“RTB is the biggest data breach ever recorded,” argues a new study that compounds the growing accusations toward the high-frequency media trading technique that relies on the extensive use of customer data.
Irish Council for Civil Liberties (ICCL) data indicates that real-time bidding (RTB) “tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”
Why it matters
From an industry perspective, it’s one of the sketchier areas of advertising that contributes to its bad name among the public. In some jurisdictions it creates a compliance nightmare. For most companies, the opaque market that results from programmatic advertising causes big problems for traceability.
But this report also asks big questions about what GDPR has actually done to rein any of this bad behaviour in. Not only is there a consent problem but increasingly one of security, especially following the draft US Supreme Court decision to ban abortion, and the risk that online searches for such services could now pose for users.
What’s this about?
Reported by TechCrunch here, the full report, available here, is based on data from confidential sources and estimates that web user data (online activity, location, etc.) is exposed hundreds of times a day depending on geography:
The average American has their data exposed 747 times each day.
The average European has their data exposed 376 times a day.
The report also suggests that some of these figures are relatively conservative estimates, given that its sources cover Google and Microsoft (which owns Xandr), but don’t include Facebook or new advertising giant Amazon.
Of course, Google says it doesn’t share personally identifiable information with partners and limits targeting capabilities based on sensitive information. Still, its work on the privacy sandbox that will help move past the cookie implies that there are better ways of managing online advertising.
What’s RTB again?
Real-time bidding is a form of programmatic media buying on a per-impression basis. When a user arrives at a publisher website, a bid request (including information about the user’s interests or profile) will then flow through the system to an ad exchange where advertisers bid for the chance to show that user an ad. It’s an old technology, by digital standards – WARC covered it back in 2012 – and was intended to improve pricing efficiency.
You probably knew this, but it is both complicated and boring, so it’s fair enough if you didn’t.
It has come under sustained criticism for a long time, especially from officials in Europe. In 2019, the UK’s data protection regulator warned about the adtech world’s “immature” understanding of data protection requirements.
More recently, the Belgian data protection regulator found that IAB Europe’s Transparency and Consent Framework, an off-the-peg solution to gain GDPR compliance for real-time bidding, was itself not GDPR compliant.
But in the US, where there is no overarching data protection control, examples of malevolent uses of RTB data are widespread – and mentioned in the report. Black Lives Matter protesters were profiled, and US security services have tracked people’s phones without a warrant.