File summary:
The online advertising's Real-Time Bidding (RTB)is the biggest data breach ever recorded. It tracks and shares what people view online and their real-world location with countless companies. This happens 178 Trillion times every year in U.S. & Europe.1For detail on the scale of RTB see our report "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", ICCL, May 2022 https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/
ICCL is fighting the RTB industry at court in multiple jurisdictions, and is litigating against the Irish Data Protection Commission to Court for failing to investigate RTB.
File contents:
- The problem
- Latest updates & next milestones
- ICCL reports & testimony
- Sample evidence
- Chronology of ICCL action
File contact:
Dr Johnny Ryan
Latest updates & next milestones
Latest update:
- 16 January 2025 -U.S. Federal Trade Commission urged to Investigate Google’s RTB data in first ever complaint under new national security data law
Read more ›
Next milestones:
- Decision awaited from the Brussels Markets Court in IAB Europe's appeal against the 2022 Decision that the "Transparency & Consent Framework" is unlawful.
The problem
Online Advertising's Massive Data Breach
Real-Time Bidding (RTB) is $117+ billion industry.2Market estimate in “Programmatic advertising spend in Europe 2019”, October 2020 https://web.archive.org/web/20220825205917/https://iabeurope.eu/wp-content/uploads/2020/10/Programmatic-Market-Advertising-Spend-2019-Report.pdf, slide 8; and "Brand Disruption 2020", IAB https://web.archive.org/save/https://s3.amazonaws.com/media.mediapost.com/uploads/IABBrandDisruption2020.pdf, p. 66. Estimate of value based on € to $ exchange rate of mid 2019 (€1=$1.1292). It tracks and shares what people view online and their real-world location 178 Trillion times every year in U.S. & Europe.3For detail on the scale of RTB see our report "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", ICCL, May 2022 https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/ RTB is the biggest data breach ever recorded.
Almost every time you load a page on a commercial website or use an app an RTB auction occurs behind the scenes to determine what ad will appear in front of you. RTB auctions broadcast private information about what you are doing online, and where you physically are, to many other companies in order to solicit their bids for the opportunity to show you their ad. According to IAB Europe’s documentation, “thousands” of companies may receive data from a single RTB broadcast about a single person for a single ad.4"Pubvendors.json" (see documents section) uses the word "thousands". RTB companies documentation is indicative. For example, Microsoft (Xandr) allows 1,647 companies to receive RTB data about people. See "Third party providers which may receive Platform Data and other information", Microsoft Xandr, 2021, in the documents section, below. Google is no better.See "Ad technology providers" including "commonly used list" of companies that receive Google RTB data by default, Google, August 2022. As a result, your private data is broadcast to firms across the globe, including Russia and China, without any means of controlling what is then done with the data.5Industry documents confirm that there are no technical measures to limit what companies can do with this information, nor who they pass it on to. For example, see "pubvendors.json", IAB TechLab, in the documents section, below. This document attests that there are "no technical measures" to control the data.
The data broadcast about you includes things like what you are reading or watching or listening to, inferences about your sexual preferences, religious faith, ethnicity, health conditions, your political views, and where you physically are - sometimes right up to your GPS coordinates.6See for example the sample RTB bid requests from IAB and Google documentation, in the documents section, below. It also includes ID codes about you that help tie together many pieces of RTB data over time, so that very intimate profiles can be maintained about you and where you go and what you do.

On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry. In Europe, RTB exposes people’s data 376 times a day on average.7For detail on the scale of RTB see our report "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", ICCL, May 2022 https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/
This massive data breach repeats every day.
Consent Spam
In 2018 the tracking industry trade body IAB Europe worked with major RTB companies8AppNexus Inc.; Conversant, LLC; DMG Media Limited; Index Exchange, Inc.; MediaMath, Inc.; Oath, Inc.; Quantcast Corp.; and, Sizmek, Inc. are named in the copyright notice of the TCF. See IAB Europe, “Transparency & Consent Framework, Cookie and Vendor List Format, Draft for Public Comment, v1.a”, IAB Europe, 7 March 2018 (URL: https://github.com/Vindico-LR/GDPR-Transparency-and-Consent-Framework/blob/master/Draft_for_Public_Comment_Transparency%20%26%20Consent%20Framework%20-%20cookie%20and%20vendor%20list%20format%20specification%20v1.0a.pdf), p. 3. to develop consent popups that, they hoped, would prevent the GDPR from disrupting the RTB industry. This compliance charade did nothing to address the underlying illegality of RTB.
IAB Europe calls this system the "Transparency & Consent Framework" (TCF), and claims it gives people “control and transparency over their personal data”.9IAB Europe, “What is the Transparency & Consent Framework?”, IAB Europe (URL: https://iabeurope.eu/transparency-consent-framework/).
However, the lack of protection of personal data broadcast by the RTB system means that the TCF’s claim of transparency and control is illusory. IAB Europe established no technical or organisational means to actually protect the enormous volumes of personal data about Internet users that is broadcast by RTB. It's own documentation acknowledges that “there is no technical way to limit the way data is used after the data is received”.10IAB Europe, json v1.0: Transparency & Consent Framework, 25 April 2018 (URL: https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/pubvendors.json%20v1.0%20Draft%20for%20Public%20Comment.md#liability The TCF is merely an honour system in which over a thousand companies are assumed to respect data protection law and to abide by terms & conditions. In other words, the 1,058 companies that participated in the TCF received personal data through it, could do with that data whatever they wish, and share it with whoever they wish. It does not matter what people click on these messages.
IAB says that TCF consent pop-ups are active on 80% of the European internet.11See "IAB & IAB Tech Lab Respond with Support for OpenRTB and IAB Europe’s Transparency & Consent Framework", October 19 2020 https://www.iab.com/news/iab-iab-tech-lab-respond-with-support-for-openrtb-and-iab-europe-transparency-consent-framework/ This consent spam has plagued Europeans countless times a day for years.
A year before unleashing this wave of consent popup spam across Europe, IAB Europe's CEO acknowledged in writing to the European Commission that RTB was "incompatible" with consent under the GDPR.12"As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR". See e-mail and page 3 of attached lobbying paper from IAB Europe CEO Townsend Feehan to European Commission, 26 June 2017.
Explainer


ICCL reports & testimony
Reports & submissions
- "America's hidden security crisis", November 2023.
- "Europe's hidden security crisis", November 2023.
- "Unfair & deceitful commercial surveillance", Submission to the U.S. Federal Trade Commission from ICCL, Open Markets Institute, and the Trans Atlantic Consumer Dialogue, November 2022.
- "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", May 2022.
- "Sustainable without surveillance", October 2021.
- "The Ryan Report: Behavioural advertising and personal data", September 2018
- [pre-ICCL] "Surveillance on UK council websites Brave’s report on surveillance of UK citizens by private companies embedded on council websites", Brave, February 2020.
Selected testimony & presentations
- European Commission expert group (EU Observatory on the Online Platform Economy), 27 January 2022, https://vimeo.com/670735163
- European Parliament IMCO Committee, 19 November 2021, https://vimeo.com/647758367
- European Parliament launch of Tracking-free Ads Coalition, 2 February 2021 https://www.iccl.ie/news/iccls-dr-johnny-ryan-keynotes-european-parliament-launch-of-tracking-free-ads-coalition-2/
- [pre-ICCL] Remarks at International Grand Committee on Disinformation and Fake News, 7 November 2019 https://vimeo.com/371652420
- [pre-ICCL] Testimony at the U.S. Senate Judiciary Committee, 21 May 2019 https://vimeo.com/337983273
- [pre-ICCL] European Data Protection Supervisor, 11 February 2019, https://vimeo.com/317245633
Selected file documents
Below is a (small) sample of evidence and legal submissions in this file so far.
The "Open RTB Protocol" and Google "Authorized Buyers Protocol"
- "AdCOM Specification v1.0", March 2022, IAB TechLab.
- "OpenRTB API Specification Version 2.5", December 2016, IAB TechLab.
- "OpenRTB API Specification Version 2.0", January 2012, IAB TechLab.
- Collected bid request examples from Google and IAB documentation.
"Content Taxonomy" sexuality, politics, ethnicity, etc. (“special category personal data”) in RTB bid request content and interest categories
- email from Benjamin Dick to Johnny Ryan, 27 August 2020, attesting inclusion of special category data (referred to here as "SCD") in the IAB taxonomy.
- "IAB TechLab Content Taxonomy v2", IAB TechLab, November 2017.
- "IAB TechLab Content Taxonomy v1", IAB TechLab.
- "publisher verticals", Google, marked up version.
IAB "Audience Taxonomy" --- the rule book for secret dossiers about everybody on the internet
- "IAB TechLab Audience Taxonomy v1.1", April 2020, IAB TechLab.
- "IAB TechLab Audience Taxonomy v1", May 2018, IAB TechLab.
Documents attesting to the absence of security in RTB
- “pubvendors.json v1.0”, May 2018, IAB TechLab, attesting that “there are no technical measures” to control data once broadcast.
- e-mail and attached lobbying paper from IAB Europe CEO Townsend Feehan to European Commission, 26 June 2017, attesting that RTB will be incompatible with consent under EU data protection law.
- [pre-ICCL] Google’s GDPR workaround Push Page mechanism
- "Third party providers which may receive Platform Data and other information", Microsoft Xandr, 2021
- "Ad technology providers" including "commonly used list" of companies that receive Google RTB data by default, Google, September 2020.
Selected legal papers
- Class action against Oracle
- Lawsuit in Germany v IAB TechLab, Microsoft Xandr, and others
- Lawsuit against Irish Data Protection Commission
- Affidavit, 9 March 2022.
- Complaint against Google and IAB
- "Decision of Brussels Markets Court on 2022/AR/292" (machine translation), 7 September 2022.
- "Decision on the merits 21/2022" (machine translation), 2 February 2022.
- "Two years of DPC inaction on the ongoing RTB data breach: Irish people with AIDS profiled, and Polish elections influenced", 21 September 2020.
- Complaint to Irish Data Protection Commission, 12 September 2018.
- Complaint against IAB Europe
-
Complaint to Irish Data Protection Commission, 3 April 2019.
-
Chronology
2017
Dr Johnny Ryan blows the whistle to the DPC and ICO while working for adtech company PageFair
2018 September
Dr Ryan files formal complaint while working at Brave Software. Duplicate complaint filed by allies in the UK
2018-2021
Duplicate complaints by 25 NGOs and individuals across the EU13NGO and individual complainants: Open Rights Group Dr Michael Veale Pakoptykon Foundation Eticas Foundation Bits of Freedom Dr Jef Ausloos Dr Pierre Dewitte Jose Belo Society for Civil Rights* Digitale courage* Digitale Gesellschaft* Netzwerk Datenschutzexpertise* Deutsche Vereinigung für Datenschutz* Italian Coalition for Civil Rights and Freedoms* La Ligue des Droits de l’Homme* Bulgarian Helsinki Committee* Association for the Defense of Human Rights in Romania* Italian Coalition for Civil Rights and Freedoms* Estonian Human Rights Centre* Peace Institute* Asociatia pentru Tehnologie si Internet* Defesa dos Direitos Digitais* GONG* Global Human Dignity Foundation* Homo Digitalis* Institute of Information Cyprus* (* denotes NGOs coordinated by Civil Liberties Union for Europe.) Dr Ryan submits several rounds of additional evidence.
2019 May
Irish Data Protection Commission (DPC) launches inquiry into Google's RTB system
2019 June
UK Information Commissioner's Office (ICO) publishes a report that confirms the complaint evidence, but takes no action
August 2020
ICCL opens an RTB action file when Dr Ryan joins the organisation
2021 June
We launch lawsuit at Landgericht Hamburg against IAB TechLab and Microsoft RTB company Xandr
Read more ›
2022 February 👍
Landmark decision from 28 EU data protection authorities on complaint led by ICCL confirms RTB's "TCF" consent system is illegal
Read more ›
2022 March
We launch case at Irish High Court against the Irish Data Protection Commission for not investigating RTB
Read more ›
2022 June
We are at the Brussels Markets Court against IAB Europe's appeal of the TCF decision
2022 September
Brussels Markets Court refers our questions to the European Court of Justice
Read more ›
2022 February
We lead complainants in legal action at the Brussels Markets Court against the Brussels Data Protection Authority's failure to allow complainants to view and comment on IAB Europe's "action plan"
2022 November
The United States Federal Trade Commission (FTC) is considering new privacy riles to protect internet users against tracking. The ICCL/Open Markets/TACD submission reveals the impact of tracking-based online advertising, to enable the FTC to act
Read more ›
2023 May
Brussels Markets Court hears complainants led by ICCL v Belgian Data Protection Authority on failure to disclose and hear views on IAB Europe consent action plan
2023 July
Irish High Court hears our appeal against the Data Protection Commission's failure to investigate Google's RTB security issues
Read more ›
2023 August
Irish High Court dismisses our appeal against the Data Protection Commission failure to investigate Google's RTB security issues
2023 September
Brussels Markets Court rejects IAB Europe’s immediate request to suspend enforcement. The Court will rule on the merits after the CJEU rules
Read more ›
2023 November
We publish evidence of national security threat to Europe and the United States from RTB data leakage
Read more ›
2023 November
We brief U.S. Assistant Attorney General Kanter on Google's RTB business (In November 2024 the U.S. DOJ requests a breakup of Google)
2024 February
The Hamburg Landgericht Court dismisses our case on procedural grounds.
2024 March 👍
The European Court of Justice agrees with our argument that data processed in the TCF is personal data and that IAB Europe is responsible
Read more ›
2024 June
Irish Court of Appeal dismisses our appeal against Data Protection Commission's failure to investigate Google's RTB security issues
2024 October
We publish evidence of the national security threat to Australia from RTB data leakage
Read more ›
2024 December
U.S. FTC acts against RTB firm Mobilewalla, following ICCL 2022 submission
Read more ›
2025 January
Brussels Markets Court to hold final hearing, following European Court of Justice Decision in March 2024
How to support
ICCL's work
Contact
Irish Council for Civil Liberties,
Unit 11, First Floor, 34, Usher's Quay,
Dublin 8
Phone: +353-1-9121640
Email: info@iccl.ie