For nearly six years, privacy advocates and regulators have been sounding the alarm about the urgent privacy implications of real-time bidding, warning that it is the foundation for alarming trends like “corporate surveillance in everyday life,” or “surveillance capitalism.” These warnings range from the loss of control over our personal information to cross-border violations and even grave threats to national security. This blog will explore what Real-Time Bidding is and how it works, its privacy implications, and some recommended practices for organizations using this technology.
What is real-time bidding (RTB)?
Real-time Bidding (RTB) is a digital advertising process in which ad space is bought and sold in real time, within milliseconds of a webpage, app, or other digital content loading. When a user visits a website or app with available ad space, that space is auctioned to advertisers through an automated exchange.
The steps for RTB are:
1. When someone loads a website or an app, a Supply-Side Platform (SSP) sends personal data, including sensitive information, to several advertising exchanges in a process known as a bid request. This bid request comprises personal and sensitive data such as user interests, demographics, browsing behavior, identification codes, and information that indicates what a person is currently doing online (known as bidstream data).
2. After receiving such a request, the advertising exchanges broadcast the bid to several Demand-Side Platforms (DSPs).
3. DSPs analyze this data to determine whether to bid on behalf of their client (the advertiser) and add the new data to the existing dossier on the individual.
4. After assessing whether the ad is a suitable match for the user, the highest bidder wins, and their ad is instantly displayed on the webpage or app.

While RTB enables highly targeted advertising, it also raises privacy concerns due to the vast amount of personal data shared in the process. Some key issues include:
- Extensive data sharing: User data, including interests, browsing history, and even sensitive details, can be shared with a large number of companies, including ad exchanges and data brokers. Some businesses have emerged solely to collect and resell this data.
- Cross-border data transfers: RTB often transmits personal data across international borders, sometimes to regions with little oversight. This opens the risk of data being accessed by unknown entities or even foreign governments, posing a serious threat to national security and individual privacy.
- Lack of consent and control: Users typically have no direct control over how their data is shared or who can access it. Once bidstream data is broadcast, no technical safeguards prevent it from being used for unintended purposes, highlighting the urgent need for change.
The vast availability of personal data enables companies to engage in processing activities that may lead to invasive practices with uncertain legal grounds. Such activities encompass profiling and automated decision-making, large-scale processing, matching or merging datasets, analyzing or predicting behavior, location, or movements of individuals, and the undisclosed processing of sensitive information.
As digital advertising continues to evolve, businesses must balance the benefits of targeted ads with consumer privacy concerns and emerging regulations.
Enforcement and litigation risk
Federal Trade Commission (FTC)
Last year the FTC shed light on consumer data harvesting through RTB. A data broker collected large amounts of sensitive personal data from real-time bidding (RTB) exchanges. This data broker collected the bidstream data and retained it even after losing the bids. From 2018 to mid-2020, approximately 60% of the organization’s consumer data originated from RTB exchanges, including more than 2 billion unique mobile advertising identifiers (MAIDs) paired with location data.
The data broker violated the exchange terms by retaining and using the bidstream data, including location and other sensitive data, for non-advertisement purposes. Such personal information was further disclosed, exposing consumers to privacy violations and potential misuse of their information.
The organization signed a settlement with the FTC that included several orders, including the prohibition on collecting, purchasing, or otherwise acquiring or retaining covered information that the organization (directly or indirectly) accesses while participating in online advertising auctions for any purpose other than participating in such auctions.
Protecting Americans’ Data from Foreign Adversaries Act
Two privacy advocates filed the first-ever complaint under the new Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), arguing that Google’s RTB technology broadcasts sensitive data without any security measures. This is concerning because Google is dominant in the ad tech industry.
According to the complaint, Google’s RTB system dominates online advertising and operates on 33.7 million websites, 92% of Android apps, and 77% of iOS apps. Much of Google’s $237.9 billion advertising revenue comes from RTB.
The complaint relies on a report published in 2023 by Enforce, America’s Hidden Security Crisis, which reveals how sensitive Google RTB data, including data from active U.S. military personnel, national security leaders, and judges, is available for purchase on the commercial data market.
Additionally, a public list maintained by Google of the companies certified to receive RTB data includes companies that have the word “Beijing” in the title and foreign companies controlled by foreign adversary countries, which makes this data accessible to such countries, both directly and indirectly. PADFAA prohibits any company that generates revenue by granting access to data from transferring the data of U.S. individuals to a foreign adversary or any entity controlled by North Korea, China, Russia, or Iran.
The complaint argues that Google not only directly shares RTB data with foreign adversaries but also broadcasts sensitive personal data through RTB technologies so freely, at such vast scale, and without any protection, that it becomes available to foreign adversaries. At this point, Google cannot control what happens to the data after it is disclosed, even though its guidelines prohibit retaining and using RTB data as a form of “protection.” These guidelines, intended to safeguard user data, are insufficient to limit its use once broadcast.
Suggested practices
Here are some suggested practices for privacy compliance while using Real-Time Bidding (RTB) technologies:
- Minimize data collection and sharing: Collect only the personal data necessary for ad placement and avoid using such data to expand existing individual dossiers.
- Obtain explicit user consent: Implement a clear and transparent consent mechanism that informs users about the use of RTB and data collection.
- Ensure compliance with industry standards: Follow frameworks and principles set by industry self-regulatory organizations such as the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI).
- Strengthen security measures: Use security measures such as encryption to prevent unauthorized access, access controls to restrict who can handle RTB data, and conduct security audits to ensure compliance with data protection laws.
- Enforce data retention limits: Establish strict policies to delete bidstream data after a short period and ensure it is not stored or reused for purposes beyond bidding.
- Implement cross-border data transfer safeguards: Ensure compliance with applicable laws and regulations and conduct risk assessments before transferring data to third countries.
- Avoid secondary data use: Ensure that data is used solely for ad auctions, not for additional profiling or tracking.
- Enhance transparency and user control: Provide a clear privacy policy explaining RTB data collection and usage.
- Stay updated with legal and regulatory changes: Continuously monitor global privacy regulations affecting RTB and adapt processes to comply with new, evolving laws.
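The data-minimization and retention practices above can be enforced in code before a bid request leaves the SSP and again wherever bidstream data is stored. The sketch below is an added example, not code from any ad platform: it assumes OpenRTB 2.x-style field names (the page does not name a wire format), and the stored-record shape (`id`, `received_at`) and one-hour retention period are hypothetical.

```python
import copy
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Assumed OpenRTB 2.x-style field names; the page does not name a wire format.
DROP_USER = ("id", "buyeruid", "yob", "gender", "keywords", "data", "geo")
DROP_DEVICE = ("ifa", "didsha1", "dpidsha1", "macsha1", "ipv6")
RETENTION_SECONDS = 3600  # assumed policy value, not from the page

def _strip_url(url):
    """Keep scheme, host and path; drop the query string and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def minimize_bid_request(req):
    """Return a copy of the request without persistent IDs or precise data."""
    out = copy.deepcopy(req)
    user, device, site = (out.get(k, {}) for k in ("user", "device", "site"))
    for key in DROP_USER:
        user.pop(key, None)
    for key in DROP_DEVICE:
        device.pop(key, None)
    if "ip" in device:  # truncate an IPv4 address to its /24 network
        net = ipaddress.ip_network(device["ip"] + "/24", strict=False)
        device["ip"] = str(net.network_address)
    geo = device.get("geo", {})
    for axis in ("lat", "lon"):  # one decimal place is roughly 11 km
        if axis in geo:
            geo[axis] = round(geo[axis], 1)
    for key in ("page", "ref"):
        if key in site:
            site[key] = _strip_url(site[key])
    return out

def purge_bidstream(records, now, won_ids):
    """Retention: keep a stored request only if its bid won and it is fresh."""
    return [r for r in records
            if r["id"] in won_ids and now - r["received_at"] <= RETENTION_SECONDS]

# Constructed sample request (not real data).
SAMPLE = {
    "id": "req-1",
    "site": {"page": "https://news.example/health/article?uid=abc123"},
    "device": {"ifa": "00000000-0000-0000-0000-000000000000", "ip": "203.0.113.77",
               "geo": {"lat": 40.7128, "lon": -74.0060}},
    "user": {"id": "u-42", "yob": 1985, "keywords": "health"},
}
```

Running `purge_bidstream` on a schedule drops every request whose bid was lost, which is the retention behavior the FTC settlement described above targets.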
By implementing these suggested practices, organizations can balance effective advertising with strong privacy protections, reducing legal and reputational risks while respecting user rights.