@johnnyryan
RTB
[Figure, built up over successive slides: RTB data flow. Parties: Visitor, Site, Supply-side platform (SSP), Ad Exchange, Demand-side platform (DSP), Data management platform (DMP), Marketer ($), arranged between a “Supply side” and a “Demand side”. Flows added slide by slide: Store data, Request segment, Deliver segment, Request page, Serve page, Ad request, Cookie to SSP, Request bid, Deliver ad, Sync. Annotations: “(one or many)”, “(10s or 100s or 1000s?)”.]
[Figure, built up over successive slides: The Daily Bugle, four Exchanges and many DSPs around an ADVERTISEMENT slot marked with question marks.]
Example
Vectaury: a small DSP/DMP/trading desk in France. €3.5M annual turnover in 2017 (though subsequently won a €20M investment).
French regulator caught it with 68 million illegal RTB records.
Is 68 million just 30%? Then this small company was sent personal data ¼ BILLION times via RTB (in just one year).
DATA LEAKAGE IN ONLINE ADVERTISING
This is the current process of real-time bidding that is used in online behavioural advertising.
Legend: Money; Channel of data leakage
Step 1. User requests webpage
Step 2. Ad server selects an SSP
Step 3. SSP selects an exchange
Step 4. Exchange sends bid requests to hundreds of partners
Step 5. Exchange lets some DMPs/DSPs refresh cookie sync
Step 6. Exchange serves winning bid
Step 7. DSP serves agency creative
Step 8. Assets load from CDN
Step 9. Agency ad server loads verification vendor
[Figure labels: website.com (ad server javascript, SSP javascript, DSP javascript, agency ad server javascript, verification javascript, AD), Ad server, SSP, Ad exchange, DSPs, DMPs, Winning bid, Winning DSP, Agency ad server, CDN, Verification vendor, MARKETERS.]
What’s in a bid request?
IAB OpenRTB / Google Authorized Buyers
The website this specific person is currently viewing
Various ID codes that identify this specific person, and can tie them to existing profiles
Distinctive characteristics of this specific person
This specific person’s IP address
Distinctive information about this specific person’s device
This young woman’s GPS coordinates!
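The categories above, mapped onto fields of an OpenRTB 2.x bid request. This is an added example, not part of the original slides: a small audit that reports which of the listed categories a bid request carries, and a minimisation step that strips them before the request leaves the exchange. The sample request is constructed, the field paths are taken from the IAB OpenRTB 2.5 object model, and the choice of which categories to keep is an assumption.

```python
import copy
import json

# Slide category -> OpenRTB 2.5 field paths (dotted) that carry it.
CATEGORIES = {
    "website being viewed": ["site.page", "site.domain", "site.ref", "app.bundle"],
    "ID codes": ["user.id", "user.buyeruid", "device.ifa",
                 "device.didsha1", "device.dpidsha1"],
    "personal characteristics": ["user.yob", "user.gender",
                                 "user.keywords", "user.data"],
    "IP address": ["device.ip", "device.ipv6"],
    "device information": ["device.ua", "device.make", "device.model",
                           "device.os", "device.osv", "device.language"],
    "GPS coordinates": ["device.geo.lat", "device.geo.lon",
                        "user.geo.lat", "user.geo.lon"],
}

# Constructed sample bid request (all values are made up).
SAMPLE = json.loads("""
{
  "id": "constructed-auction-1",
  "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
  "site": {"domain": "dailybugle.example",
           "page": "https://dailybugle.example/health/article"},
  "device": {"ua": "Mozilla/5.0 (constructed)", "ip": "203.0.113.7",
             "make": "ExampleCo", "model": "X1", "os": "Android",
             "ifa": "00000000-0000-4000-8000-000000000000",
             "geo": {"lat": 48.8566, "lon": 2.3522}},
  "user": {"id": "constructed-user-id", "buyeruid": "constructed-buyer-id",
           "yob": 1990, "gender": "F"}
}
""")


def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _delete(obj, path):
    """Remove the leaf named by a dotted path, if it exists."""
    keys = path.split(".")
    for key in keys[:-1]:
        obj = obj.get(key)
        if not isinstance(obj, dict):
            return
    obj.pop(keys[-1], None)


def audit_bid_request(req):
    """Return {category: [field paths that are present and non-empty]}."""
    findings = {}
    for category, paths in CATEGORIES.items():
        present = [p for p in paths if _get(req, p) not in (None, "", [], {})]
        if present:
            findings[category] = present
    return findings


def minimise(req, keep=("website being viewed",)):
    """Return a copy of req with every audited field removed, except the
    categories named in keep (assumption: page context is retained so that
    contextual ads can still be bought)."""
    out = copy.deepcopy(req)
    for category, paths in CATEGORIES.items():
        if category in keep:
            continue
        for path in paths:
            _delete(out, path)
    return out


if __name__ == "__main__":
    for label, request in (("as broadcast", SAMPLE),
                           ("minimised", minimise(SAMPLE))):
        print(label)
        for category, fields in audit_bid_request(request).items():
            print(f"  {category}: {', '.join(fields)}")
```
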
Natural persons may be associated with
online identifiers … such as internet protocol
addresses, cookie identifiers or other
identifiers… This may leave traces which, in
particular when combined with unique
identifiers and other information received by
the servers, may be used to create profiles of
the natural persons and identify them.
GDPR, Recital 30
“broadcast”
Real-time bidding bid requests per day
Index Exchange: 50 billion [1]
OpenX: 60 billion [2]
Rubicon Project: Unknown, 1 billion people’s devices [3]
PubMatic: 70 billion [4]
Oath/AOL: 90 billion [5]
AppNexus: 131 billion [6]
Smaato: 214 billion [7]
Google: Unknown, live on 8.4 million websites [8]
1. “Tour IX’s Amsterdam and Frankfurt Data Centers”, Index Exchange, 2 July 2018 (URL: https://www.indexexchange.com/tour-ix-amsterdam-frankfurt-data-centers/).
2. “OpenX Ad Exchange”, OpenX (URL: https://www.openx.com/uk_en/products/ad-exchange/).
3. “Buyers”, Rubicon Project (URL: https://rubiconproject.com/buyers/).
4. “How PubMatic Is Learning Machine Learning”, PubMatic, 25 January 2019 (URL: https://pubmatic.com/blog/learning-machine-learning/).
5. “Maximize yield with Oath's publisher offerings”, Oath, 3 April 2018 (URL: https://www.oath.com/insights/maximize-yield-with-oath-s-publisher-offerings/).
6. 500 Billion / 29.6 = 18.6 billion impressions per day. Using AppNexus 1:11.5 ratio, this is 214 auctions per day. 500+ impressions figure cited in “Optimize your mobile strategy”, Smaato (URL: https://www.smaato.com/).
7. “Transacting at a peak of 11.4 billion daily impressions, our marketplace handles more traffic each day than Visa, Nasdaq, and the NYSE combined” at https://www.appnexus.com/sell. Note that in 2017, AppNexus said in “AppNexus Scales with DriveScale”, 2017 (URL: http://go.drivescale.com/rs/451-ESR-800/images/DRV_Case_Study_AppNexus-final.v1.pdf) that 10.7 billion "impressions transacted" came as a result of running 123 billion auctions. The impressions transacted to auctions ratio appears to be roughly 1:11.5. Therefore, the 11.4 daily impressions reported in 2018 equates to 131 billion auctions per day.
8. DoubleClick.Net Usage Statistics (URL: https://trends.builtwith.com/ads/DoubleClick.Net).
The biggest
Hundreds of billions
of data leaks a day.
(The biggest data breach yet recorded)
Everybody you
have ever known
OK
Security
“Surfacing thousands of vendors with broad rights to use data w/out tailoring those rights may be too many vendors/permissions”
Highlighted: “thousands of vendors”
“Publishers recognize there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad…”
Highlighted: “there is no technical way to limit the way data is used after”
“pubvendors.json v1.0: Transparency & Consent Framework”, IAB, May 2018

“The MO may adopt procedures for periodically reviewing and verifying a Vendor’s compliance with the Policies.”
Highlighted: “may adopt”
MO: Management Organisation (the IAB)
“Transparency & Consent Framework Policies, 2019-08-21.3”, IAB, August 2019

“must not: (i) use callout data ... to create user lists or profile users; (ii) associate callout data ... with third party data...”
“Buyer will regularly monitor your compliance with this obligation, and immediately notify Google in writing if Buyer can no longer meet … this obligation...”
Highlighted: “Buyer will”
“Authorized Buyers Programme Guidelines”, Google, August 2018
GDPR, Article 5 (1)
(f) processed in a manner that ensures
appropriate security of the personal data,
including protection against unauthorised or
unlawful processing and against accidental
loss, destruction or damage, using
appropriate technical or organisational
measures (‘integrity and confidentiality’).
EU privacy regulators are like “ents”.
Terrifying, once awoken.
We list our concerns - that the creation and sharing of personal data profiles
about people, to the scale we’ve seen, feels disproportionate, intrusive and
unfair, particularly when people are often unaware it is happening.
We outline that one visit to a website, prompting one auction among
advertisers, can result in a person’s personal data being seen by hundreds of
organisations, in ways that suggest data protection rules have not been
sufficiently considered.
Our report will be passed to the adtech sector for their response. We are
clear about the areas where we have initial concerns, and we expect to see
change. But we understand this is an extremely complex market involving
many organisations and many technologies. We want to take a measured
and iterative approach, before undertaking a further industry review in six
months’ time.
With that in mind, we’ll continue engaging with the sector, further exploring
the data protection implications of the real time bidding system. We’ll
continue collaborating with Data Protection Authorities in other European
countries too, who are also looking at complaints in this area.
Innovation in technology has the potential to enhance all of our lives. The
internet is central to that, and we understand that advertisements fund much
of what we enjoy online. We understand the need for a system that allows
revenue for publishers and audiences for advertisers. We understand a need
for the process to happen in a heartbeat. Our aim is to prompt changes that
reflect this reality, but also to ensure respect for internet users’ legal rights.
The rules that protect people’s personal data must be followed. Companies
do not need to choose between innovation and privacy.
Elizabeth Denham
Information Commissioner
Information Commissioner’s Office
Update report into adtech and real time bidding
20 June 2019
one visit to a website, prompting one
auction among advertisers, can result in
a person’s personal data being seen by
hundreds of organisations, in ways that
suggest data protection rules have not
been sufficiently considered. page 4
4 Summary and conclusions
Overall, in the ICO’s view the adtech industry appears immature in its
understanding of data protection requirements. Whilst the automated
delivery of ad impressions is here to stay, we have general, systemic
concerns around the level of compliance of RTB:
1. Processing of non-special category data is taking place unlawfully at
the point of collection due to the perception that legitimate interests
can be used for placing and/or reading a cookie or other technology
(rather than obtaining the consent PECR requires).
2. Any processing of special category data is taking place unlawfully as
explicit consent is not being collected (and no other condition applies).
In general, processing such data requires more protection as it brings
an increased potential for harm to individuals.
3. Even if an argument could be made for reliance on legitimate interests,
participants within the ecosystem are unable to demonstrate that they
have properly carried out the legitimate interests tests and
implemented appropriate safeguards.
4. There appears to be a lack of understanding of, and potentially
compliance with, the DPIA requirements of data protection law more
broadly (and specifically as regards the ICO’s Article 35(4) list). We
therefore have little confidence that the risks associated with RTB have
been fully assessed and mitigated.
5. Privacy information provided to individuals lacks clarity whilst also
being overly complex. The TCF and Authorized Buyers frameworks are
insufficient to ensure transparency and fair processing of the personal
data in question and therefore also insufficient to provide for free and
informed consent, with attendant implications for PECR compliance.
6. The profiles created about individuals are extremely detailed and are
repeatedly shared among hundreds of organisations for any one bid
request, all without the individuals’ knowledge.
7. Thousands of organisations are processing billions of bid requests in
the UK each week with (at best) inconsistent application of adequate
technical and organisational measures to secure the data in transit and
at rest, and with little or no consideration as to the requirements of
data protection law about international transfers of personal data.
8. There are similar inconsistencies about the application of data
minimisation and retention controls.
9. Individuals have no guarantees about the security of their personal
data within the ecosystem.
The TCF and Authorized Buyers
frameworks are insufficient to ensure
transparency and fair processing of the
personal data in question and therefore
also insufficient to provide for free and
informed consent… page 23
suspected infringement
RTB
MARKET
PROBLEMS
How RTB data leakage supports untrustworthy websites
Step 1. User “John” visits The Daily Bugle
Step 2. Bid request broadcasts personal data about John
Step 3. 100s of companies in the ad auction can now re-identify John as a Daily Bugle reader
Step 4. The Daily Bugle is paid €1 to show ad to John (€1 advertisement)
Step 5. Later, John visits a low quality website (De5troyTru5t.com)
Step 6. Bid request announces John is here
Step 7. De5troyTru5t.com is paid €0.01 to show ad to John (€0.01 advertisement)
Worthy sites lose their unique audience, and feed a business model for the bottom of the Web.
How RTB enables fraudsters to steal from publishers and advertisers.
Step 1. A bot masquerading as a human visits The Daily Bugle
Step 2. Bid request broadcasts personal data about Bot
Step 3. 100s of companies in the ad auction can now re-identify Bot as a Daily Bugle reader
Step 4. The Daily Bugle is paid €1 to show ad (€1 advertisement)
Step 5. Later, an untrustworthy website (De5troyTru5t.com) buys bot traffic
Step 6. Bid request announces Bot is here
Step 7. De5troyTru5t.com is paid €0.01 to show ad to Bot (€0.01 advertisement)
[Figure labels: the Bot visitor is marked “Fake” on both sites.]
MARKET OVERVIEW (NOW)
PERSONAL DATA IN IAB / GOOGLE RTB
[Figure: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site, under the headings Buyer, Distribution, Seller.]
Extracts 70-55% of buyer’s media budget.
Unique audience commodified and arbitraged.
Untrustworthy sites business model enabled.
Bot fraud boosted.
Victims of massive fraud. 2019 estimates range from $5.7B (ANA) - $42B (Juniper Research).
70% figure from the Guardian and Rubicon case in 2017. 55% figure from “The Programmatic Supply Chain: Deconstructing the Anatomy of a Programmatic CPM”, IAB, March 2016.

MARKET OVERVIEW (POST-FIX)
NON-PERSONAL DATA IN IAB / GOOGLE RTB
[Figure: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site, under the headings Buyer, Distribution, Seller.]
Extracts much lower % of buyer’s media budget.
Unique audience becomes immune to commodification and arbitrage.
No opportunity for untrustworthy sites.
Bot fraud reduced.
Bot fraud opportunity reduced.
Marketer risk from programmatic advertising
[Diagram: Brands. Marketer ($), Agency, DMP, DSP, Ad Exchanges, SSPs, Publishers]
Legend: Money; Channel of data leakage; Shared liability under GDPR Article 82
Data protection-free zone
Personal data widely broadcast in “RTB” bid requests
Insurer and reinsurer risk?
-GDPR, Article 4 (7)
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

European Court of Justice, 10 JULY 2018
European Court of Justice, 5 JUNE 2018

-GDPR, Article 82 (2)
Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

Data protection impact assessments

-GDPR, Article 35 (1)
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

-GDPR, Article 35 (3)
…shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or …

-GDPR, Article 36 (1)
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Document: The EU’s proposed new cookie rules 

Author: IAB Europe
Date: June 2017
MODELS

Conventional “Broadcast” Behavioral
• What you are reading, or watching, or listening to.
• Categories of the content.
• Unique pseudonymous ID.
• Unique ID matched to ad buyer’s existing profile of you.
• Your location (can be your exact latitude and longitude).
• Granular description of your device.
• Unique tracking IDs / cookie match.
• Highly specific timestamp.
• Your IP address.*
• Data broker segment ID* when available.
*Depending on the version of “real time bidding” system

Reduced data “Broadcast” Behavioral?
• What you are reading, or watching, or listening to.
• Categories of the content.
• Your approximate location.
• General description of your device.
• Your approximate IP address.
• Impression ID for buyer transparency.
Person in Dublin (South Dublin) is reading an article about data law on IrishTimes.com. Using Safari on an iPhone X or higher.
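An added example, not part of the presentation: the "reduced data" list above applied to an OpenRTB-style bid request, with an audit that reports which items from the conventional list are still present. The mapping of slide items to OpenRTB 2.x field names, the /24 and /48 truncation lengths, and the sample request are assumptions made for this example.

```python
"""Reduce an OpenRTB-style bid request to the "reduced data" field set."""
import ipaddress


def truncate_ip(ip, v4_prefix=24, v6_prefix=48):
    """Zero the host part of an address, giving an approximate IP address."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def _pick(obj, keys):
    """Copy only the allow-listed keys that are present."""
    return {k: obj[k] for k in keys if k in obj}


def reduce_bid_request(req):
    """Build a new request from an allow-list; anything not named is dropped.

    Dropped as a result: the whole user object (IDs, buyer-matched IDs,
    data broker segments), device.ifa, device.ua, exact lat/lon and every
    exchange-specific ext object.
    """
    device = req.get("device", {})
    geo = device.get("geo", {})

    # General description of the device, not a granular one.
    reduced_device = _pick(device, ("devicetype", "make", "os"))
    for key in ("ip", "ipv6"):
        if key in device:
            reduced_device[key] = truncate_ip(device[key])
    # Approximate location: named place only, no coordinates.
    approx_geo = _pick(geo, ("country", "region", "city"))
    if approx_geo:
        reduced_device["geo"] = approx_geo

    return {
        "id": req.get("id"),
        # Impression ID is kept for buyer transparency.
        "imp": [_pick(imp, ("id", "banner")) for imp in req.get("imp", [])],
        # What is being read and its content categories.
        "site": _pick(req.get("site", {}), ("domain", "page", "cat")),
        "device": reduced_device,
    }


def audit(req):
    """List fields from the conventional list that are present in req."""
    findings = []
    user = req.get("user", {})
    device = req.get("device", {})
    geo = device.get("geo", {})
    findings += [f"user.{k}" for k in ("id", "buyeruid", "data") if k in user]
    findings += [f"device.{k}" for k in ("ifa", "ua") if k in device]
    if "lat" in geo or "lon" in geo:
        findings.append("device.geo.lat/lon")
    for key in ("ip", "ipv6"):
        if key in device and truncate_ip(device[key]) != device[key]:
            findings.append(f"device.{key} (full address)")
    return findings


# Constructed sample request; every value below is made up for illustration.
SAMPLE = {
    "id": "auction-0001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}, "ext": {"x": 1}}],
    "site": {
        "domain": "news.example",
        "page": "https://news.example/law/data-protection-ruling",
        "cat": ["IAB11"],
    },
    "user": {
        "id": "exchange-user-7f3a",
        "buyeruid": "buyer-profile-91c2",
        "data": [{"name": "broker.example", "segment": [{"id": "seg-42"}]}],
    },
    "device": {
        "ua": "Mozilla/5.0 (constructed user agent string)",
        "ip": "203.0.113.77",
        "ifa": "00000000-0000-0000-0000-000000000000",
        "devicetype": 4,
        "make": "Apple",
        "os": "iOS",
        "osv": "13.1.2",
        "geo": {"lat": 53.3498, "lon": -6.2603, "country": "IRL",
                "city": "Dublin"},
    },
}

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(reduce_bid_request(SAMPLE)))
```

Because the reduced request is built from an allow-list rather than by deleting known identifiers, a field added to the incoming request later is dropped by default.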
“Local” Behavioral
Private profiles. If you opt-in, the Browser builds a profile that stays private on the device. No one (including Brave) ever gets it.
Machine learning on the device decides what ad is shown, and when.
Perception
Regulatory incentive: CLEAN INDUSTRY
Regulatory disincentive: DIRTY INDUSTRY
Ads (Private) / Ads (Huge Data Breach)
[Image labels: N20, C02]
Average Click Through Rate
Google display: .46%
Facebook display: .9%
Google search: 1.91%
Brave: 14%
Sources: "Brave reaches 8 million monthly active users and delivers nearly 400 privacy-preserving ad campaigns", Brave, 16 October 2019 (URL: https://brave.com/brave-reaches-8-million-monthly-active-users-and-delivers-nearly-400-privacy-preserving-ad-campaigns/); "Average display advertising clickthrough rates", Smart Insights, 10 September 2019 (URL: https://www.smartinsights.com/internet-advertising/internet-advertising-analytics/display-advertising-clickthrough-rates/); "Average click-through rate: average CTR calculator", WordStream (URL: https://www.wordstream.com/average-ctr); "Facebook Ad Benchmarks for your industry", WordStream, 27 August 2019 (URL: https://www.wordstream.com/blog/ws/2017/02/28/facebook-advertising-benchmarks).
1. RTB is the biggest data breach yet.
2. Its implications are profound: compromised elections, collapse of worthy media, mass surveillance…
3. DPIAs for advertisers should be keeping law firm billings healthy.
4. Adtech reform is possible and inevitable.
johnny@brave.com
For updates, sign up to Brave Insights, a mailing list for
analysts, researchers, and regulators at brave.com/insight/

Johnny Ryan, Presentation at Data Protection Leadership Day, Arthur Cox Solicitors, Dublin

  • 2.
  • 3.
  • 4.
    “Demand side” “Supplyside” $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform (DSP) Data management platform (DMP) Marketer Ad Exchange
  • 5.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Store data “Demand side” “Supply side”
  • 6.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Request segment Store data “Demand side” “Supply side”
  • 7.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Request segment Deliver segment Store data “Demand side” “Supply side”
  • 8.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Request page Request segment Deliver segment Store data “Demand side” “Supply side”
  • 9.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request segment Deliver segment Store data “Demand side” “Supply side”
  • 10.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request segment Deliver segment Ad request Store data “Demand side” “Supply side”
  • 11.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request segment Cookie to SSP Deliver segment Ad request Store data “Demand side” “Supply side”
  • 12.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request segment Request bid Cookie to SSP Deliver segment Ad request Store data “Demand side” “Supply side” (one or many)
  • 13.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request bid Request segment Request bid Cookie to SSP Deliver segment Ad request Store data “Demand side” “Supply side” (one or many) (10s or 100s or 1000s?)
  • 14.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request bid Request segment Request bid Cookie to SSP Deliver ad Deliver segment Ad request Store data “Demand side” “Supply side” (one or many) (10s or 100s or 1000s?)
  • 15.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request bid Request segment Request bid Cookie to SSP Deliver ad Deliver segment Sync Ad request Store data “Demand side” “Supply side” (one or many) (10s or 100s or 1000s?)
  • 16.
    $ /// VisitorSiteSupply-side platform (SSP) Demand-side platform(DSP) Data management platform (DMP) Marketer Ad Exchange Serve page Request page Request bid Request segment Request bid Cookie to SSP Deliver ad Sync Deliver segment Sync Ad request Store data “Demand side” “Supply side” (one or many) (10s or 100s or 1000s?)
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
    French regulator caughtit with 68 million illegal RTB records. Example Vectaury: a small DSP/DMP/ trading desk in France. €3.5M annual turnover in 2017 (though subsequently won a €20M investment). DSP
  • 26.
    Is 68 million just30%? Then this small company was sent personal data ¼ BILLION times via RTB (in just one year)
  • 27.
    website.com This is thecurrent process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 28.
    website.com This is thecurrent process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 29.
    Ad server website.com Ad server javascript Step1. User requests webpageThis is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 30.
    Ad server SSP Step2. Ad server selects an SSP website.com Ad server javascript SSP javascript Step 1. User requests webpageThis is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 31.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange website.com Ad server javascript SSP javascript Step 1. User requests webpage Ad exchange This is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 32.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange MARKETERS website.com DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP Ad server javascript SSP javascript Step 1. User requests webpage Ad exchange Step 4. Exchange sends bid requests to hundreds of partners This is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 33.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange MARKETERS website.com Winningbid Ad server javascript SSP javascript Step 1. User requests webpage Ad exchange Step 4. Exchange sends bid requests to hundreds of partners DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP This is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 34.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange MARKETERS website.com Winningbid Ad server javascript SSP javascript DMP DMP DMP DMP DSP DSP DSP DSP DSP Step 1. User requests webpage Ad exchange Step 4. Exchange sends bid requests to hundreds of partners Step 5. Exchange lets some DMPs/ DSPs to refresh cookie sync DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP This is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 35.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange MARKETERS website.com Winningbid Ad server javascript SSP javascript DMP DMP DMP DMP DSP DSP DSP DSP DSP DSP javascript Step 6. Exchange serves winning bid Winning DSP Step 1. User requests webpage Ad exchange Step 4. Exchange sends bid requests to hundreds of partners Step 5. Exchange lets some DMPs/ DSPs to refresh cookie sync DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP This is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 36.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange Step 7. DSP serves agency creative MARKETERS website.com Winningbid Ad server javascript SSP javascript DMP DMP DMP DMP DSP DSP DSP DSP DSP DSP javascript Ad server javascript Step 6. Exchange serves winning bid Agency ad server Winning DSP Step 1. User requests webpage Ad exchange Step 4. Exchange sends bid requests to hundreds of partners Step 5. Exchange lets some DMPs/ DSPs to refresh cookie sync DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP This is the current process of real-time bidding that is used in online behavioural advertising. Channel of data leakage Legend Money DATA LEAKAGE IN ONLINE ADVERTISING
  • 37.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange Step 7. DSP serves agency creative Step 8. Assets load from CDN MARKETERS website.com AD Winningbid Ad server javascript SSP javascript DMP DMP DMP DMP DSP DSP DSP DSP DSP DSP javascript Ad server javascript Step 6. Exchange serves winning bid Agency ad server Winning DSP Step 1. User requests webpage Ad exchange Step 4. Exchange sends bid requests to hundreds of partners Step 5. Exchange lets some DMPs/ DSPs to refresh cookie sync CDN DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP This is the current process of real-time bidding that is used in online behavioural advertising. DATA LEAKAGE IN ONLINE ADVERTISING Channel of data leakage Legend Money
  • 38.
    Ad server SSP Step2. Ad server selects an SSP Step 3. SSP selects an exchange Step 7. DSP serves agency creative Step 8. Assets load from CDN Step 9. Agency ad server loads verification vendor MARKETERS website.com AD Winningbid Ad server javascript SSP javascript DMP DMP DMP DMP DSP DSP DSP DSP DSP DSP javascript Ad server javascript Step 6. Exchange serves winning bid Verification javascript Agency ad server Verification vendor Winning DSP Step 1. User requests webpage Ad exchange Step 4. Exchange sends bid requests to hundreds of partners Step 5. Exchange lets some DMPs/ DSPs to refresh cookie sync CDN DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP DSP This is the current process of real-time bidding that is used in online behavioural advertising. DATA LEAKAGE IN ONLINE ADVERTISING Channel of data leakage Legend Money
  • 39.
  • 40.
    IAB OpenRTB GoogleAuthorized Buyers
  • 44.
    The website thisspecific person is currently viewing
  • 45.
    The website thisspecific person is currently viewing Various ID codes that identify this specific person, and can tie them to existing profiles
  • 46.
    The website thisspecific person is currently viewing Various ID codes that identify this specific person, and can tie them to existing profiles Distinctive characteristics of this specific person
  • 47.
    The website thisspecific person is currently viewing Various ID codes that identify this specific person, and can tie them to existing profiles Distinctive characteristics of this specific person Distinctive information about this specific person’s device
  • 48.
    The website thisspecific person is currently viewing Various ID codes that identify this specific person, and can tie them to existing profiles Distinctive characteristics of this specific person This specific person’s IP address Distinctive information about this specific person’s device
  • 49.
    The website thisspecific person is currently viewing Various ID codes that identify this specific person, and can tie them to existing profiles Distinctive characteristics of this specific person This specific person’s IP address Distinctive information about this specific person’s device Distinctive information about this specific person’s device
  • 50.
    The website thisspecific person is currently viewing Various ID codes that identify this specific person, and can tie them to existing profiles Distinctive characteristics of this specific person This specific person’s IP address Distinctive information about this specific person’s device Distinctive information about this specific person’s device This young woman’s GPS coordinates!
  • 51.
    Natural persons maybe associated with online identifiers … such as internet protocol addresses, cookie identifiers or other identifiers… This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. GDPR, Recital 30
  • 53.
  • 54.
    Index Exchange 50billion 1. “Tour IX’s Amsterdam and Frankfurt Data Centers”, Index Exchange, 2 July 2018 (URL: https://www.indexexchange.com/tour-ix-amsterdam-frankfurt-data-centers/). 2. "OpenX Ad Exchange", OpenX (URL: https://www.openx.com/uk_en/products/ad-exchange/). 3. “Buyers”, Rubicon Project (URL: https://rubiconproject.com/buyers/). 4. "How PubMatic Is Learning Machine Learning", PubMatic, 25 January 2019 (URL: https://pubmatic.com/blog/learning-machine-learning/) 5. "Maximize yield with Oath's publisher offerings", Oath, 3 April 2018 (URL: https://www.oath.com/insights/maximize-yield-with-oath-s-publisher-offerings/) 6. 500 Billion / 29.6 = 18.6 billion impressions per day. Using AppNexus 1:11.5 ratio, this is 214 auctions per day. 500+ impressions figure cited in “Optimize your mobile strategy”, Smaato (URL: https://www.smaato.com/). 7. “Transacting at a peak of 11.4 billion daily impressions, our marketplace handles more traffic each day than Visa, Nasdaq, and the NYSE combined” at https:// www.appnexus.com/sell. Note that in 2017, AppNexus said in “AppNexus Scales with DriveScale”, 2017 (URL: http://go.drivescale.com/rs/451-ESR-800/images/ DRV_Case_Study_AppNexus-final.v1.pdf) that 10.7 billion "impressions transacted" came as a result of running 123 billion auctions. The impressions transacted to auctions ratio appears to be roughly 1:11.5. Therefore, the 11.4 daily impressions reported in 2018 equates to 131 billion auctions per day. 8. DoubleClick.Net Usage Statistics (URL: https://trends.builtwith.com/ads/DoubleClick.Net). Real-time bidding bid requests per day OpenX 60 billion2 Rubicon Project Unknown, 1 billion people’s devices3 PubMatic 70 billion4 Oath/AOL 90 billion5 AppNexus 131 billion6 Smaato 214 billion7 Google Unknown, live on 8.4 million websites8 1 Index Exchange 50 billion The biggest
  • 55.
    Index Exchange 50billion 1. “Tour IX’s Amsterdam and Frankfurt Data Centers”, Index Exchange, 2 July 2018 (URL: https://www.indexexchange.com/tour-ix-amsterdam-frankfurt-data-centers/). 2. "OpenX Ad Exchange", OpenX (URL: https://www.openx.com/uk_en/products/ad-exchange/). 3. “Buyers”, Rubicon Project (URL: https://rubiconproject.com/buyers/). 4. "How PubMatic Is Learning Machine Learning", PubMatic, 25 January 2019 (URL: https://pubmatic.com/blog/learning-machine-learning/) 5. "Maximize yield with Oath's publisher offerings", Oath, 3 April 2018 (URL: https://www.oath.com/insights/maximize-yield-with-oath-s-publisher-offerings/) 6. 500 Billion / 29.6 = 18.6 billion impressions per day. Using AppNexus 1:11.5 ratio, this is 214 auctions per day. 500+ impressions figure cited in “Optimize your mobile strategy”, Smaato (URL: https://www.smaato.com/). 7. “Transacting at a peak of 11.4 billion daily impressions, our marketplace handles more traffic each day than Visa, Nasdaq, and the NYSE combined” at https:// www.appnexus.com/sell. Note that in 2017, AppNexus said in “AppNexus Scales with DriveScale”, 2017 (URL: http://go.drivescale.com/rs/451-ESR-800/images/ DRV_Case_Study_AppNexus-final.v1.pdf) that 10.7 billion "impressions transacted" came as a result of running 123 billion auctions. The impressions transacted to auctions ratio appears to be roughly 1:11.5. Therefore, the 11.4 daily impressions reported in 2018 equates to 131 billion auctions per day. 8. DoubleClick.Net Usage Statistics (URL: https://trends.builtwith.com/ads/DoubleClick.Net). Real-time bidding bid requests per day OpenX 60 billion2 Rubicon Project Unknown, 1 billion people’s devices3 PubMatic 70 billion4 Oath/AOL 90 billion5 AppNexus 131 billion6 Smaato 214 billion7 Google Unknown, live on 8.4 million websites8 1 Index Exchange 50 billion The biggest Hundreds of billions of data leaks a day. (The biggest data breach yet recorded)
  • 56.
  • 57.
  • 59.
  • 60.
    Surfacing thousands ofvendors with broad rights to use data w/out tailoring those rights may be too many vendors/permissions “ ” thousands of vendors “pubvendors.json v1.0: Transparency & Consent Framework”, IAB, May 2018
  • 61.
    Publishers recognize thereis no technical way to limit the way data is used after the data is received by a vendor for decisioning/ bidding on/after delivery of an ad… “ ” there is no technical way to limit the way data is used after Surfacing thousands of vendors with broad rights to use data w/out tailoring those rights may be too many vendors/permissions “ ” thousands of vendors “pubvendors.json v1.0: Transparency & Consent Framework”, IAB, May 2018
  • 62.
    The MO mayadopt procedures for periodically reviewing and verifying a Vendor’s compliance with the Policies. “Transparency & Consent Framework Policies, 2019-08-21.3” IAB, August 2019 “ ” may adopt Management Organisation (the IAB)
  • 63.
    “Authorized Buyers ProgrammeGuidelines”, Google, August 2018 “ ” must not: (i) use callout data ... to create user lists or profile users; (ii) associate callout data ... with third party data...
  • 64.
    Buyer will regularlymonitor your compliance with this obligation, and immediately notify Google in writing if Buyer can no longer meet … this obligation... “ ” “ ” must not: (i) use callout data ... to create user lists or profile users; (ii) associate callout data ... with third party data... Buyer will “Authorized Buyers Programme Guidelines”, Google, August 2018
  • 65.
    GDPR, Article 5(1) (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  • 66.
    EU privacy regulatorsare like “ents”. Terrifying, once awoken.
  • 67.
    4 We list ourconcerns - that the creation and sharing of personal data profiles ab e le, he cale e e ee , feel di i a e, i i e a d unfair, particularly when people are often unaware it is happening. We outline that one visit to a website, prompting one auction among ad e i e , ca e l i a e e al da a bei g ee b h d ed f organisations, in ways that suggest data protection rules have not been sufficiently considered. Our report will be passed to the adtech sector for their response. We are clear about the areas where we have initial concerns, and we expect to see change. But we understand this is an extremely complex market involving many organisations and many technologies. We want to take a measured and iterative approach, before undertaking a further industry review in six h i e. Wi h ha i i d, e ll c i e e gagi g i h he ec , f he e l i g the data protection im lica i f he eal i e biddi g e . We ll continue collaborating with Data Protection Authorities in other European countries too, who are also looking at complaints in this area. Innovation in technology has the potential to enhance all of our lives. The internet is central to that, and we understand that advertisements fund much of what we enjoy online. We understand the need for a system that allows revenue for publishers and audiences for advertisers. We understand a need for the process to happen in a heartbeat. Our aim is to prompt changes that reflect this reality, but also to ensure respect for i e e e legal igh . The le ha ec e le e al da a be f ll ed. C a ie do not need to choose between innovation and privacy. Elizabeth Denham Information Commissioner Information Commissioner’s Office Update report into adtech and real time bidding 20 June 2019
  • 68.
    4 We list ourconcerns - that the creation and sharing of personal data profiles ab e le, he cale e e ee , feel di i a e, i i e a d unfair, particularly when people are often unaware it is happening. We outline that one visit to a website, prompting one auction among ad e i e , ca e l i a e e al da a bei g ee b h d ed f organisations, in ways that suggest data protection rules have not been sufficiently considered. Our report will be passed to the adtech sector for their response. We are clear about the areas where we have initial concerns, and we expect to see change. But we understand this is an extremely complex market involving many organisations and many technologies. We want to take a measured and iterative approach, before undertaking a further industry review in six h i e. Wi h ha i i d, e ll c i e e gagi g i h he ec , f he e l i g the data protection im lica i f he eal i e biddi g e . We ll continue collaborating with Data Protection Authorities in other European countries too, who are also looking at complaints in this area. Innovation in technology has the potential to enhance all of our lives. The internet is central to that, and we understand that advertisements fund much of what we enjoy online. We understand the need for a system that allows revenue for publishers and audiences for advertisers. We understand a need for the process to happen in a heartbeat. Our aim is to prompt changes that reflect this reality, but also to ensure respect for i e e e legal igh . The le ha ec e le e al da a be f ll ed. C a ie do not need to choose between innovation and privacy. Elizabeth Denham Information Commissioner Information Commissioner’s Office Update report into adtech and real time bidding 20 June 2019 one visit to a website, prompting one auction among advertisers, can result in a person’s personal data being seen by hundreds of organisations, in ways that suggest data protection rules have not been sufficiently considered. page 4
  • 69.
    23 4 Summary andconclusions O e a , e ICO e he adtech industry appears immature in its understanding of data protection requirements. Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB: 1. Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires). 2. Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals. 3. Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards. 4. There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and spec f ca a e a d e ICO A c e 35(4) ). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated. 5. Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance. 6. The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the d d a knowledge. 7. 
Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data. 8. There are similar inconsistencies about the application of data minimisation and retention controls. 9. Individuals have no guarantees about the security of their personal data within the ecosystem. 4 We list our concerns - that the creation and sharing of personal data profiles ab e le, he cale e e ee , feel di i a e, i i e a d unfair, particularly when people are often unaware it is happening. We outline that one visit to a website, prompting one auction among ad e i e , ca e l i a e e al da a bei g ee b h d ed f organisations, in ways that suggest data protection rules have not been sufficiently considered. Our report will be passed to the adtech sector for their response. We are clear about the areas where we have initial concerns, and we expect to see change. But we understand this is an extremely complex market involving many organisations and many technologies. We want to take a measured and iterative approach, before undertaking a further industry review in six h i e. Wi h ha i i d, e ll c i e e gagi g i h he ec , f he e l i g the data protection im lica i f he eal i e biddi g e . We ll continue collaborating with Data Protection Authorities in other European countries too, who are also looking at complaints in this area. Innovation in technology has the potential to enhance all of our lives. The internet is central to that, and we understand that advertisements fund much of what we enjoy online. We understand the need for a system that allows revenue for publishers and audiences for advertisers. We understand a need for the process to happen in a heartbeat. 
Our aim is to prompt changes that reflect this reality, but also to ensure respect for i e e e legal igh . The le ha ec e le e al da a be f ll ed. C a ie do not need to choose between innovation and privacy. Elizabeth Denham Information Commissioner Information Commissioner’s Office Update report into adtech and real time bidding 20 June 2019The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent… page 23
  • 72.
  • 75.
  • 83.
    How RTB data leakage supports untrustworthy websites
    Step 1. User “John” visits The Daily Bugle
    Step 2. Bid request broadcasts personal data about John
    Step 3. 100s of companies in the ad auction can now re-identify John as a Daily Bugle reader
    Step 4. The Daily Bugle is paid €1 to show ad to John (€1 advertisement)
    Step 5. Later, John visits a low quality website (De5troyTru5t.com)
    Step 6. Bid request announces John is here
    Step 7. De5troyTru5t.com is paid €0.01 to show ad to John (€0.01 advertisement)
    Worthy sites lose their unique audience, and feed a business model for the bottom of the Web.
  • 90.
    How RTB enables fraudsters to steal from publishers and advertisers.
    Step 1. A bot masquerading as a human visits The Daily Bugle
    Step 2. Bid request broadcasts personal data about Bot
    Step 3. 100s of companies in the ad auction can now re-identify Bot as a Daily Bugle reader
    Step 4. The Daily Bugle is paid €1 to show ad (€1 advertisement)
    Step 5. Later, an untrustworthy website (De5troyTru5t.com) buys bot traffic
    Step 6. Bid request announces Bot is here
    Step 7. De5troyTru5t.com is paid €0.01 to show ad to Bot (€0.01 advertisement)
  • 91.
    MARKET OVERVIEW (NOW): PERSONAL DATA IN IAB / GOOGLE RTB
    Buyer, Distribution, Seller: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site
    Victims of massive fraud. 2019 estimates range from $5.7B (ANA) - $42B (Juniper Research).
    Extracts 70-55% of buyer’s media budget.
    Unique audience commodified and arbitraged. Untrustworthy sites business model enabled. Bot fraud boosted.
    70% figure from the Guardian and Rubicon case in 2017. 55% figure from “The Programmatic Supply Chain: Deconstructing the Anatomy of a Programmatic CPM”, IAB, March 2016.
  • 92.
    MARKET OVERVIEW (POST-FIX): NON-PERSONAL DATA IN IAB / GOOGLE RTB
    Buyer, Distribution, Seller: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site
    Extracts much lower % of buyer’s media budget.
    Unique audience becomes immune to commodification and arbitrage. No opportunity for untrustworthy sites.
    Bot fraud reduced. Bot fraud opportunity reduced.
  • 93.
  • 96.
    Marketer risk from programmatic advertising
    Marketer, Agency, DMP, DSP, Ad Exchanges, SSPs, Publishers
    Data protection-free zone: personal data widely broadcast in “RTB” bid requests
    Insurer and reinsurer risk?
    Legend: $ Money; Channel of data leakage; Shared liability under GDPR Article 82
  • 97.
    -GDPR, Article 4(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • 98.
    European Court of Justice 10 JULY 2018
  • 100.
    European Court of Justice 5 JUNE 2018
  • 102.
    -GDPR, Article 82(2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
  • 105.
  • 106.
    -GDPR, Article 35(1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
  • 107.
    -GDPR, Article 35(3) …shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or …
  • 108.
    The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. -GDPR, Article 36(1)
  • 109.
    Document: The EU’s proposed new cookie rules. Author: IAB Europe. Date: June 2017
  • 110.
  • 111.
  • 112.
  • 113.
    Conventional “Broadcast” Behavioral
    • What you are reading, or watching, or listening to.
    • Categories of the content.
    • Unique pseudonymous ID.
    • Unique ID matched to ad buyer’s existing profile of you.
    • Your location (can be your exact latitude and longitude).
    • Granular description of your device.
    • Unique tracking IDs / cookie match.
    • Highly specific timestamp.
    • Your IP address.*
    • Data broker segment ID* when available.
    *Depending on the version of “real time bidding” system
  • 114.
    Reduced data “Broadcast” Behavioral?
    • What you are reading, or watching, or listening to.
    • Categories of the content.
    • Your approximate location.
    • General description of your device.
    • Your approximate IP address.
    • Impression ID for buyer transparency.
    Person in Dublin (South Dublin) is reading an article about data law on IrishTimes.com. Using Safari on an iPhone X or higher.
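The step from the "Conventional" field list to the "Reduced data" list can be written as an allowlist rebuild of the bid request, so that anything not explicitly copied is dropped. This is an added example, not code from the slides or from Brave; field names follow IAB OpenRTB 2.x naming, and the /24 and /48 truncation widths, the query-string stripping and the sample request are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample request; every value is made up for illustration.
SAMPLE = {
    "id": "req-7f3a",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
    "site": {"page": "https://news.example/law/data-article?uid=abc123#c", "cat": ["IAB11"]},
    "user": {"id": "u-91c2", "buyeruid": "dsp-55e0", "data": [{"segment": [{"id": "seg-42"}]}]},
    "device": {"ip": "203.0.113.57", "ua": "Mozilla/5.0 (constructed)", "ifa": "constructed-ad-id",
               "make": "Apple", "os": "iOS", "osv": "13.1.2", "devicetype": 4,
               "geo": {"lat": 53.3331, "lon": -6.2489, "country": "IRL", "city": "Dublin"}},
}

def coarsen_ip(ip):
    """Zero the host bits: keep a /24 for IPv4 and a /48 for IPv6 (assumed widths)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def reduce_bid_request(req):
    """Rebuild the request from an allowlist; every field not copied here is dropped."""
    site, dev = req.get("site", {}), req.get("device", {})
    geo = dev.get("geo", {})
    # Strip query string and fragment, which often carry per-user tokens.
    page = urlsplit(site.get("page") or "")._replace(query="", fragment="").geturl()
    out = {
        "id": req.get("id"),  # per-auction ID, not a user ID
        "imp": [{"id": i.get("id")} for i in req.get("imp", [])],  # impression ID only
        "site": {"page": page, "cat": list(site.get("cat", []))},  # content and categories
        "device": {  # general description only: no ua, ifa or exact OS version
            "make": dev.get("make"), "os": dev.get("os"), "devicetype": dev.get("devicetype"),
            "geo": {"country": geo.get("country"), "city": geo.get("city")},  # no lat/lon
        },
    }
    if dev.get("ip"):
        out["device"]["ip"] = coarsen_ip(dev["ip"])
    return out

def dropped_paths(full, reduced, prefix=""):
    """List dotted paths present in the full request but absent after reduction."""
    paths = []
    for key, val in full.items():
        if not isinstance(reduced, dict) or key not in reduced:
            paths.append(prefix + key)
        elif isinstance(val, dict):
            paths += dropped_paths(val, reduced[key], prefix + key + ".")
    return paths
```

Calling `dropped_paths(SAMPLE, reduce_bid_request(SAMPLE))` lists the identifiers that no longer leave the exchange, which is a quick way to audit a reduction rule against a captured request.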
  • 115.
  • 116.
  • 117.
    “Local” Behavioral
    Private profiles. If you opt in, the Browser builds a profile that stays private on the device. No one (including Brave) ever gets it. Machine learning on the device decides what ad is shown, and when.
  • 118.
  • 119.
  • 125.
  • 126.
  • 127.
    Ads (Private) Ads (Huge Data Breach) Regulatory incentive CLEAN INDUSTRY Regulatory disincentive DIRTY INDUSTRY N20 C02
  • 128.
    Average Click Through Rate
    Google display: .46%
    Facebook display: .9%
    Brave: 14%
    Google search: 1.91%
    Sources: "Brave reaches 8 million monthly active users and delivers nearly 400 privacy-preserving ad campaigns", Brave, 16 October 2019 (URL: https://brave.com/brave-reaches-8-million-monthly-active-users-and-delivers-nearly-400-privacy-preserving-ad-campaigns/); "Average display advertising clickthrough rates", Smart Insights, 10 September 2019 (URL: https://www.smartinsights.com/internet-advertising/internet-advertising-analytics/display-advertising-clickthrough-rates/); "Average click-through rate: average CTR calculator", WordStream (URL: https://www.wordstream.com/average-ctr); "Facebook Ad Benchmarks for your industry", WordStream, 27 August 2019 (URL: https://www.wordstream.com/blog/ws/2017/02/28/facebook-advertising-benchmarks).
  • 132.
    1. RTB is the biggest data breach yet.
    2. Its implications are profound: compromised elections, collapse of worthy media, mass surveillance…
    3. DPIAs for advertisers should be keeping law firm billings healthy.
    4. Adtech reform is possible and inevitable.
  • 133.
    johnny@brave.com
    For updates, sign up to Brave Insights, a mailing list for analysts, researchers, and regulators, at brave.com/insight/