The Mechanics of Real-Time Bidding

When we open a webpage, we are all familiar with the pop-up banners in the corners, displaying ads for our favorite clothing brands or the latest video games. Do you ever wonder how those ads that often look way too personalized sneak into your browser? The reality is that behind the scenes, advertisers are competing in a split-second race to grab your attention, all based on the data collected about your browsing habits through a mechanism called Real-Time Bidding ("RTB"). 

Here’s how it works: When a user visits a website, an ad exchange collects various data points—IP addresses, browsing history, location, and interests—before sending them to potential advertisers for bidding. Ad tech companies are intermediaries that process this data at scale, ensuring that the highest bidder wins the opportunity to display their ad. The entire transaction takes place within 100 milliseconds, rendering it virtually invisible to users.

While RTB enables precise targeting and higher efficiency for advertisers, the model is fundamentally built on the mass collection and dissemination of user data—often without meaningful consent or safeguards. This has placed RTB at odds with Europe’s General Data Protection Regulation ("GDPR"), setting the stage for significant regulatory and legal challenges faced by the ad tech industry at large.

GDPR Compliance and RTB’s Troubling Violations

The GDPR is Europe’s privacy law designed to protect data privacy and security. It mandates strict conditions for the collection, processing, and storage of personal information. The RTB system presents two major issues that risk violating the GDPR:

  1. Lack of Meaningful User Consent

Under Article 6 of the GDPR, personal data processing requires a lawful basis—explicit user consent in the context of digital advertising. This means users must actively opt in to data collection, with full knowledge of how their information will be used.

However, RTB operates in a manner that is fundamentally incompatible with this requirement. User data is collected and shared with thousands of third parties in the ad auction, often without explicit or informed consent. Even where consent mechanisms (such as cookie banners) exist, they frequently rely on misleading designs that nudge users into accepting tracking without fully understanding the implications.

The 2019 complaint filed by privacy advocate Johnny Ryan against Google’s RTB system highlighted how Google was inferring user consent instead of explicitly obtaining it, which potentially violated Article 6 of the GDPR. At the center of this issue was Google’s user consent practice, adopted from IAB Europe’s Transparency & Consent Framework ("TCF")—a system designed to standardize consent collection across the RTB ecosystem. In 2022, Belgium’s Data Protection Authority ("APD") ruled that the TCF itself was unlawful, reinforcing the claim that RTB, as it currently operates, does not comply with GDPR’s strict consent requirements.

  2. Insufficient Data Security and Unchecked Data Dissemination

Data security is another cornerstone of GDPR compliance. Article 5(1)(f) mandates that personal data must be processed in a manner ensuring appropriate security, including protection against unauthorized access and data leaks.

RTB poses serious problems in relation to data security, as each bid request includes a huge amount of personal data—often sent to hundreds or thousands of entities without meaningful restrictions on how that data is stored or further shared. RTB thus effectively broadcasts user information to an opaque web of advertisers, data brokers, and ad exchanges.

Michael Veale and Frederik Zuiderveen Borgesius’s 2021 paper highlighted the systemic lack of control over how RTB data is handled: first, users have no visibility into how many third parties receive their data; second, ad tech companies lack mechanisms to track how data is used after it is shared; third, regulators also lack the ability to audit the use of data due to the complexity of RTB. RTB’s vast and uncontrolled data-sharing model makes compliance with GDPR’s security and accountability principles virtually impossible.

The Road Ahead: Can Ad Tech Align RTB with GDPR?

With GDPR enforcement intensifying, ad tech companies face a stark choice: adapt or face extinction in European markets. Several strategies could help RTB align with GDPR’s principles while preserving the core of programmatic advertising.

One potential solution is to shift away from behavioral targeting and adopt contextual advertising. The traditional behavioral targeting model relies on heavy tracking of user-specific data so that individual purchasing behaviors could be accurately predicted. The contextual advertising model, in contrast, analyzes webpage content rather than personal data. Therefore, the latter ensures that ads remain relevant without violating privacy laws.

Emerging initiatives also propose differential privacy and on-device processing to minimize the volume of user data transmitted in bid requests. Google’s Privacy Sandbox initiative, for example, terminated the use of third-party cookies in Chrome and replaced them with new technologies that allow advertisers to target users without exposing individual identities, a response to the growing regulatory scrutiny under GDPR.
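
To make the contrast between a behavioral and a contextual bid request concrete, here is an added example (not code from any ad exchange or from the sources cited above) of a filter an exchange could apply before broadcasting a request. The field names follow OpenRTB 2.x conventions, which is an assumption since this article names no wire format, and the sample request and the helper names are constructed for illustration.

```python
import copy
import ipaddress
from urllib.parse import urlsplit

# Constructed sample; field names follow OpenRTB 2.x conventions (an assumption:
# the article names no wire format). All values are made up.
SAMPLE = {
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
    "site": {"page": "https://news.example/sports/cycling-review?ref=nl-4411",
             "cat": ["IAB17"], "keywords": "cycling,helmets"},
    "device": {"ip": "203.0.113.77", "ifa": "00000000-aaaa-bbbb-cccc-000000000001",
               "geo": {"lat": 50.84673, "lon": 4.35247, "country": "BEL"}},
    "user": {"id": "u-9f3c", "buyeruid": "b-771", "keywords": "health,loans",
             "data": [{"name": "segments", "segment": [{"id": "123"}]}]},
}

# Fields that identify or profile the person rather than describe the page.
PERSONAL_PATHS = ("user.id", "user.buyeruid", "user.keywords", "user.data",
                  "device.ifa", "device.geo.lat", "device.geo.lon")

def _get(node, path):
    """Follow a dotted path through nested dicts; None if any part is missing."""
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def personal_fields(req):
    """Return the PERSONAL_PATHS that are present in a bid request."""
    return [p for p in PERSONAL_PATHS if _get(req, p) is not None]

def truncate_ip(ip):
    """Zero the host bits: keep a /24 for IPv4 and a /48 for IPv6."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def to_contextual(req):
    """Build a new request from an allowlist, so unknown fields are dropped too."""
    site = req.get("site", {})
    out = {"id": req["id"], "imp": copy.deepcopy(req["imp"]),
           "site": {k: copy.deepcopy(site[k]) for k in ("cat", "keywords") if k in site}}
    if "page" in site:  # query strings and fragments can carry identifiers
        out["site"]["page"] = urlsplit(site["page"])._replace(query="", fragment="").geturl()
    dev = req.get("device", {})
    slim = {"ip": truncate_ip(dev["ip"])} if "ip" in dev else {}
    if dev.get("geo", {}).get("country"):
        slim["geo"] = {"country": dev["geo"]["country"]}
    if slim:
        out["device"] = slim
    return out
```

Truncating the IP address coarsens it but does not by itself make the request anonymous. Building the outgoing request from an allowlist, rather than deleting known identifiers, is what keeps newly introduced fields from being broadcast by default.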

Conclusion

Real-Time Bidding has long been a core mechanism of digital advertising, but GDPR is forcing a reckoning. Facing a growing number of data privacy lawsuits, the ad tech industry must rethink its approach to the process of collecting and using data for advertising purposes. The future of digital advertising belongs to the ad tech companies that can devise innovative solutions to balance privacy with profitability, ensuring that digital advertising evolves without infringing upon user rights.