RTB RIP? The Writing Could Be On The Wall For Real-Time Bidding In Europe

Real-time bidding (RTB) is a flashpoint in the debate over the future of programmatic advertising.

But whether the practice of using personal data in a real-time ad auction is lurching toward its deathbed in Europe, thanks to the General Data Protection Regulation (GDPR), or whether companies will just need to update how they collect consent for data processing, industry representatives agree that RTB is facing an existential crisis.

“There is a latent question in the air,” said Townsend Feehan, CEO of IAB Europe. “Is it possible to do programmatic in a way that complies with the GDPR?”

Battle lines

Feehan believes it is possible, as long as the industry figures out how to execute in a way that respects consumer consent, hence all the work being placed into the IAB’s Transparency and Consent Framework (TCF).

Yet, privacy advocates have been lodging simultaneous complaints with data protection authorities up and down the EU over the legality of RTB and the viability of the TCF.

The problem with the IAB’s framework, said Michael Veale, a tech policy researcher at University College London, is that it’s “about legitimizing something that is quite deeply flawed.”

Even if it were possible for someone to provide truly informed consent for the sort of data processing that takes place alongside every bid request in a real-time auction, that doesn’t account for data protection, a core tenet of GDPR, said Veale.

Veale is responsible for many of the complaints on file with European regulators right now, along with co-complainants Johnny Ryan, Brave’s chief policy officer, and Jim Killock, director of the Open Rights Group.

“The framework completely ignores the principle notion of data protection,” Veale said. “Data needs to be kept secure, minimized and it can’t be disseminated among numerous parties – and that’s regardless of any transparency.”

Building steam

Over the last year, European regulators have played their cards close to vest, with only limited cookie-related enforcement actions.

Expect that to change, said Alex van der Wolk, global co-chair of the privacy and data security group at Morrison & Foerster.

The investigations are starting to pile up. In late May, Ireland’s Data Protection Commission opened a formal investigation into whether the processing of data through Google’s DoubleClick ad exchange violates the law.

And data protection authorities, including those in France and the United Kingdom, are updating their outmoded cookie guidelines to be more in line with GDPR.

Implied consent, for example, will no longer be enough to place nonessential tracking cookies, and anyone using third-party cookies will have to clearly and specifically name the third parties involved and what they’re doing with whatever data is collected.

“RTB often makes use of cookies, or similar regulated technologies, and EU regulators are tightening the screws on the use of cookies,” van der Wolk said.


EU regulators have become more definitive with their language. The Information Commissioner’s Office, the United Kingdom’s data protection watchdog, issued a report in June on RTB and the ad tech industry that called the former “intrusive and unfair” and the latter “immature in its understanding of data protection requirements.”

The ICO report also dings the current version of the IAB’s Transparency and Consent Framework for suggesting that legitimate interest is a workable legal basis for dropping tracking cookies. (It ain’t, according to the ICO.)

For now, the UK regulator isn’t planning to nail anyone to the wall. It’s taking a “measured and iterative approach” and looking to undertake another industry review at some point toward the end of the year or in early 2020.

The ICO’s actions however underscore how regulators are unafraid to get into the guts of the ad tech ecosystem, and that should leave an uncomfortable feeling in the bowels of any business that relies too heavily on third-party data, regardless of where its customers are based.

It’s more than possible that US regulators could take a cue from Europe when the California Consumer Protection Act takes effect in January 2020.

“As far as I can tell, though, in this industry, not a lot of people care about how bad they look,” said Brave’s Ryan. “Ad tech benefits from the status quo.”

Business can’t be as usual

But the status quo isn’t sustainable, and anyone that isn’t prepared to change hasn’t been paying attention, said Alessandro De Zanche, an independent audience strategy consultant based in London.

“If you claim there is still confusion because of a lack of clarity, you’re doing so in bad faith,” De Zanche said. “The ICO’s report reiterates, yet again, what is and isn’t lawful, and we are progressively moving toward a moment in time when regulators will start issuing fines.”

Is there a compromise, though?

Just take personal data out of the equation, Ryan suggested, and problem solved. There’s nothing dubious about real-time bidding if it doesn’t touch personal data. Aka, do contextual.

Retargeting wouldn’t work and frequency capping would have to change, but without personal data, RTB doesn’t even fall under the scope of GDPR anymore. “It’s a way that the majority of RTB can still happen,” Ryan said.

But RTB without targeting, why bother? said Brian O’Kelley, founder and former CEO of AppNexus.

“I’m calling BS – you can’t stop targeting and keep doing RTB,” O’Kelley said. “Making RTB untargetable kills it, and it’s not the right conversation to be having, it’s not an honest conversation.”

The more important issue isn’t what’s going to happen with RTB, he said, it’s finally figuring out how to gauge consumer choice and actually deliver on it.

“That has been the fight for 20 years now: Can you target me without my consent and, if so, how much?” O’Kelley said. “That is the real conversation and the mechanisms are secondary to that conversation.”

OK, but is RTB, one of those mechanisms, incompatible with GDPR?

“Yes,” said O’Kelley, who helped originate RTB when he was CTO at Right Media in the early 2000s. “I think it probably is.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. OpenRTB made media much more competitive, resulting in the creation of hundreds of new company and thousands of jobs. Of course, these benefits have to weighed against the harm caused by anonymous IDs. Can someone post an example of someone being harmed by an anonymous ID? Can whoever considers their cookie numbers “personal” speak up??

  2. RTB won’t go away. There are many other data signals that can be used to tailor a message in a meaningful, efficient way. Day, time, anonomyzed geo and – as mentioned in the article – and IMO most important – in-moment context. All of that does not require to collect personal data. But for sure – RTB retargeting will have a hard time (in Europe).

  3. Justin Scarborough

    How many of those jobs were created in Europe? I don’t think it’s lost on EU regulators that the majority of all wealth creation with the consumer internet as we know it (not just RTB) has largely passed them over. Similar to Apple, they have nothing to lose while publishers, the open web, and consumers suffer.

  4. That’s a good point, Justin. I wish the article had mentioned that the company that brought this complaint, Brave Software, is an American company that operates an ad network competing unsuccessfully with OpenRTB.

  5. No way RTB goes away. Not only has the competitive landscape changed due to the implementation of RTB but the benefits out way the risks. Has there been any real examples of issues with targeting data? Or are we ignoring that we use all these data collection apps and tools and think it’s really free? Everything comes at a cost and having data collected is one of those costs. RTB isn’t going anywhere but rather just a thing for us marketers to argue about.

  6. Jonathan Leduc

    Joey, it’s definitely a win for everyone when consumers who are happy to trade their data for free content do. Opt in isn’t the issue. This is where RTB will continue to thrive. The issue is that most often consumers aren’t aware of this trade, which makes it no longer consentual (often inappropriately called opt out). As a consumer myself who feels inhibited in an echo-chamber with a narrow perspective and prefers to get exposed to an unfiltered, untargeted broader internet, it’s important to ensure personal data is respected. So the conversation isn’t about whether or not personal data should be collected without consent. As Brian O’Kelley mentioned, it’s about how to implement a solution that makes it consentual.