Risks and uncertainties of Programmatic Advertising and Real-Time Bidding: United Kingdom and French Supervisory Authorities express their opinion


Main background information

In the last weeks of June, it can be noticed that two European Data Protection Authorities focused their attention on the subject of ‘Programmatic Advertising’; namely, the Information Commissioner’s Office (“ICO”)[1] in the United Kingdom, and the Commission Nationale de l’Informatique et des Libertés (“CNIL”)[2] in France. Moreover, the CNIL recently rendered a formal notice to a company which was carrying out targeted advertising through the use of Programmatic Advertising technologies, in order to warn it that if it does not comply with the applicable data protection law within three months, it would be subject to a sanction. The critical aspects of the processing that were identified by the CNIL derive from (i) the lack of transparency in the information relating to the processing that the company was providing, as well as the text utilised to collect consent from the data subjects, (ii) the collection of a single consent to carry out multiple processing activities, and (iii) the unlawful disclosure of personal data to third parties.

Programmatic Advertising is an automated mechanism for the purchase and sale of advertising space online through computer platforms. This transaction is based almost exclusively on the analysis of personal data of the recipients of the advertising content, on the basis of which the allocation of such spaces takes place. Be cautious – there should be no overlap between Programmatic Advertising and Real Time Bidding (“RTB”), as the latter is only a specification of the former. In fact, the RTB is nothing more than a real time auction, between a publisher and indefinite advertisers (when the auction is open and not private), with its object being the online advertising space. Additionally, the auction is based on the personal data of the internet user, which is collected by the publisher through a set of technologies that operate directly on the browser and/or on the user’s device. The personal data constitutes the content of the so-called bid request, a real proposal launched by the publishers, or rather by their intermediaries, to the advertiser basin. Therefore, it follows that the more detailed the bid requests are, the higher the advertiser’s offer for the purchase of the advertising space visible to that specific end user will be (since the conversion rate for their advertisement can be much higher).

It is therefore understandable why the two Supervisory Authorities felt there was a need to express an opinion on the implications of these processes, raising several profound criticalities of the system in relation to the legislation of the European Regulation 2016/679 (“GDPR” or “Regulation”). As will be seen in greater detail below, but as can be perfectly understood from the documents published by the Authorities, the main issues that the system presents with respect to the provisions of the law are linked to the obligations of transparency, the lawfulness of processing activities as understood by the Regulation, the principle of data minimisation and the principle of privacy by design.


Main issues

The principle of transparency, one of the fundamental principles of the Regulation, ‘requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand by the person concerned […]. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing[3]. This principle is the first to be infringed because of the very nature of the RTB as an open auction to indefinite and indeterminate persons. This was the first aspect on which the ICO has intervened, by pointing out that despite current practices in the RTB ecosystem, the request for the consent of the Data Subjects for the processing which takes place by operators does not meet all requirements that must be respected to comply with the legislation. Among the requirements of the GDPR dedicated to the regulation of the information to be provided, Article 13 for the processing of data collected from data subjects and Article 14 when such data are collected from third parties, the information on the recipients of any transfers of data, or the categories to which they belong must also be included. But in the reality of Real-Time Bidding, the subject required to collect consent for this type of data processing, as highlighted by the ICO, “has no means of determining which third parties the data will be shared with. This leads to extensive lists of organisations who the data ‘might’ be shared with, depending on the specifics of the auction process”.

As mentioned earlier, the purposes of the processing must be specified in the information addressed to the Data Subjects. As the ICO confirmed in its report, once the bid request has been generated by the owner of the site visited and then disseminated within the platform that the auction takes place, the final use of the data contained in that request often exceeds the contractual purposes of the RTB. Other than this, the ICO explains that the bid request constitutes the basis on which other parties can build the profiles of the various users traced, due to the additional information received by other sources:

The nature of the processing is what leads to the risk of ‘data leakage’, which is where data is either unintentionally shared or used in unintended ways. Multiple parties receive information about a user, but only one will ‘win’ the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by other parties, e.g., retention, security etc. In essence, once data is out of the hands of one party, essentially that party has no way to guarantee that the data will remain subject to appropriate protection and controls”.

What further complicates any attempt by the RTB to comply with applicable law is the quantity and quality of personal data that is processed and shared: the Interactive Advertising Bureau (“IAB”) , which is one of the most representative trade associations of operators in this market, with its “GDPR Transparency and Consent Framework” has set up procedures for gathering consents and processing of personal data in general, which have become among the core and most adopted procedures to gain access to the devices of individuals located in EU by companies around the world. The same procedure allows the inclusion of 595 different types of personal data in the bid request, 4% of which belong to special categories of data as referred to in Article 9 GDPR. Among the most sensitive (but also shocking) categories that emerged from reading the Content Taxonomy Mapping of the IAB tech lab (a non-profit consortium that develops and provides technical standards, software and services to companies operating in the global digital media reality) are “gay life”, “Incest/Abuse support”, “Atheism/Agnosticism”.

Among the consumer rights representatives who have presented evidence against Google, IAB and other ad tech companies, are the Polish, Irish and British ones, which have shown that these giants acting on European territory make extensive use of personal data of web users, which are processed on a large scale and on a continuous basis (‘this occurs hundreds of billions of times a day’). With regard to this evidence, they also complain about the lack of transparency with respect to both the way in which the RTB is carried out and the identity of the recipients of the data; the impossibility for Data Subjects to exercise their rights in the absence of guarantees of access and of the possibility of verification of the data contained in the bid requests, of correction or deletion of the same data, as well as of access to the types of profiling carried out by advertisers on the basis of those data. Following the actions taken by the above-mentioned representative groups, the Irish Data Protection Authority (the Data Protection Commission) officially started its inspections against Google Ireland Limited on 22 May 2019.

The use of data within the RTB, as denounced in the aforementioned evidence, contrasts with another fundamental principle of the Regulation: the principle of data minimisation, contained in the Article 5 GDPR, which requires that data are “adequate, relevant and limited to what is necessary for the purposes for which they are processed“. From the text of the above-mentioned Authorities, it emerges that the amount of personal data collected within the Real-Time Bidding goes beyond the purposes of this scheme, as these purposes seem to be achievable through less invasive methods for the privacy of Data Subjects. In confirmation of the above, Dr. Johnny Ryan (Chief Policy and Industry Relations Officer for an Internet Browser particularly sensitive to privacy, with which the ICO has begun its collaboration), explained in his report that the bid requests do not necessarily have to contain the personal data of users to allow this type of targeted advertising to work, since it would be sufficient, , in his opinion, that the same targets refer to the general context to which reference is made rather than to individuals. This, however, would not allow companies and their partners to proceed with the profiling of potential users/consumers of their services/products. Consequently, the RTB – as a structured and widely used scheme, discourages most companies from the idea of an alternative system. It is precisely this high level of circulation, that has also led the French Supervisory Authority to express its opinion on the subject, without, however, concluding its study on the Programmatic Advertising, and referring to further details in the work on the new guidelines for the use of cookies that began in July, and to those that will take place in the second half of this year, relating to the “Operating procedures for the collection of consents“.


Practical implications

In conclusion, in the light of the critical privacy issues of the RTB and the amount of companies that have adopted these technologies, it is necessary to warn companies that intend to use the technologies of programmatic advertising. At the present stage, this practice may expose them to serious risk of sanctions and violations, given the existence of the principle of accountability that the Data Controller must adhere to: a principle that is found throughout the entire Regulation and that identifies the role of the data controller as responsible for the compliance, both formal and substantial, of the processing of personal data in relation to the legislation. Not only that, compliance with the Regulation in the processing personal data must also be demonstrated. In the case of Real-Time Bidding, given the nature of the critical points which suggest that this processing presents a high risk to the rights and freedoms of the data subjects, one of the compliance tools that must be used is the Data Protection Impact Assessment (“DPIA”) referred to in Article 35 GDPR. Specifically, Annex 1 to provision no. 467 of 2018 [doc. 9058979], published by the Italian Data Protection Authority, and concerning the types of processing subject to the requirement of an impact assessment, leaves no room for doubt, since Real-Time Bidding meets, by way of example, at least four of the requirements listed thereinafter:

  • Large-scale assessment or scoring measures, as well as measures involving the profiling of the persons concerned […] concerning ‘aspects relating to their occupational performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or travel’;
  • Large-scale processing of highly personal data;
  • Processing using innovative technologies;
  • Processing involving the exchange of data between different data controllers on a large scale by telematic means.



[1] https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf

[2] https://www.cnil.fr/fr/ciblage-publicitaire-en-ligne-quel-plan-daction-de-la-cnil

[3] Whereas Recital 39 GDPR: “Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing”.