the Advertisers participating in the auction, which are often not identifiable in advance, so that they can make their bid based on the compatibility of the user profile contained in the bid request with their expectations. In the end, only the highest bid will win the auction and be shown to that particular user. 

Because of the sheer volume of Publishers, however, there was initially a lot of unsold adv spaces. This called for a more efficient and proficient way of doing business and going about selling these adv spaces through the so-called Ad Exchanges, created to make trading easier and quicker, focused on selling the profiles of the individuals visiting the Publisher’s pages. Finally, to streamline the entire process and make it possible in 200 milliseconds, both Advertisers and Publishers respectively use Demand Side Platforms (DSPs) and Supply Side Platforms (SSPs)[2].

Cool! But what does it mean for the “user”? Where does his/her personal data end up and, above all, what personal data are we talking about?

According to one of the main protocols governing how data is collected and shared in this environment[3], the content of a bid request can vary, but most of the times it includes: user’s IP address, location, address, site behavior, data broker segment ID, if available. This last data could denote things like user’s age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc[4]

Indeed, it’s natural to deduce that the more detailed the bid request is the higher would be the Advertisers’ awareness about the individual that is visiting the page and so their bid to win the adv space. In some cases, this means sharing also special categories of personal data (more commonly known as sensitive data) of the user, for which greater protection is required[5].

Under the current legal framework supported by the EU Regulation 679/2016 (“GDPR”) on privacy and data protection, any data controller “shall be responsible for, and be able to demonstrate compliance with[6] the GDPR. Given that the data controller is the natural or legal person (…) which determines the purposes and means of the processing of personal data, the duties explained below affect both the Publisher’s and the Advertiser’s side.

Lawfulness, fairness and transparency

The first clear principle under the Art. 5 of GDPR imposes that any information and communication relating to the processing of personal data given to data subjects should be easily accessible and easy to understand, and that clear and plain language should be used[7]. Moreover, article 13 of GDPR requires that information about any recipients of those data are given to data subjects, either by indicating their specific identity or the belonging category. Given the complexity and opacity of the Open RTB ecosystem, proven by the fact that most of the players ignore how the Open RTB actually works due to the unaffordable text of most of the protocols which aim to address the RTB players behavior, Publishers that join the system cannot always provide the information required, particularly as they sometimes do not even know with whom the data will be shared[8].

Added to adequate information, a data controller has to find a legal basis which justifies the data processing, and for the nature and the scope of the Open RTB, the only adequate legal basis seems to be the data subject’s consent. In fact, what also rules out the use of the legitimate interest as legal basis[9] is that the same purpose could be pursued by a less intrusive[10] processing for users and so failing one requirement to base a data processing on Art. 6(1)(f) GDPR. 

However, whenever a data controller would base the data processing on the user’s consent under Art. 6(1)(a) GDPR, it’s necessary that certain specific requirements are met: the consent must be informed, free, expressed through a positive action of the data subject, granular and revocable. For this reason, it is considered quite difficult for a Publisher to obtain legitimate and therefore adequate consent to justify the processing. For example, a consent collected through a single button “I agree” through which the data controller is willing to process the data gathered for various purposes including profiling on his own and  the communication of this data to partners and/or Advertisers (to allow the latter to carry out their own profiling), it’s deemed unlawful under the GDPR. Likewise, it cannot be considered legitimate to use a “customize” button where the individual purposes (e.g. profiling and communication) are already pre-selected by default to “true”[11]

Finally, for the consent to be legitimately given by the data subject and in general for the processing to be lawfully set by the data controller, the latter shall in any case give information about and guarantee the exercise of data subjects’ rights under Articles 15 to 22. In this particular environment of Open RTB, this would imply, among other things, that the data controller, if requested, should be able to delete the data subject’s personal data and obtain their deletion by the recipients of such data. 

[1] Independent, “UK coronavirus lockdown has led daytime internet usage to more than double, virgin media says”, March 25th, 2020.

[2] IAB Europe, The advent of RTB, 4 April 2017

 “This is what that real-time bidding thingamajig from the first paragraph actually is. Imagine machines into which you input a series of criteria (such as the size, shape colour and weight of the fruit you want from the convenience store for today) and it does the rest, buying (if you’re the Advertiser) what you need in the blink of an eye.”-

[3] IAB Europe, “Transparency & Consent Framework – Policies”, 25 April 2018. The IAB is the standards body and trade lobby group of the global advertising technology industry.  

[4] IAB (2017), Content Taxonomy v2.0, available at:

[5] UK Information Commissioner’s Office, Update report into adtech and real time bidding, 20 June 2019 (p. 16)

[6] “Principle of accountability” under Art. 5 (2) of GDPR

[7] Any processing of personal data should be lawful and fair. 2It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. 3The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. 4That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed […]” (cfr.recital 39 GDPR)

[8] UK Information Commissioner’s Office, Update report into adtech and real time bidding, 20 June 2019

[9] The other legal bases foreseen by Art. 6 GDPR are not applicable.

[10] Johnny Ryan, Report from Johnny Ryan – Behavioral advertising and personal data, 2018

[11] Significant is the decision of the French Data Protection Authority (CNIL), which recently sanctioned the company Vectuary for not having obtained the consent of data subjects legitimately, collecting different purposes in a single option and presenting an ambiguous and therefore non-transparent language. (CNIL) Décision n° MED 2018-042 du 30 octobre 2018 mettant en demeure la société VECTAURY.