Contributors: Noopur Yadav, Sharanya Chowdhury, Aditi Tiwari
Introduction to Real Time Bidding
“Every day it (RTB) broadcasts this data (private or sensitive) about you to a host of companies continuously, enabling them to profile you.”- Irish Council for Civil Liberties (ICCL)
Remember how one moment we’re looking up something and next moment it appears all over our Instagram feed as ads. This is not manifestation, but a systematic process known as Real-Time Bidding (RTB). We all have come across such targeted advertising in our daily lives. Real-Time Bidding (RTB) efficiently matches advertisers with their target audience by using automated systems and real-time data. As such, RTB underpins the shift from generic mass advertising to personalised, data-driven and targeted marketing making large-scale ad campaigns “more profitable” in the digital age. Unlike traditional advertising models that rely on bulk purchases of ad space, RTB allows advertisers to assess each individual impression in real time and bid accordingly based on the user’s profile and relevance, using bidstream data.
Major RTB platforms use the Transparency & Consent Framework developed by Interactive Advertising Bureau (IAB), Europe. The framework aims to ensure websites, advertisers and ad agencies obtain, record and update consumer consent for data processing in compliance with privacy regulations for digital advertising purposes such as RTB. However, recently Belgium ruled the ‘Transparency & Consent Framework’ (TCF) illegal. Moreover the Irish Council For Civil Liberties (ICCL) released a report titled “The Biggest Data Breach,” calling the scale of Real-Time Bidding (RTB) data broadcasts in the U.S. and Europe a data breach. The figures reflect Google’s RTB breach by allowing 4,698 companies to receive RTB data about people in the U.S. Interestingly, Google has a global presence hence, no country can be ruled out of the possibility of being part of Google’s RTB data breach. Hereby, questioning RTB’s inherent data collection and dissemination practices pose significant threats to individual privacy. RTB works on a complex ecosystem at a breakneck speed. It becomes important to understand the process of Real time bidding and its intersection with data privacy.
How does RTB Work?
Real Time Bidding works on purchasing digital advertising space through automated software leveraging real-time data. The whole process is facilitated by Ad exchange websites. An Ad exchange brings together advertisers and publishers similar to an intermediary for buying and selling ad impressions. A publisher’s supply-side platform (SSP) (ad inventory) represents the publisher by connecting it to multiple ad exchanges and Demand Side Platforms (DSPs). While DSPs represent the Advertiser and automate buying ad impressions in real time for the advertisers.
Take, for example, a mobile game ‘X’. One can notice advertisements between the game levels. The underlying process is such that when a player logs in, the X’s SSP runs an auction for the available ad impression for all the advertisers interested in showing an ad to that player. The demand is sent to the ad exchange websites which in turn notify the DSP’s of interested advertisers. The advertisers make their bid on the ad exchange websites and, in a split second, the highest bidder is chosen. At last, the winning ad flashes on the screens of the players in between the levels.
Figure 1: RTB in Process
This granular targeting not only improves return on investment (ROI) for advertisers but also increases revenue for publishers by maximising the value of each ad impression. DSPs help advertisers adjust bids and spend only on impressions that match their audience criteria using campaign performance data and predictive analytics. Publishers use analytics to command higher prices for users with higher engagement and conversion rates and increase revenue potential for ad inventory through smart monetisation of the unsold inventory.
RTB has become central to Programmatic Advertising. The global sales of Real-time bidding in 2023 were USD 13,582.3 million and the market size is projected to grow from USD 21 billion in 2025 to USD 141 billion by 2035 at a rate of 20.98% CAGR (Compound Annual Growth Rate). To put it simply Real- time bidding sector is expanding more than 3 times faster than India’s overall GDP. It is responsible for the majority of programmatic spending globally, dominating the digital ad market currently. RTB has changed the landscape of digital advertising by integrating auction-based pricing and data driven targeting in real time. It has ensured efficient marketing to match the rapid change in market shifts and consumer behaviour.
Wondering how this RTB efficiently targets the right audience in the blink of an eye? Read along.
What makes RTB a game changer? – The Data Privacy Conundrum
The whole programmatic advertising ecosystem collects and utilises user information to efficiently connect the advertisers with the target audience. This includes details like demographics and browsing behaviour, location and also device information of the user. The user data is shared as bidstream data, short for bidstream location data which consists of any data connected to publisher’s bid request. Primarily this data is collected by setting cookies, capturing IP addresses (sometimes GPS data when enabled permission to access location) on mobile apps, contextual data and browsing history (including page URL). The concerning part is that the data shared involves sensitive personal information about the user. According to UK’s DPA, the ICO, report, companies involved in RTB “were collecting and trading information such as race, sexuality, health status or political affiliation” without consent from affected users.
Websites enable other companies/websites to track you through a combination of third-party trackers (including cookies), data aggregation and pattern recognition. To put it simply, they record your preferences and information to let advertisers show you personalised ads based on your interests and online activity. According to Federal Trade Commission, US, websites can track your online activity about what you do online through cookie or pixel to identify you even after you leave the site. This is particularly dangerous when looked from the lens of data privacy. The underlying data collection process involved in RTB can lead to detailed profiling revealing sensitive information of individuals without consent, potentially at the behest of data brokers to exploit. Sarah Bird, Ilana Segall, and Martin Lopatka in their paper titled Replication: Why We Still Can’t Browse In Peace have discussed how your web browsing habits can create a composite sketch of your identity even when not explicitly shared. In January 2024, the U.S. Federal Trade Commission (FTC) filed enforcement actions against two data brokers, Mobilewalla and Gravy Analytics, we can understand the critical challenges involved with data collection practice in RTB by studying the case closely. This is the first case to focus on collection and consumer data through RTB ad exchange.
Lack of User Consent:
Firstly, FTC found that Mobilewalla collected consumer information, without consent, from real-time bidding exchanges (ad exchange). This data included consumers’ mobile advertising identifiers and precise geolocation data and then shared the information with third parties such as Gravy Analytics. Gravy Analytics is a data broker and purchased consumer data from data suppliers and sells such consumer data to its customers, which included both commercial and government entities. All of this took place without any user consent which could be deduced from the fact that Gravy Analytics failed to verify that the data suppliers obtained consent from consumers to collect, use and share their precise geolocation for purposes used by it.
Profiling:
Secondly and most importantly the companies were not only storing and selling the data but also creating inferences derived from the location data about consumers. They used geofencing (virtual geographical boundary) to identify and categorize consumers into lists of related medical conditions, places of worship and other sensitive characteristics to be sold to third parties. On which Director of FTC’s Bureau of Consumer Protection stated that “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk.” The case critically highlights how user data can be used to build profiles for commercial profits easily for surveillance.
Broadcasting problem:
Lastly, when a bidding request is generated every participant in the auction receives the same detailed data, regardless of whether they win or lose the bid. Once bidstream data is sent out, control over it is lost. Every company that receives a bid request can potentially store, analyse, and use that data, whether or not they win the auction including Ad exchanges and SSPs, DSPs, Data brokers and analytics firms. Mobilewalla took advantage of this process to collect consumer data (including sensitive personal information) without consent.
Recently, the Irish Council For Civil Liberties (ICCL) released a report titled “The Biggest Data Breach,” calling the scale of Real-Time Bidding (RTB) data broadcasts in the U.S. and Europe a data breach. The figures reflect Google’s RTB breach by allowing 4,698 companies to receive RTB data about people in the U.S. Interestingly, Google has a global presence hence, no country can be ruled out of the possibility of being part of Google’s RTB data breach.
Impact on Privacy: why it matters?
The case study above highlights that users are unaware of the extent of their data being collected and shared during Real Time Bidding auctions. As individuals are getting more involved with digital services over the internet, they have also put themselves in danger of exposing their sensitive personal information. The uncontrolled nature of RTB makes it difficult for individuals to understand who has access to what information and how is it used. Vague consent mechanisms involving cookie policies and Opt-in or Opt-out are not truly informed or granular. This makes it nearly impossible for users to navigate consent notices to selectively control who receives their data and for what purposes. Hence, conveniently giving way to potential exploitation of their data (such as profiling using geo-location).
Over the years profiling has become the most common way to use an individual’s data against them. Two reports by Johnny Ryan and Wolfie Christl- America’s hidden security crisis and Europe’s hidden security crisis, show how the private details of people working in intelligence, the military, and other sensitive industries can be obtained by foreign states and their intelligence services. The reports cite Near Intelligence and Rayzone as examples of surveillance companies able to tap into RTB data in this way. The detailed information on users11 allows what the reports call “Cambridge Analytica-style psychological profiling of target individuals’ movements, financial problems, mental health problems and vulnerabilities, including if they are likely survivors of sexual abuse.” The opportunity for blackmail is evident, something that is particularly serious when the people targeted are in positions of power or have access to sensitive information. In early 2025, the DOJ finalized a rule restricting the cross-border flow of bulk sensitive personal data to entities connected to six designated countries of concern: China, Cuba, Iran, North Korea, Russia and Venezuela. The rule applies to data in any form, including “anonymized, pseudonymized, de-identified, or encrypted,” due to the risk that data can be reidentified through technical means and data linkage. It specifically addresses data commonly collected through commercial technologies, including ad tech.
Excessive regulation risks:
- Stifling innovation
- Overly burdensome compliance requirements on technology providers and advertisers
- Consolidating market power (Increased costs and limited ability of smaller players to compete among a few large actors)
- Reduced personalization capabilities
- Diminishing user experience and effectiveness of advertising campaigns.
- Offshore or underground data flows
- Circumventing regulation in turn weakening enforcement
This calls for proportional regulation that ensures accountability and transparency while preserving the benefits of RTB. Ad-tech requires legal and policy approaches that are adaptive, evidence-based, and multi-stakeholder to effectively mitigate risks without shutting down the ecosystem.
The Way Forward
The harm from unbridled RTB power is far-reaching. Excessive data collection and profiling threaten fundamental rights such as privacy, freedom of expression, and equal treatment when in control of private companies or state actors without adequate oversight. Abuse of RTB data can enable intrusive surveillance, discrimination, and manipulation of public opinion.
The notion of eliminating RTB is neither feasible nor desirable. It plays a central role in the online advertising ecosystem. However, over-regulation in this domain can also produce significant drawbacks that must be carefully weighed. The Digital Services Act prohibits targeted ads based on sensitive categories (ethnicity, religion, sexual orientation) and mandates annual audits for large platforms (Meta, Google) to assess systemic risks. While aiming to curb misinformation, these requirements compel platforms to allocate massive resources to compliance, audit, and data suppression, risking stifling innovation, reducing competition, and increasing costs for smaller player.
