Your data's auctioned off up to 987 times a day, NGO reports
Irish Council on Civil Liberties said this is first time the scope of real-time bidding is being measured
The average American has their personal information shared in an online ad bidding war 747 times a day. For the average EU citizen, that number is 376 times a day. In one year, 178 trillion instances of the same bidding war happen online in the US and EU.
That's according to data shared by the Irish Council on Civil Liberties in a report detailing the extent of real-time bidding (RTB), the technology that drives almost all online advertising and which it said relies on sharing of personal information without user consent.
The RTB industry was worth more than $117 billion last year, the ICCL report said. As with all things in its study, those numbers only apply to the US and Europe, which means the actual value of the market is likely much higher.
Real-time bidding involves the sharing of information about internet users, and it happens whenever a user lands on a website that serves ads. Information shared with advertisers can include nearly anything that would help them better target ads, and those advertisers bid on the ad space based on the information the ad network provides.
That data can be practically anything based on the Interactive Advertising Bureau's (IAB) audience taxonomy. The basics, of course, like age, sex, location, income and the like are included, but it doesn't stop there. All sorts of websites fingerprint their visitors - even charities treating mental health conditions - and those fingerprints can later be used to target ads on unrelated websites.
Google owns the largest ad network that was included in the ICCL's report, and it alone offers RTB data to 4,698 companies in just the US. Other large advertising networks include Xandr, owned by Microsoft since late 2021, Verizon, PubMatic and more.
Not included in ICCL's report are Amazon or Facebook's RTB networks, as the industry figures it used for its report don't include their ad networks. Along with only surveying part of the world that likely means that the scope of the RTB industry is, again, much larger.
Also, it's probably illegal
The ICCL describes RTB as "the biggest data breach ever recorded," but even that may be giving advertisers too much credit: Calling freely-broadcast RTB data a breach implies action was taken to bypass defenses, of which there aren't any.
So, is RTB violating any laws at all? Yes, claims Gartner Privacy Research VP Nader Henein. He told The Register that the adtech industry justifies its use of RTB under the "legitimate interest" provision of the EU's General Data Protection Regulation (GDR).
"Multiple regulators have rejected that assessment, so the answer would be 'yes,' it is a violation [of the GDPR]," Henein opined.
As far back as 2019, Google and other adtech giants were accused by the UK of knowingly breaking the law by using RTB, a case it continues to investigate. Earlier this year, the Belgian data protect authority ruled that RTB practices violated the GDPR and required organizations working with the IAB to delete all the data collected through the use of TC strings, a type of coded character used in the RTB process.
Johnny Ryan is no stranger to lawsuits: He left Brave, maker of the privacy-centric browser, to take his position at the ICCL, where he spearheaded several cases against the IAB and the practice of RTB.
According to the ICCL, it is currently involved in three ongoing cases involving RTB: One in Hamburg against Microsoft's Xandr advertising exchange, an Irish High Court case against the Data Protection Commission for failing to investigate RTB violations, and a third case in Brussels working against an IAB appeal against the earlier Belgian ruling.
The Brussels case, arguably the largest ruling against RTB thus far, centers around the IAB's Transparency and Consent Framework (TCF), which it developed in response to the passage of the GDPR. In the initial public comment version of the TCF, one section indicates that advertising publishers are worried about their liability around user data. In it, the IAB explicitly states it can't control the data that ad networks serve to bidders.
"Publishers recognize there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad," the document reads.
Newer versions of the TCF have added similar wording to the framework's disclaimer, which said that vendors themselves are responsible for compliance with the TCF, and the IAB makes no claims that following the framework will mean advertisers are in compliance with local laws.
Beating RTB: A game of "wait and see?"
Research from by Gartner and Forrester both predict the same near-term future for the adtech world: Regulations. With that in mind, the end of RTB may come soon.
- Google's FLoC flopped, boffins claim, because it failed to provide promised privacy
- EU, US close to replacing defunct Privacy Shield II
- Motivated by commerce, not conscience, Google bans ads for climate change consensus contradictors
- Which? survey finds people would actually pay the online giants not to take their data
Henein said that the IAB hasn't presented an alternative to RTB that preserves effectiveness and privacy. He said that Google's move to deprecate all third-party cookies in its Chrome browser – aka Privacy Sandbox – was a direct response; Google has since delayed the change until 2023.
Firefox, Henein said, has already done the same, and Chrome's control of the browser market could be the final nail if and when Google decides to kill third-party cookies.
Henein said that Google's alternative hasn't made the advertising industry entirely comfortable, as using it involves putting more control in Google's hands. He said that Microsoft's Parakeet is a better alternative to Google's because it protects user identity with a system roughly equivalent to a proxy that represents user likes and serves ads itself based on what it knows about users.
Henein said he doesn't believe that the EU will be able to take more action since the target is a type of technology, and he doesn't believe that the US has the necessary regulatory environment to do anything about it. Henein told us that he's an ardent privacy advocate, but still doesn't think the adtech industry should be demonized.
"It's a $500 billion a year industry that pays for a free internet and allows people of diverse backgrounds unbiased access to millions of services … surely we can find a way of addressing both the industries' needs to deliver the right ad to the right person AND protecting that person's rights to privacy," he added. ®