log in
All Articles | Back

Member Articles

Fear of Brave? An Analysis of GDPR Challenges to Behavioral Advertising 

by Matt Savare

Published: November, 2018

Submission: July, 2019


On September 12, 2018, a complaint was submitted to the Irish Data Protection Commission1on behalf of Johnny Ryan, Chief Policy and Industry Relations Officer at Brave Software, Inc., seeking to trigger, for the first time, an EU-wide investigation into certain data practices within the digital advertising industry. On the same day, a companion complaint was filed with the UK Information Commissioner’s Office2on behalf of Jim Killock of the Open Rights Group, a non-profit organization, and academic Michael Veale of University College London.

The complaints (the “Complaints”), which are essentially identical in nature and rely, in part, on an accompanying written report from Ryan3(the “Ryan Report”), allege that (i) OpenRTB and Authorized Buyers, the most widely used real-time bidding (“RTB”) protocols promulgated by IAB Technology Laboratory (“IAB Tech Lab”) and Google, respectively, are “mass data broadcast mechanisms” that violate the General Data Protection Regulation (the “GDPR”); (ii) there are no technical measures or adequate controls to support data protection during the RTB process; and (iii) legitimate interest can never be a valid legal basis in the context of widely broadcast RTB bid requests.4

Although this is not the first assault on behavioral advertising and real-time bidding,5it is the first broad one under GDPR and could have profound implications across the entire digital advertising ecosystem. Although the Complaints raise certain concerns over transparency, consumer control, data security, and accountability, many of their allegations and arguments are hyperbolic or misleading, and, in certain cases, incorrect both as a matter of fact and as a matter of law. As such, although the Complaints are helpful to crystallize and shine the light on important issues, they do not demonstrate pervasive industry-wide violations of GDPR or that a massive EU-wide assessment into RTB is warranted. Rather, specific and particularized allegations of GDPR violations should be investigated, as is the case with any other industry.

I. The Backstory

From smartphones and tablets to over-the-top platforms and social media networks, content is increasingly – and in many industries exclusively – being created and consumed digitally. Concomitant with this digital transformation in media, entertainment, and journalism has been the rapid and widespread adoption of digital advertising (“AdTech”).6Significantly, in 2017, AdTech revenue overtook broadcast and cable television advertising revenue for the first time and became an $88 billion industry in the U.S. alone. That figure is poised to rise to $107 billion by the end of this year.7

Despite its prevalence, AdTech, particularly online behavioral advertising (“OBA”), has been a lightning rod for criticism from privacy advocates. OBA is the serving of relevant and targeted advertisements to an individual based on information collected regarding his or her interactions with content on one or more digital properties. Such information is often collected via cookies, pixel tags, software development kits, and/or application program interfaces (“APIs”), depending on the type of digital property (e.g., website or mobile application), and utilized in the RTB process.

RTB facilitates “programmatic” (or automated) buying or selling of digital advertising and is carried out through technical protocols (e.g., OpenRTB and Authorized Buyers) implemented by various organizations. At a high level, RTB works as follows: A company (in AdTech parlance, a “Publisher”) owns or controls available ad space (“Ad Inventory”) on a website or other digital property. When an end user visits the Publisher’s online property, an organization such as a supply-side platform (“SSP”) or ad exchange will send a request on behalf of the Publisher soliciting buyers to bid on this available Ad Inventory on a per-impression basis. This bid request is received typically by a demand-side platform (“DSP”), which is an organization that connects buy-side organizations such as advertisers and agencies to a multitude of Publishers. In real-time, numerous advertisers and agencies simultaneously analyze the bid request and then make their bids to purchase the ad impression. The winning buyer will have its advertisement displayed on the Publisher’s digital property for that particular impression. This entire RTB process takes milliseconds from start to finish.





1 Ravi Naik, Grounds of Complaint to the Data Protection Commissioner 1, https://brave.com/DPC-Complaint-Grounds-12-Sept-2018-RAN2018091217315865.pdf.
2 Ravi Naik, Submission to the Information Commissioner – Request for an Assessment Notice/Invitation to Issue Good Practice Guidance Re “Behavioural Advertising” 1, https://brave.com/ICO-Complaint-.pdf.
3 Johnny Ryan, Report from Dr. Johnny Ryan – Behavioural advertising and personal data 1, https://brave.com/Behavioural-advertising-and-personal-data.pdf.
4 Naik, supra note 3, at 2, 3, 12; Ryan, supra note 4, at 3, 5.
5 For example, on April 8, 2010, three privacy groups filed a complaint with the United States Federal Trade Commission (“FTC”) claiming that certain advertising practices, including real-time bidding, constituted unfair and deceptive business practices. In their complaint, the Center for Digital Democracy, the US Public Interest Research Group, and the World Privacy Forum requested that the FTC investigate companies engaging in behavioral advertising, enjoin them from certain types of behavioral advertising, award consumers compensatory damages, and require any real-time tracking and bidding system to take greater steps to protect the privacy and economic welfare of US consumers.
6 We use the term “AdTech” here to describe the digital advertising industry because this is the term used in the Ryan Report.
7 Interactive Advertising Bureau, https://www.iab.com/news/digital-ad-spend-reaches-all-time-high-88-billion-2017-mobile-upswing-unabated-accounting-57-revenue/ (last visited October 24, 2018).
8 EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 (L 119) 111 [hereinafter GDPR].
9 Under the GDPR, a controller’s purposes for processing personal data must be assigned a “legal basis.”  The GDPR provides six different legal bases to choose from, the most applicable to the RTB context being (i) the inspanidual has “given consent to the processing of his or her personal data for one or more specific purposes” or (ii) the processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party . . . .” GDPR, 118-119.
10 A discussion of Google’s Authorized Buyers protocol is beyond the scope of this article.
11 Naik, supra note 3, at 2-3.
12 Johnny Ryan, Re: feedback on the beta OpenRTB 3.0 specifications, https://brave.com/iab-rtb-problems/feedback-on-the-beta-OpenRTB-3.0-specification-.pdf.
13 Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388, para. 36-39.
14 IAB Technology Laboratory, Reference Model, OpenRTB Specification 3.0, https://github.com/InteractiveAdvertisingBureau/openrtb/blob/master/OpenRTB%20v3.0%20FINAL%20DRAFT.md(last visited November 12, 2018).
15 Id.; Specification.
16 Ryan, supra note 4, at 4, 12-13.
17 Id. at 12-13.
18 IAB Technology Laboratory, Media Objects, AdCOM Specification v1.0, https://github.com/InteractiveAdvertisingBureau/AdCOM/blob/master/AdCOM%20v1.0%20FINAL%20DRAFT.md(last visited November 12, 2018).
19 Id.; Specification.
20 CNIL, Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data, https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data (last visited November 7, 2018).
21 Ryan, supra note 4, at 7.
22 Naik, supra note 3, at 3.
23 Ryan, supra note 4, at 3, 5.





WSG Member: Please login to add your comment.


WSG's members are independent firms and are not affiliated in the joint practice of professional services. Each member exercises its own individual judgments on all client matters.

HOME | SITE MAP | GLANCE | PRIVACY POLICY | DISCLAIMER |  © World Services Group, 2020