ACTION FILE:
RTB online ad auctions

File summary:

The online advertising's Real-Time Bidding (RTB)is the biggest data breach ever recorded. It tracks and shares what people view online and their real-world location with countless companies. This happens 178 Trillion times every year in U.S. & Europe.1For detail on the scale of RTB see our report "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", ICCL, May 2022 https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/

ICCL is fighting the RTB industry at court in multiple jurisdictions, and is litigating against the Irish Data Protection Commission to Court for failing to investigate RTB.

File contents: 

File contact: 
Dr Johnny Ryan

Latest updates & next milestones


Latest update: 

  • 16 January 2025 -U.S. Federal Trade Commission urged to Investigate Google’s RTB data in first ever complaint under new national security data law
    Read more ›

Next milestones: 

  • Decision awaited from the Brussels Markets Court in IAB Europe's appeal against the 2022 Decision that the "Transparency & Consent Framework" is unlawful.

The problem


Online Advertising's Massive Data Breach

Real-Time Bidding (RTB) is $117+ billion industry.2Market estimate in “Programmatic advertising spend in Europe 2019”, October 2020 https://web.archive.org/web/20220825205917/https://iabeurope.eu/wp-content/uploads/2020/10/Programmatic-Market-Advertising-Spend-2019-Report.pdf, slide 8; and "Brand Disruption 2020", IAB https://web.archive.org/save/https://s3.amazonaws.com/media.mediapost.com/uploads/IABBrandDisruption2020.pdf, p. 66. Estimate of value based on € to $ exchange rate of mid 2019 (€1=$1.1292). It tracks and shares what people view online and their real-world location 178 Trillion times every year in U.S. & Europe.3For detail on the scale of RTB see our report "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", ICCL, May 2022 https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/ RTB is the biggest data breach ever recorded.

Almost every time you load a page on a commercial website or use an app an RTB auction occurs behind the scenes to determine what ad will appear in front of you. RTB auctions broadcast private information about what you are doing online, and where you physically are, to many other companies in order to solicit their bids for the opportunity to show you their ad. According to IAB Europe’s documentation, “thousands” of companies may receive data from a single RTB broadcast about a single person for a single ad.4"Pubvendors.json" (see documents section) uses the word "thousands". RTB companies documentation is indicative. For example, Microsoft (Xandr) allows 1,647 companies to receive RTB data about people. See "Third party providers which may receive Platform Data and other information", Microsoft Xandr, 2021, in the documents section, below. Google is no better.See "Ad technology providers" including "commonly used list" of companies that receive Google RTB data by default, Google, August 2022. As a result, your private data is broadcast to firms across the globe, including Russia and China, without any means of controlling what is then done with the data.5Industry documents confirm that there are no technical measures to limit what companies can do with this information, nor who they pass it on to. For example, see "pubvendors.json", IAB TechLab, in the documents section, below. This document attests that there are "no technical measures" to control the data.

The data broadcast about you includes things like what you are reading or watching or listening to, inferences about your sexual preferences, religious faith, ethnicity, health conditions, your political views, and where you physically are - sometimes right up to your GPS coordinates.6See for example the sample RTB bid requests from IAB and Google documentation, in the documents section, below. It also includes ID codes about you that help tie together many pieces of RTB data over time, so that very intimate profiles can be maintained about you and where you go and what you do.


Image

On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry. In Europe, RTB exposes people’s data 376 times a day on average.7For detail on the scale of RTB see our report "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", ICCL, May 2022 https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/

This massive data breach repeats every day.



Explainer


2 minute explainer clip
video
play-sharp-fill
Longer film about RTB
video
play-sharp-fill

ICCL reports & testimony


Reports & submissions 

Selected testimony & presentations

Selected file documents

Below is a (small) sample of evidence and legal submissions in this file so far.  

The "Open RTB Protocol" and Google "Authorized Buyers Protocol" 

"Content Taxonomy" sexuality, politics, ethnicity, etc. (“special category personal data”) in RTB bid request content and interest categories 

IAB "Audience Taxonomy" --- the rule book for secret dossiers about everybody on the internet 

Documents attesting to the absence of security in RTB 

Selected legal papers  

  • Lawsuit against Irish Data Protection Commission

Chronology


2017
Dr Johnny Ryan blows the whistle to the DPC and ICO while working for adtech company PageFair

2018 September
Dr Ryan files formal complaint while working at Brave Software. Duplicate complaint filed by allies in the UK

2018-2021
Duplicate complaints by 25 NGOs and individuals across the EU13NGO and individual complainants: Open Rights Group Dr Michael Veale Pakoptykon Foundation Eticas Foundation Bits of Freedom Dr Jef Ausloos Dr Pierre Dewitte Jose Belo Society for Civil Rights* Digitale courage* Digitale Gesellschaft* Netzwerk Datenschutzexpertise* Deutsche Vereinigung für Datenschutz* Italian Coalition for Civil Rights and Freedoms* La Ligue des Droits de l’Homme* Bulgarian Helsinki Committee* Association for the Defense of Human Rights in Romania* Italian Coalition for Civil Rights and Freedoms* Estonian Human Rights Centre* Peace Institute* Asociatia pentru Tehnologie si Internet* Defesa dos Direitos Digitais* GONG* Global Human Dignity Foundation* Homo Digitalis* Institute of Information Cyprus* (* denotes NGOs coordinated by Civil Liberties Union for Europe.) Dr Ryan submits several rounds of additional evidence.

2019 May
Irish Data Protection Commission (DPC) launches inquiry into Google's RTB system

2019 June
UK Information Commissioner's Office (ICO) publishes a report that confirms the complaint evidence, but takes no action

August 2020
ICCL opens an RTB action file when Dr Ryan joins the organisation

2021 June
We launch lawsuit at Landgericht Hamburg against IAB TechLab and Microsoft RTB company Xandr
Read more ›

2022 February 👍
Landmark decision from 28 EU data protection authorities on complaint led by ICCL confirms RTB's "TCF" consent system is illegal
Read more ›

2022 March
We launch case at Irish High Court against the Irish Data Protection Commission for not investigating RTB
Read more ›

2022 June
We are at the Brussels Markets Court against IAB Europe's appeal of the TCF decision

2022 September
Brussels Markets Court refers our questions to the European Court of Justice
Read more ›

2022 February
We lead complainants in legal action at the Brussels Markets Court against the Brussels Data Protection Authority's failure to allow complainants to view and comment on IAB Europe's "action plan"

2022 November
The United States Federal Trade Commission (FTC) is considering new privacy riles to protect internet users against tracking. The ICCL/Open Markets/TACD submission reveals the impact of tracking-based online advertising, to enable the FTC to act
Read more ›

2023 May
Brussels Markets Court hears complainants led by ICCL v Belgian Data Protection Authority on failure to disclose and hear views on IAB Europe consent action plan

2023 July
Irish High Court hears our appeal against the Data Protection Commission's failure to investigate Google's RTB security issues
Read more ›

2023 August
Irish High Court dismisses our appeal against the Data Protection Commission failure to investigate Google's RTB security issues

2023 September
Brussels Markets Court rejects IAB Europe’s immediate request to suspend enforcement. The Court will rule on the merits after the CJEU rules
Read more ›

2023 November 
We publish evidence of national security threat to Europe and the United States from RTB data leakage
Read more ›

2023 November 
We brief U.S. Assistant Attorney General Kanter on Google's RTB business (In November 2024 the U.S. DOJ requests a breakup of Google)

2024 February
The Hamburg Landgericht Court dismisses our case on procedural grounds.

2024 March 👍
The European Court of Justice agrees with our argument that data processed in the TCF is personal data and that IAB Europe is responsible
Read more ›

2024 June
Irish Court of Appeal dismisses our appeal against Data Protection Commission's failure to investigate Google's RTB security issues

2024 October
We publish evidence of the national security threat to Australia from RTB data leakage
Read more ›

2024 December
U.S. FTC acts against RTB firm Mobilewalla, following ICCL 2022 submission
Read more ›

2025 January
Brussels Markets Court to hold final hearing, following European Court of Justice Decision in March 2024


How to support
ICCL's work


The Irish Council for Civil Liberties has been at the forefront of every major rights advance in Irish society for over 40 years. We helped legalise homosexuality, divorce, and contraception. We drove police reform, defending suspects' rights during dark times. ICCL is Ireland’s leading human rights organisation, and our work on digital and data issues has global impact.

ICCL is completely independent from Government, and relies on donations and gifts. You make our work for human rights and freedom possible. Thank you.

Contact

Irish Council for Civil Liberties,
Unit 11, First Floor, 34, Usher's Quay,
Dublin 8

Phone: +353-1-9121640
Email: info@iccl.ie