New European law protects readers, media from real-time bidding dangers

By Michelle Palmer Jones


Nashville, Tennessee, United States


In the publishing industry, when we think of the word “broadcast,” we think radio and television. While we know and love those mediums, the type of broadcast INMA members learned about during Wednesday’s Webinar is not as favourable. 

Dr. Johnny Ryan, senior fellow for Irish Council for Civil Liberties and Open Market Institute, led a fiery discussion on the unlawful broadcast of personal data and how it is significantly and negatively affecting publishers. 

Ryan discussed a landmark decision from February 2, 2022, of 28 data protection authorities in Europe that claims the so-called transparency and consent framework surrounding real-time bidding (RTB) is unlawful and all data obtained through it is unlawful, too. 

“Instead of protecting the personal data, this industry has been broadcasting it — literally throwing it to the wolves. And it turns out that’s illegal,” Ryan said.  

What does RTB mean to a reader?

Let’s say a user goes to a publisher's Web site on a computer or mobile device. There’s an empty space where an ad will be shown to the user. The publisher has not sold the space directly, so it will tell an auction that there is a user present, giving characteristics about the user that should entice an advertiser to want to show its ad to that user.

Each auction or ad exchange sends the user’s information to tech firms known as demand side platforms or DSPs. The DSPs that receive the information about the user represent advertisers. In the example he gave, Ryan called the user Mark after INMA’s own Executive Producer/Interactive Mark Challinor. 

“In theory, the right advertiser will want to show their ad to Mark more than anyone else, and they will bid the most for his attention. So in a split second, the ad is shown to Mark,” Ryan said. “Some publishers get very excited about it as well because they aren’t thinking about the medium- and long-term impact to their business. The reason data protection people are appalled by it is the following: Once the data about Mark leaves, we have no idea at all what might then happen to it.”

Ryan gave an example of one small DSP caught with 68 million illegal real-time-bidding records. What is even worse, Ryan said, is the platform claims to dump 70% of what they obtain and dump all data after a year. 

Dr. Johnny Ryan, senior fellow for Irish Council for Civil Liberties and Open Market Institute, explains the danger from just one small company to personal data.

“Which raises another question: How much did they actually get? I mention this to you now to give you a sense of the scale of the problem because it will help to understand where the decision came from and why it’s not going away.” 

What does RTB mean to a media company?

Ryan then walked through what happens when someone visits a media company’s property or loads one of its Web sites. The Web browser receives the editorial content and then, behind the scenes, information about the person who’s loading the page is sent out to tens or thousands of companies — even if there’s only one single action occurring. 

Ryan explained the happenings through a very busy flow chart:

Look complicated? It is, which is part of the problem.

“The impression to take from that is: That is a lot of arrows and that’s an accurate impression,” Ryan said. “The question is what’s in those arrows. We know what’s in those arrows because the industry standard is actually documented. It’s public.” 

Ryan says the industry standard says you can have 595 different types of information in one of these bid requests. This includes things like the domain name or entire URL.

“Next we have identifiers that are highly unique to this individual so we can stitch together what we just learned about them now with what we learned about them 30 seconds ago or a week or a month or a year ago,” Ryan said. “Now we see we’re dealing with a young lady and we’re getting more information about her device, her IP address, and the type of software she’s using.”

You can also get her exact or approximate latitude and longitude. 

“The extent of the problem is not limited to data protection law because the problem is also a market problem,” Ryan said.

Ryan showed the Google privacy and terms page and deciphered it in his own words: “What this really means is Google takes data from your property and it uses it to sell ads at a higher margin on its own property. For the last 15 years, you have been allowing your audience data to leave your property and to be used by other companies on their own properties.”

Here’s how the leakage of data works, based on an example Ryan gave:

A user starts looking at business articles, then starts looking at ads for expensive cars on a high-end publisher’s site. A broadcast then goes out that the user is a high roller and wants to buy a car. In the short term, the publisher thinks it's a win because a high-end car ad shows up on the site. But then that user could later visit a lower-end Web site. A broadcast goes out to the low-end and other sites. They can all identify the user.  

“They don’t have to pay the high-end publisher for the user,” Ryan said. “They can get the high-end audience and show them an expensive car ad at pennies on the dollar, so the ad is shown at a huge discount. Worthy sites lose their unique audience and feed a business model for the bottom of the Web.” 

The industry does not understand how bad this problem is, Ryan said. To make matters worse, real-time bidding also allows fraudsters to steal from publishers and advertisers. A bot can visit a high-end publisher’s site and route to a criminal Web site. This is known to be happening but the scale is not understood. 

Current RTB systems make fraud too easy.

The new law

The decision on February 2 made it clear, Ryan says, that this is personal data and legally it has to be kept secure. 

Ryan used an example of header bidding, where there’s an auction of auctions where you could have two different data exchanges, each of which sends the information about a person to tens or hundreds of different companies. 

Ryan also scrolled through one single ad exchange called Xandr to really get across a sense of the scale of the problem: “This is a document with 156 pages that lists all the companies Xandr claims the right to send information about the person visiting your page to.”

This example could be the result of a single bid request or many, but either way, Ryan said, there are 1,647 companies on the list. He also mentioned Google, AT&T, and Verizon have tens or hundreds of billions of these broadcasts daily around the world.

The new general data protection regulation makes it clear there must not be a data breach and that personal data must be protected. Thousands of companies can receive this data through RTB, and there are no technical means to determine what happens to the data after that.

In the February 2 decision, authorities said that RTB does not meet the requirements of data protection law, and all of the data collected under the consent part has to be deleted.

All around the world, there are provisions of data or privacy protection law that are very close to the general data protection regulation (GDPR) and there are many infringements identified in the decision, Ryan said.

“For anyone who isn’t active in the European market, I think it might be important for you to research the infringements that have been identified and whether they engage your local jurisdiction’s law,” he said. 

Workarounds to RTB

Ryan said he wants publishers to consider three models of free advertising that are more protective of personal information.

1. Real-time bidding but with a huge caveat: Take personal data out. “Instead of putting out all of this personal information, some of which can be highly compromising, you remove the personal data,” Ryan said. “So the only data that leaves the platform is non personal data. Another benefit is GDPR relates to personal data, not non-personal data, so the question of whether or not to get consent for this is moot. You don’t need it because you’re not dealing with personal data.”

2. Contextual advertising. Studies by IAB Europe show people prefer ads that matched the content they were reading, he said.

3. “Local behavioural,” where highly personal data is only stored on the device and the matching of the ads happens solely on the device.

“If I’m a publisher I don’t want to lose power the same way I’ve been losing it since digital became digital,” Ryan said. “Publishers have had pain from digital for as far as I can see since the commercialisation of the Web in the mid-‘90s, and the story has been getting worse and worse all the way through.”

News publishers should confront the reality of what real-time bidding is and realise it’s not sustainable. 

“If you’re trying to get to grips with this, a strategy I would be pushing for for publishers is I would be trying to strong arm the IAB (Interactive Advertising Bureau) to remove personal data from the real-time bidding specification so that everyone across the entire market was now sending only non-personal bid requests using RTB.”
