The document describes how real-time bidding (RTB) works in online advertising. It involves a visitor accessing a website, which triggers a bidding process among advertisers to display an ad on the site. The visitor's personal data is shared widely through the bidding process among publishers, supply-side platforms, demand-side platforms, data management platforms, exchanges, and advertisers. This raises privacy concerns about profiling and potential leaks of personal data. The document also notes the huge scale of data sharing, with leading exchanges processing tens to hundreds of billions of bid requests daily. It discusses legal risks to marketers under the GDPR and need for data protection impact assessments of RTB systems.
12. French regulator caught it with
68 million illegal RTB records.
Example
Vectaury: a small DSP/DMP/
trading desk in France. €3.5M
annual turnover in 2017 (though
subsequently won a €20M
investment).
DSP
13.
14.
15. Is 68 million
just 30%?
Then this small company
was sent personal data
¼ BILLION times via RTB
(in just one year)
16. website.com
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
17. Ad server
website.com
Ad server
javascript
Step 1.
User requests
webpage
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
18. Ad server SSP
Step 2.
Ad server
selects an SSP
website.com
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
19. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
website.com
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
20. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
21. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
Winningbid
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
22. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
Winningbid
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
23. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
Winningbid
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Step 6.
Exchange serves
winning bid
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
24. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
MARKETERS
website.com
Winningbid
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Agency
ad server
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
25. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
MARKETERS
website.com
AD
Winningbid
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Agency
ad server
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
26. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
Step 9.
Agency ad server
loads verification
vendor
MARKETERS
website.com
AD
Winningbid
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Verification
javascript
Agency
ad server
Verification
vendor
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Channel of data leakage
Legend
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
Money
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
28. • What you are reading, or watching, or listening to.
• Categories of the content.
• Unique pseudonymous ID.
• Unique ID matched to ad buyer’s existing profile of you.
• Your location (can be your exact latitude and longitude).
• Granular description of your device.
• Unique tracking IDs / cookie match.
• Your IP address.*
• Data broker segment ID* when available.
Personal data in bid requests
*Depending on the version of “real time bidding” system
29. • What you are reading, or watching, or listening to.
• Categories of the content.
• Unique pseudonymous ID.
• Unique ID matched to ad buyer’s existing profile of you.
• Your location (can be your exact latitude and longitude).
• Granular description of your device.
• Unique tracking IDs / cookie match.
• Your IP address.*
• Data broker segment ID* when available.
Personal data in bid requests
*Depending on the version of “real time bidding” system
32. HUNDREDS OF BILLIONS OF RTB
BID REQUESTS, EVERY DAY.
Index Exchange 50 billionii
OpenX 60 billion+i
Rubicon Project Unknown. Claims to reach 1 billion people’s devices.iii
PubMatic 70 billion+iv
Oath/AOL 90 billionv
AppNexus 131 billionvi
Smaato 214 billionvii
Google DoubleClick Unknown. DoubleClick is the dominant exchange.
i. "OpenX Ad Exchange", OpenX (URL: https://www.openx.com/uk_en/products/ad-exchange/).
ii. “Tour IX’s Amsterdam and Frankfurt Data Centers”, Index Exchange, 2 July 2018 (URL: https://
www.indexexchange.com/tour-ix-amsterdam-frankfurt-data-centers/).
iii. “Buyers”, Rubicon Project, (URL: https://rubiconproject.com/buyers/).
iv. "How PubMatic Is Learning Machine Learning", PubMatic, 25 January 2019 (URL: https://pubmatic.com/
blog/learning-machine-learning/)
v. "Maximize yield with Oath's publisher offerings", Oath, 3 April 2018 (URL: https://www.oath.com/insights/
maximize-yield-with-oath-s-publisher-offerings/)
vi. 500 Billion / 29.6 = 18.6 billion impressions per day. Using AppNexus 1:11.5 ratio, this is 214 auctions per
day. 500+ impressions figure cited in “Optimize your mobile strategy”, Smaato, (URL: https://
www.smaato.com/).
vii. “Transacting at a peak of 11.4 billion daily impressions, our marketplace handles more traffic each day than
Visa, Nasdaq, and the NYSE combined” at https://www.appnexus.com/sell. Note that in 2017, AppNexus said
in “AppNexus Scales with DriveScale”, 2017, (URL: http://go.drivescale.com/rs/451-ESR-800/images/
DRV_Case_Study_AppNexus-final.v1.pdf) that 10.7 billion "impressions transacted" came as a result of
running 123 billion auctions. The impressions transacted to auctions ratio appears to be roughly 1:11.5.
Therefore, the 11.4 daily impressions reported in 2018 equates to 131 billion auctions per day.
Leading RTB exchanges, daily bid request estimates
35. ‘controller’ means the natural or legal person,
public authority, agency or other body which, alone
or jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are
determined by Union or Member State law, the
controller or the specific criteria for its nomination
may be provided for by Union or Member State law;
-GDPR, Article 4 (7)
38. Any controller involved in processing shall be liable
for the damage caused by processing which
infringes this Regulation. A processor shall be liable
for the damage caused by processing only where it
has not complied with obligations of this Regulation
specifically directed to processors or where it has
acted outside or contrary to lawful instructions of
the controller.
-GDPR, Article 82 (2)
39.
40.
41. Data protection-free zone
PublishersSSPsDSPDMPMarketer Ad Exchanges
A
Agency
Personal data are widely broadcast
in “RTB” bid requests
Shared liability under GDPR Article 82Legend Money Channel of data leakage
$
MARKETER RISK
FROM PROGRAMMATIC
ADVERTISING
Insurer and
Reinsurer Risk
43. Where a type of processing in particular using new
technologies, and taking into account the nature,
scope, context and purposes of the processing, is
likely to result in a high risk to the rights and
freedoms of natural persons, the controller shall,
prior to the processing, carry out an assessment of
the impact of the envisaged processing operations
on the protection of personal data. A single
assessment may address a set of similar processing
operations that present similar high risks.
-GDPR, Article 35 (1)
44. -GDPR, Article 35 (3)
…shall in particular be required in the case of:
(a)a systematic and extensive evaluation of personal
aspects relating to natural persons which is based on
automated processing, including profiling, and on
which decisions are based that produce legal effects
concerning the natural person or similarly
significantly affect the natural person;
(b)processing on a large scale of special categories of
data referred to in Article 9(1), or of personal data
relating to criminal convictions and offences referred
to in Article 10; or …
45. The controller shall consult the supervisory
authority prior to processing where a data
protection impact assessment under Article 35
indicates that the processing would result in a high
risk in the absence of measures taken by the
controller to mitigate the risk.
-GDPR, Article 36 (1)
47. How RTB data leakage supports untrustworthy websites
The Daily Bugle
///
Step 1.
User “John” visits
The Daily Bugle
48. How RTB data leakage supports untrustworthy websites
The Daily Bugle
///
Step 1.
User “John” visits
The Daily Bugle
Step 2.
Bid request
broadcasts personal
data about John
49. How RTB data leakage supports untrustworthy websites
The Daily Bugle
///
Step 3.
100s of companies in the ad
auction can now re-identify
John as a Daily Bugle reader
Step 1.
User “John” visits
The Daily Bugle
Step 2.
Bid request
broadcasts personal
data about John
John
50. Step 4.
The Daily Bugle is
paid €1 to show ad
to John
How RTB data leakage supports untrustworthy websites
The Daily Bugle
///
Step 3.
100s of companies in the ad
auction can now re-identify
John as a Daily Bugle reader
Step 1.
User “John” visits
The Daily Bugle
€1 advertisement
Step 2.
Bid request
broadcasts personal
data about John
John
51. Step 4.
The Daily Bugle is
paid €1 to show ad
to John
How RTB data leakage supports untrustworthy websites
The Daily Bugle
Step 5.
Later, John visits a
low quality website
Step 3.
100s of companies in the ad
auction can now re-identify
John as a Daily Bugle reader
Step 1.
User “John” visits
The Daily Bugle
€1 advertisement
De5troyTru5t.com
///
Step 2.
Bid request
broadcasts personal
data about John
John
52. Step 4.
The Daily Bugle is
paid €1 to show ad
to John
How RTB data leakage supports untrustworthy websites
The Daily Bugle
Step 5.
Later, John visits a
low quality website
Step 6.
Bid request
announces John is
here
Step 3.
100s of companies in the ad
auction can now re-identify
John as a Daily Bugle reader
Step 1.
User “John” visits
The Daily Bugle
€1 advertisement
De5troyTru5t.com
///
Step 2.
Bid request
broadcasts personal
data about John
John
53. Step 4.
The Daily Bugle is
paid €1 to show ad
to John
Step 7.
De5troyTru5t.com is paid
€0.1 to show ad to John
How RTB data leakage supports untrustworthy websites
The Daily Bugle
Step 5.
Later, John visits a
low quality website
Step 6.
Bid request
announces John is
here
Step 3.
100s of companies in the ad
auction can now re-identify
John as a Daily Bugle reader
Step 1.
User “John” visits
The Daily Bugle
€1 advertisement
De5troyTru5t.com
€0.01 advertisement
///
Step 2.
Bid request
broadcasts personal
data about John
John
54. Step 4.
The Daily Bugle is
paid €1 to show ad
to John
Step 7.
De5troyTru5t.com is paid
€0.1 to show ad to John
How RTB data leakage supports untrustworthy websites
The Daily Bugle
Step 5.
Later, John visits a
low quality website
Step 6.
Bid request
announces John is
here
Step 3.
100s of companies in the ad
auction can now re-identify
John as a Daily Bugle reader
Step 1.
User “John” visits
The Daily Bugle
€1 advertisement
De5troyTru5t.com
€0.01 advertisement
///
Step 2.
Bid request
broadcasts personal
data about John
Worthy sites lose their unique audience, and feed
a business model for the bottom of the Web.
John
55. The Daily Bugle
Step 1.
A bot masquerading
as a human visits
The Daily Bugle ///
Fake
How RTB enables to steal from publishers and
advertisers.
fraudsters
56. The Daily Bugle
Step 1.
A bot masquerading
as a human visits
The Daily Bugle
Step 2.
Bid request
broadcasts personal
data about Bot///
Fake
How RTB enables to steal from publishers and
advertisers.
fraudsters
57. The Daily Bugle
Step 3.
100s of companies in the ad
auction can now re-identify
Bot as a Daily Bugle reader
Step 1.
A bot masquerading
as a human visits
The Daily Bugle
Step 2.
Bid request
broadcasts personal
data about Bot
Bot
///
Fake
How RTB enables to steal from publishers and
advertisers.
fraudsters
58. Step 4.
The Daily Bugle is
paid €1 to show ad
The Daily Bugle
Step 3.
100s of companies in the ad
auction can now re-identify
Bot as a Daily Bugle reader
Step 1.
A bot masquerading
as a human visits
The Daily Bugle
€1 advertisement
Step 2.
Bid request
broadcasts personal
data about Bot
Bot
///
Fake
How RTB enables to steal from publishers and
advertisers.
fraudsters
59. Step 4.
The Daily Bugle is
paid €1 to show ad
The Daily Bugle
Step 5.
Later, an
untrustworthy website
buts bot traffic
Step 3.
100s of companies in the ad
auction can now re-identify
Bot as a Daily Bugle reader
Step 1.
A bot masquerading
as a human visits
The Daily Bugle
€1 advertisement
De5troyTru5t.com
Step 2.
Bid request
broadcasts personal
data about Bot
Bot
///
Fake
///
Fake
How RTB enables to steal from publishers and
advertisers.
fraudsters
60. Step 4.
The Daily Bugle is
paid €1 to show ad
The Daily Bugle
Step 5.
Later, an
untrustworthy website
buts bot traffic
Step 6.
Bid request
announces Bot is
here
Step 3.
100s of companies in the ad
auction can now re-identify
Bot as a Daily Bugle reader
Step 1.
A bot masquerading
as a human visits
The Daily Bugle
€1 advertisement
De5troyTru5t.com
Step 2.
Bid request
broadcasts personal
data about Bot
Bot
///
Fake
///
Fake
How RTB enables to steal from publishers and
advertisers.
fraudsters
61. Step 4.
The Daily Bugle is
paid €1 to show ad
Step 7.
De5troyTru5t.com is paid
€0.1 to show ad to Bot
The Daily Bugle
Step 5.
Later, an
untrustworthy website
buts bot traffic
Step 6.
Bid request
announces Bot is
here
Step 3.
100s of companies in the ad
auction can now re-identify
Bot as a Daily Bugle reader
Step 1.
A bot masquerading
as a human visits
The Daily Bugle
€1 advertisement
De5troyTru5t.com
€0.01 advertisement
Step 2.
Bid request
broadcasts personal
data about Bot
Bot
///
Fake
///
Fake
How RTB enables to steal from publishers and
advertisers.
fraudsters
62. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver ad
sync
deliver segment
sync
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
63. Buyer SellerDistribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
MARKET OVERVIEW (NOW)
PERSONAL DATA IN IAB / GOOGLE RTB
Extracts 70-55% of
buyer’s media budget.
Unique audience
commodified and
arbitraged.
Untrustworthy sites
business model
enabled.
Bot fraud boosted.
70% figure from the Guardian
and Rubicon case in 2017. 55%
figure from “The Programmatic
Supply Chain: Deconstructing the
Anatomy of a Programmatic
CPM”, IAB, March 2016.
Victims of massive
fraud.
71. Personal data in bid requests
• What you are reading, or watching, or listening to.
• Categories of the content.
• Unique pseudonymous ID.
• Unique ID matched to ad buyer’s existing profile of you.
• Your location (can be your exact latitude and longitude).
• Granular description of your device.
• Unique tracking IDs / cookie match.
• Your IP address.*
• Data broker segment ID* when available.
*Depending on the version of “real time bidding” system
72. • What you are reading, or watching, or listening to.
• Categories of the content.
• Your approximate location.
• General description of your device.
• Your approximate IP address.
Non-Personal data in bid requests
Person is in Camden in London, UK. Reading
an article about Tesla motors on TechCrunch.
Using Safari on a Mac.
73. This Regulation applies to the processing of
personal data wholly or partly by automated means
and to the processing other than by automated
means of personal data which form part of a filing
system or are intended to form part of a filing
system.
-GDPR, Article 2 (1)
75. Buyer Seller
Extracts 70-55% of
buyer’s media budget.
Distribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
Unique audience
commodified and
arbitraged.
Untrustworthy sites
business model
enabled.
Bot fraud boosted.
70% figure from the Guardian
and Rubicon case in 2017. 55%
figure from “The Programmatic
Supply Chain: Deconstructing the
Anatomy of a Programmatic
CPM”, IAB, March 2016.
Victims of massive
fraud.
MARKET OVERVIEW (NOW)
PERSONAL DATA IN IAB / GOOGLE RTB
76. Buyer Seller
Extracts much lower%
of buyer’s media budget.
Distribution
Unique audience
become immune to
commodification and
arbitrage.
No opportunity for
untrustworthy sites.
Bot fraud reduced.
Bot fraud opportunity
reduced.
MARKET OVERVIEW (POST-FIX)
NON-PERSONAL DATA IN IAB / GOOGLE RTB
Marketer
$ DMP DSP Ad Exchange SSP
Site
77. Real Time Bidding hurts worthy
publishers, and enables a
business model for untrustworthy
sites, and enables the profiling of
every single online person, and
steals marketers money, and
exposes them to risk.
This can be easily fixed, if we
demand it. RTB needs reform.
78. johnny@brave.com
@johnnyryan
For updates, sign up to Brave Insights, a mailing list for analysts,
researchers, and regulators at
https://brave.us18.list-manage.com/subscribe?u=e38d85b519352e2b40c9b899e&id=4384bd4cba