The most directly valuable bidstream data is GPS or location info. Location data is the only piece of the bidstream that is actively excised and sold separately, typically by app developers or publishers to location data specialists for targeting or attribution – such as whether a person who saw a Home Depot ad walked into a Home Depot the next week.
The demand-side tech companies that see the most bidstream data don’t own the data and risk crippling penalties from regulators and clients if they were to use bidstream data beyond setting a bid for an impression.
The publisher owns the data and sometimes gives contractual permissions for an SSP or DSP to use bidstream data for forecasting or measuring campaigns, but typically vendors are explicitly forbidden from using bidstream data for derivative products. For instance, a DSP wouldn’t be allowed to use bidstream data to create an ID graph or use location data for its own attribution, said Ari Paparo, founder and CEO of the DSP Beeswax.
The data can have value at an aggregate level though, especially since DSPs see bidstream data for all bids, not just when they win an impression.
Brands can use historical bidstream data to see how different geos, browsers or URLs index for specific, high-value audience segments, said Max Jaffe, GroupM’s programmatic practice lead. “In that way it gives us a good sense of how efficient we can be for bidding in areas where there’s true scarcity.”
The way to get the most value out of bidstream data is, unfortunately, to misuse it. An unscrupulous DSP could monitor the bidstream for sites with valuable audiences, pull cookies or IP addresses, which can be retargeted, and then find the same users on cheaper sites.
As buyers and vendors sharpen their identity practice and adopt products like Ads.txt, that kind of basic bidstream fraud is harder to pull off. But it isn’t just buyers misusing bidstream data.
Some publishers and SSPs have taken up a practice dubbed “declaration fraud,” soliciting better rates by misrepresenting the size of video ad units.
Bidstream identity data assets, like a cookie or cookie-based IDs created by the Advertising ID Consortium or Digitrust, are tightly controlled. But for years, companies used non-identity data as an identity workaround, often called fingerprinting.
An advertiser may not recognize the same Safari user when she moves from site to site because Safari blocks cookies. But by collecting many bidstream data points, like Wi-Fi or IP address, screen size and orientation, CPU speed, battery details and clock format, an advertiser can identify someone without a cookie or ID.
“With enough technical signatures you could say it’s likely the same person if you see the same signatures again,” said Victor Wong, founder and CEO of the ad server Thunder. The identity connection is brittle, but it is a way to scale campaigns without licensing deterministic data, which can be expensive, he said.
Quantcast evaluated the tactic but decided the risks weren’t worth the diminishing returns, said Somer Simpson, director of product. In the EU, creating identity workarounds without permission is punishable under GDPR, and Apple is aggressively closing data loopholes that were used for fingerprinting.
New in the bidstream
One reason bidstream discussions are bubbling up more is because the bidstream itself went through a recent renovation.
The IAB’s OpenRTB 3.0 spec, released last summer, includes new data fields, media channels and security features for a new era of bidstreaming. Unlike previous OpenRTB updates, the 3.0 spec is not reverse compatible, which means publishers and ad tech companies must abandon the old version and rewrite their code.
The previous OpenRTB protocols didn’t anticipate header bidding or new media channels, like audio or CTV, and also were built for standard ad units and less complex transactions, said Neal Richter, CTO of Rakuten Marketing and one of the leaders of the IAB’s OpenRTB working group that developed the new spec.
Ads.cert is an openRTB 3.0 feature that improves security by cryptographically connecting an impression to a publisher’s page. Ads.txt guarantees a vendor is authorized by a publisher, but is vulnerable to bad actors weaseling into Ads.txt permissions to mask fraudulent inventory.
The OpenRTB 3.0 bidstream also includes an open field for identity signals, which is used mainly for cookies and cookie-based IDs, but is designed to be flexible if new ID products gain adoption, Richter said.
Many in the industry are excited about the chances to bring more data into the bidstream, since the new IAB protocol is more flexible.
The new spec introduces bidstream fields for new kinds of data DSPs and SSPs must pass back and forth, like viewability and brand safety guarantees, said Isaac Schechtman, BidSwitch’s sales engineering director.
Data and onboarding companies are getting into the bidstream too, he said. Companies like LiveRamp, Epsilon and Experian can now sync deterministic IDs in the bidstream.
“What I’d like to see and see more is passing things like take rate or SSP fees in the bidstream directly,” Jaffe said.
Currently buyers can wrangle data from their exchanges to try and establish SSP and DSP take rates, he said. “But now that transparency can be a selling point there’s talk about how to factor that into future bid requests.”