How Real-Time Bidding Works - and Why It Matters for Privacy
Real-time bidding (RTB) is the mechanism behind most display advertising on the web. When a visitor loads a page with ad space, an auction takes place in under 100 milliseconds. The publisher's supply-side platform (SSP) sends a bid request containing data about the visitor - including IP address, location, browsing history, device type, and sometimes inferred interests - to dozens or hundreds of demand-side platforms (DSPs) simultaneously.
Only one DSP wins the auction and serves the ad.
The privacy problem is straightforward: every participant in the auction receives the bid request data, regardless of whether they win. According to research by the Irish Council for Civil Liberties, a typical EU user's data is shared an average of 376 times per day through RTB. In the United States, that figure rises to 747. The bid stream - the flow of bid requests across the advertising ecosystem - represents one of the largest continuous data broadcasts in existence.
Header bidding, a variant of RTB where multiple SSPs are queried before the ad server makes a decision, amplifies the issue. Because header bidding runs several parallel auctions, the same visitor's data may be sent to even more parties per page load.
What Personal Data Flows Through the Bid Stream
A single bid request typically contains far more data than most publishers realise. The GDPR defines personal data broadly under Article 4(1), and bid requests routinely include identifiers that fall squarely within scope.
| Data Field | Example | GDPR Classification |
|---|---|---|
| IP address | 203.0.113.42 | Personal data (Recital 30) |
| Cookie IDs | _fbp, _ga, DSP sync IDs | Online identifiers (Article 4(1)) |
| Precise geolocation | Latitude/longitude to street level | Personal data; possibly special category |
| Device fingerprint | User agent, screen resolution, language | Personal data when combined |
| Page URL / content | Full URL of the page being viewed | Reveals browsing behaviour |
| IAB content taxonomy | Health, finance, politics categories | May constitute special category data |
Content taxonomy categories are particularly risky. If a visitor is reading a page categorised under health or political topics, that classification travels through the bid stream and can be used to build sensitive profiles, even if no single buyer intended to do so.
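The table above lists exactly the fields a publisher-side minimisation pass would have to act on. The following is an added example, not code from the original page or from any SSP or wrapper: it rewrites a bid request in the browser before it leaves the page whenever the visitor has not consented to profiling, truncating the IP, coarsening geolocation, dropping cookie IDs, reducing the device block to a coarse type, cutting the page URL to its origin and removing the sensitive taxonomy categories. The field names and the consent record shape are assumptions for illustration, not a real bid request schema; the sample request is constructed.

```javascript
// Added example (not from the original page): minimise a bid request when the visitor
// has not consented to profiling. Field names and consent shape are assumptions.
const SENSITIVE_CATEGORIES = new Set(['health', 'finance', 'politics']); // rows in the table above

function truncateIp(ip) {
  // IPv4: zero the last octet. IPv6 or anything unparseable is dropped entirely.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$/.exec(ip || '');
  return m ? `${m[1]}.${m[2]}.${m[3]}.0` : undefined;
}

function coarsenGeo(geo) {
  // Keep roughly a 1 km grid cell (two decimal places), never street-level coordinates.
  if (!geo || typeof geo.lat !== 'number' || typeof geo.lon !== 'number') return undefined;
  const round2 = (v) => Math.round(v * 100) / 100;
  return { lat: round2(geo.lat), lon: round2(geo.lon) };
}

function pageOrigin(url) {
  // Origin only: the path (which revealed the article topic) is not forwarded.
  try { return new URL(url).origin; } catch (e) { return undefined; }
}

// Returns a new object; the input is never mutated so both versions can be logged.
function minimiseBidRequest(req, consent) {
  if (consent && consent.profiling === true) return JSON.parse(JSON.stringify(req)); // consented: pass through
  return {
    ip: truncateIp(req.ip),
    geo: coarsenGeo(req.geo),
    user: undefined, // cookie IDs and DSP sync IDs removed entirely
    device: { type: req.device ? req.device.type : undefined }, // no user agent, screen or language
    page: pageOrigin(req.page),
    categories: (req.categories || []).filter((c) => !SENSITIVE_CATEGORIES.has(String(c).toLowerCase())),
  };
}

// Constructed sample request (documentation IP, fictitious site and IDs).
const SAMPLE_REQUEST = {
  ip: '203.0.113.42',
  geo: { lat: 50.85045, lon: 4.34878 },
  user: { ids: ['_fbp=abc', '_ga=xyz', 'dsp_sync=123'] },
  device: { type: 'mobile', ua: 'Mozilla/5.0', screen: '390x844', lang: 'nl-BE' },
  page: 'https://news.example/health/diabetes-diet?utm=1',
  categories: ['Health', 'sports'],
};

console.log(JSON.stringify(minimiseBidRequest(SAMPLE_REQUEST, null)));
```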
The Belgian DPA Decision and IAB Europe's TCF
The IAB Transparency and Consent Framework (TCF) was designed to standardise how consent is collected and communicated in programmatic advertising. The Transparency and Consent String (TC String) encodes a user's preferences and travels alongside bid requests, theoretically ensuring that only consented processing takes place.
In February 2022, the Belgian Data Protection Authority (APD) found that the TCF itself breached the GDPR. The APD ruled that the TC String constitutes personal data, that IAB Europe acts as a joint controller for its processing, and that the framework failed to meet transparency obligations under Articles 12 to 14.
On 14 May 2025, the Brussels Market Court upheld the finding and reimposed a fine of EUR 250,000 on IAB Europe. The Court confirmed that the TC String is personal data and that IAB Europe bears joint controller responsibility for its processing within the framework. It did narrow the scope slightly, ruling that IAB Europe is not a controller for downstream RTB data processing.
In January 2026, IAB Europe announced a successful appeal against some corrective measures imposed by the APD. The legal saga continues, but the core finding stands: the industry's own consent mechanism has been found non-compliant with the regulation it was built to satisfy.
Why RTB Struggles with GDPR Compliance
The tension between RTB and the GDPR is not merely procedural. It reflects a fundamental architectural conflict. Several GDPR principles are difficult or impossible to satisfy within the current RTB model.
Data Minimisation (Article 5(1)(c))
Bid requests broadcast data to all auction participants, not just the winner. There is no technical mechanism to restrict data access to only those parties that need it for a specific, defined purpose. Every DSP receiving the bid stream holds data about users whose ads they will never serve.
Purpose Limitation (Article 5(1)(b))
Once bid stream data leaves the SSP, publishers have limited visibility into how that data is used downstream. DSPs, data brokers, and other intermediaries may retain and repurpose bid stream data for audience building, profiling, or resale - purposes far removed from the original ad auction.
Lawful Basis (Article 6)
The EDPB and multiple DPAs have indicated that consent is the appropriate legal basis for RTB processing, not legitimate interest. Obtaining valid, informed, specific consent for the broadcast of personal data to hundreds of unknown recipients is, at best, a significant challenge. The Belgian APD's findings suggest it may be structurally impossible under the current TCF model.
Header Bidding Amplifies the Problem
Traditional RTB sends bid requests through a single SSP to a set of DSPs. Header bidding changed the economics by allowing publishers to query multiple SSPs simultaneously from the page header, increasing competition and revenue.
From a privacy perspective, this multiplication is costly. A publisher using five header bidding partners, each connected to 50 DSPs, could broadcast a visitor's data to 250 or more entities per page load. Across a typical browsing session of 20 page views, that amounts to 5,000 data transmissions - before the visitor has meaningfully interacted with any advertisement.
Server-side header bidding, where the auction runs on a server rather than in the browser, reduces some client-side exposure but does not eliminate the core issue. The bid stream still flows to dozens of buyers. Server-side approaches shift where the data is processed, not whether it is shared.
Data Leakage: The Unseen Risk for Publishers
Bid stream data leakage occurs when auction participants retain, aggregate, or resell data from bid requests they did not win. Because bid requests are broadcast rather than point-to-point, there is no enforceable technical barrier preventing this.
The consequences for publishers are significant. Under GDPR Article 26, joint controllers must have an arrangement determining their respective responsibilities. A publisher using RTB may be jointly responsible for processing carried out by any party in the bid chain, even if the publisher has no direct relationship with that party and no knowledge of their data practices.
This creates a vendor risk problem that is practically unmanageable at scale. A typical programmatic setup involves hundreds of vendors, many of whom subcontract to further parties. Conducting meaningful due diligence on every entity that receives bid stream data is not realistic for most publishers.
What Publishers Should Do Now
Complete withdrawal from programmatic advertising is not a realistic option for most ad-funded websites. There are, however, concrete steps that reduce exposure.
Audit Your Bid Partners
Review every SSP and header bidding wrapper in use. Reduce the number of demand partners to those that provide meaningful revenue. Fewer partners mean fewer bid stream recipients. Run a cookie scan to identify exactly which marketing cookies your ad stack sets.
Implement Proper Consent Before Auctions Fire
Ensure your consent management platform collects valid consent before any bid requests leave the page. This means blocking ad scripts until consent is granted - not merely recording a preference after the fact. Google Consent Mode v2 can help bridge the gap for measurement, but it does not replace the need for prior consent.
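One way to make "block ad scripts until consent is granted" concrete, as an added example that is not code from the original page or from any consent management platform vendor: ad tags are written into the page as inert `type="text/plain"` placeholders, which the browser never fetches, and a loader turns them into real scripts only once a consent record covers every purpose the tag needs. The consent record shape, the `data-consent`/`data-src` attributes and the `consent-changed` event name are assumptions to be wired to your own CMP's callback.

```javascript
// Added example (not from the original page or any CMP's API): load ad tags only after
// prior consent. Placeholders look like
//   <script type="text/plain" data-src="https://ads.example/tag.js" data-consent="marketing"></script>
// Consent record shape { purposes: { marketing: true, analytics: false } } is an assumption.

function hasConsent(consent, requiredPurposes) {
  // Default deny: a missing or malformed record is "no consent", never "unknown".
  if (!consent || typeof consent.purposes !== 'object' || consent.purposes === null) return false;
  return requiredPurposes.every((purpose) => consent.purposes[purpose] === true); // strict boolean true only
}

function parseRequiredPurposes(attr) {
  // data-consent="marketing,analytics" -> ['marketing', 'analytics']; absent -> ['marketing']
  const list = (attr || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  return list.length ? list : ['marketing'];
}

// Pure decision step kept apart from the DOM so it can be tested: returns the indexes of
// placeholders whose every required purpose has been consented to.
function selectActivatable(placeholders, consent) {
  const allowed = [];
  placeholders.forEach((ph, i) => { if (hasConsent(consent, ph.requires)) allowed.push(i); });
  return allowed;
}

// DOM step: swap each permitted placeholder for a real script element. This is the first
// moment the ad tag, and any bid request it triggers, can leave the page.
function activateAdScripts(consent) {
  if (typeof document === 'undefined') return 0; // not running in a browser
  const nodes = Array.from(document.querySelectorAll('script[type="text/plain"][data-src]'));
  const placeholders = nodes.map((n) => ({ requires: parseRequiredPurposes(n.getAttribute('data-consent')) }));
  const allowed = selectActivatable(placeholders, consent);
  for (const i of allowed) {
    const real = document.createElement('script');
    real.src = nodes[i].getAttribute('data-src');
    real.async = true;
    nodes[i].replaceWith(real); // no longer type="text/plain", so it cannot be activated twice
  }
  return allowed.length;
}

// Wiring (event name is an assumption): run once on the CMP's consent-change callback.
if (typeof window !== 'undefined') {
  window.addEventListener('consent-changed', (ev) => activateAdScripts(ev.detail));
}
```

A tag that has already been activated cannot be unloaded, so withdrawal of consent must stop further activation and, for a clean state, reload the page.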
Consider Contextual Alternatives
Contextual advertising - targeting ads based on page content rather than user profiles - eliminates much of the bid stream privacy risk. Google's Privacy Sandbox initiatives, including the Topics API, aim to reduce reliance on cross-site tracking, though their privacy credentials remain debated.
Document Your Processing
Maintain records of processing activities that specifically cover programmatic advertising data flows. If a DPA investigates, you will need to demonstrate that you understand where visitor data goes and on what legal basis.
Frequently Asked Questions
Is real-time bidding legal under GDPR?
RTB is not banned outright, but multiple DPAs have found that current implementations breach GDPR principles. Valid prior consent is required before bid requests containing personal data are broadcast to auction participants.
What is the IAB TCF and why was it found non-compliant?
The IAB Transparency and Consent Framework standardises how consent signals travel through the ad tech chain. The Belgian DPA ruled in 2022 that the TC String is personal data and that the framework fails GDPR transparency requirements. The Brussels Market Court upheld a EUR 250,000 fine in May 2025.
How many companies receive my data through a single RTB auction?
A single bid request can reach dozens to hundreds of demand-side platforms. With header bidding running multiple parallel auctions, a single page load may broadcast visitor data to 250 or more entities.
Does header bidding make the privacy problem worse?
Yes. Header bidding queries multiple supply-side platforms simultaneously, each connected to its own set of DSPs. This multiplies the number of parties receiving bid stream data compared to traditional single-SSP auctions.
Can publishers be held liable for bid stream data leakage?
Under GDPR Article 26, publishers may be considered joint controllers with parties in the bid chain. This means potential liability for downstream data misuse, even by companies the publisher has no direct contract with.
What is the alternative to real-time bidding for website advertising?
Contextual advertising targets ads based on page content rather than user data, avoiding most bid stream privacy issues. Direct ad sales, sponsorship models, and privacy-focused programmatic solutions that limit data sharing also exist.
Take Control of Your Cookie Compliance
If your website runs programmatic advertising, the cookies and trackers in your ad stack may be sharing visitor data before consent is collected. Start with a free scan to see exactly what your site sets, then configure your consent banner to block ad scripts until visitors give permission.