RTB and GDPR: A Deep Dive into Privacy Risks

Iryna Kozirevych
B2B Marketing and Communications Manager
Published: Jun 22, 2026
Last updated: Jun 23, 2026

RTB faces growing GDPR and CCPA scrutiny because of broad data broadcasting, weak downstream control, cross-border transfers, and uncertain consent practices. To reduce risk, businesses are adopting stronger consent flows, stricter data minimization, contextual and first-party targeting, on-device and clean-room architectures, and privacy-by-design infrastructure that improves transparency and control over data sharing.

Real-time bidding (RTB) is the core engine behind programmatic advertising. Every time a user opens a webpage or app, a bid request containing user, device, and context data is sent to many potential buyers. The auction is completed within milliseconds, and the winning ad is delivered to the user.

While RTB offers efficiency and automation for both advertisers and publishers, data protection authorities question RTB mechanisms in terms of consent, transparency, and security. Additionally, regulations like GDPR, CCPA, and others keep raising the bar for data sharing, “selling”, and profiling. Users are also increasingly concerned. According to Statista’s survey conducted in November 2024, 41% of respondents stated that they decided not to accept data collection when visiting a website or an online service because they did not want the provider to use their personal data (the survey covered 12 European countries).

This guide takes a practical look at the privacy risks in real-time bidding and explores realistic compliance strategies that businesses can implement (for example, compliance tips for header bidding in GDPR regions). Read on to learn more.

Why RTB and GDPR are on a collision course

Covering a wide range of sectors (commerce, media, education, healthcare, etc.), GDPR introduces a variety of violation types:

[Figure: top GDPR violation types. Source: GDPR Enforcement Tracker]

The total amount of fines has already exceeded €6 billion, with the largest single fine of €1.2 billion.

The infographic above gives a brief picture of why RTB draws so much GDPR attention. Now, let’s dive deeper into the details.

How RTB handles personal data

An RTB auction involves numerous participants. When a user enters a website page or opens a mobile application, a bid request is generated and sent to an ad exchange (or several exchanges). Then, the exchange distributes this request to demand-side platforms and advertisers who may want to bid on it. 

Typically, bid requests contain IP addresses, geolocation data, device characteristics, browser details, language settings, audience segments, behavioral signals, etc. Even when direct identifiers (like names or email addresses) are not included, regulations often consider much of this information personal as it can be linked to a specific device or individual. The scale of data sharing is another issue – a single impression may expose the data to dozens or even hundreds of auction participants.  

These practices sit uneasily with the core GDPR principles. RTB depends on consent as the lawful basis for processing personal data. However, obtaining valid consent can be challenging. Besides, RTB workflows raise concerns around data minimization and purpose limitation. Security and accountability requirements add even more complexity. For instance, once bid requests enter a broad programmatic ecosystem, it becomes difficult (or even impossible) for media owners to control how the data is stored, processed, or shared.

Key regulatory concerns and rulings

If we summarize the key concerns, they would be as follows:

  • Lack of meaningful, specific, informed consent for the breadth of data sharing. Many consent mechanisms fail to provide sufficient explanations about how data is shared, which vendors receive it, how it can be used, etc. For example, in 2022, the Belgian DPA found that the TCF (Transparency and Consent Framework) developed by IAB Europe failed to comply with some of the GDPR provisions: the information provided through the CMP interfaces was too generic, which made it difficult for users to keep their data under control.

  • Difficulty enforcing purpose limitation and storage limits once data is broadcast. For example, even when a publisher defines proper data usage policies, the data distributed through requests may be retained, enriched, reused, and so on. Therefore, regulators question whether companies can really maintain control over data after it leaves their specific ecosystems and gets into the programmatic environment. 

  • Cross‑border transfers and unknown recipients. GDPR outlines restrictions on the transfer of personal data outside the European Economic Area. Businesses must ensure that they meet these requirements, but many RTB players do not have direct contractual relationships with all the participants of the auction chain. The GDPR penalty for serious infringements (which include illegal international transfers) is up to €20 million or 4% of global annual turnover.

4 main RTB privacy risks you need to understand

Using RTB while not being compliant with GDPR and other regulations can result in many negative consequences. Apart from penalties (which can be huge), businesses may face operational disruption, reputational damage, loss of trust, and supply chain complications. Let’s review the main risk areas. 

Consent and legal basis risk

One of the most significant GDPR challenges for RTB is establishing a valid legal basis for processing personal information. Personalized advertising activities should rely on user consent. However, in practice, consent mechanisms used across the industry are often criticized. Common issues are as follows:

  • Vague or bundled consent requests that combine multiple processing purposes into a single acceptance flow.

  • Pre-ticked boxes that do not reflect real user choice.

  • So-called “pay or okay” models that pressure users to give consent in order to access content.

Consent must be freely given, specific, and informed, but many businesses fail to meet these requirements. Another problem is how RTB systems actually handle consent signals. For instance, sometimes bid requests may be transmitted before consent is fully collected or validated.

If consent practices are not compliant, organizations may face regulatory investigations, financial penalties, and reputational damage.

Data minimization and excessive sharing

To be compliant with GDPR, you need to collect and share only the data that is strictly necessary for a clearly defined purpose. However, RTB systems often struggle with this, since bid requests frequently contain more information than is needed to serve a contextual or basic targeted ad. Advertisers naturally value additional information such as device identifiers, but regulators increasingly question such broad data distribution.

Another problem is that in the open auction model, bid requests are broadcast to multiple demand partners. Even marketers who do not win may still receive user-related information during the auction process. As a result, personal data can spread widely across the ecosystem with limited visibility into how it is stored, reused, etc.

Violating GDPR’s data minimization and purpose limitation principles can lead to classic problems like penalties and loss of trust. However, ensuring RTB GDPR compliance can be a complicated task. For instance, publishers may lack practical mechanisms to audit downstream data usage or enforce restrictions once data leaves their control. In addition, RTB players may find it challenging to demonstrate that all shared data is necessary for the stated advertising purpose.

Security and accountability

RTB ecosystems involve DSPs, SSPs, ad exchanges, data providers, etc. Each additional participant increases the complexity of maintaining strong data protection standards across the entire supply chain. 

From our experience, not all entities maintain the same level of technical and organizational security measures. For instance, some vendors may have weaker internal controls. However, since RTB operates at a massive scale and high speed, even small gaps can create significant privacy and security risks. In addition, complex chains can make it challenging to clearly define responsibilities, monitor data flows, or prove that proper security measures exist across every participant receiving bid requests.

Apart from potential data breaches, companies may face questions around joint controllership, shared liability, and incident notification obligations if regulators decide that multiple parties influence the way personal data is processed. Without strong governance frameworks, businesses may struggle to demonstrate compliance.

Cross-border data transfers and CCPA overlaps

RTB transactions often involve international data flows. For instance, bid requests coming from users in the European Union may be processed by vendors, servers, or advertisers located in the United States. Under GDPR, such transfers require additional safeguards:

  • Standard Contractual Clauses (SCCs)

  • Transfer impact assessments (TIAs)

  • Ongoing evaluations of whether recipient countries provide adequate data protection

Besides, the Schrems II ruling significantly increased control over EU-US data transfers by emphasizing that organizations must assess whether foreign surveillance laws could undermine GDPR protections. For RTB ecosystems, this creates additional complexity because data may move across multiple vendors and jurisdictions within milliseconds during the auction process.

At the same time, privacy obligations extend beyond Europe. For example, under CCPA and CPRA, certain RTB-related data sharing practices may qualify as “selling” or “sharing” personal information. This means companies may need to provide “Do not sell or share my personal information” mechanisms, contractual restrictions, and opt-out workflows.

The combination of different regulations creates compliance pressure for the participants of the AdTech industry. Organizations that fail to meet the requirements may face enforcement actions, operational disruption, and increased legal exposure across multiple jurisdictions. Besides, according to Statista’s survey conducted in 2024, 60% of respondents stated that, in their opinion, EU privacy laws like GDPR “had a negative impact on the conditions for starting and/or scaling a technology company in Europe”.

Header bidding, mediation, and CTV under GDPR/CCPA

Users generally prefer relevant, personalized ads. However, this personalization introduces compliance challenges. Let’s explore practical tips on how to mitigate risks.

[Figure: consumer attitudes towards personalized ads. Source: Statista]

Header bidding in GDPR regions – compliance tips

Header bidding enables multiple demand sources to bid on an impression simultaneously. This creates more equal conditions for advertisers and helps publishers drive revenue. At the same time, header bidding increases the complexity of privacy compliance because user-related data is distributed to many demand partners at once.

Therefore, publishers must ensure that no bid requests containing personal data are transmitted before valid consent has been collected. Regional compliance controls are also important. Media owners operating globally should avoid treating all traffic the same way. GDPR, CCPA/CPRA, and other regional regulations require different handling of user data, consent logic, and vendor participation.

Here are the key practices to follow:

  • Load the CMP so that consent status is available before auctions start.

  • Correctly propagate TCF, USP, and other consent or opt-out signals across all participating vendors.

  • Block or restrict vendors that do not have an appropriate legal basis or contractual compliance structure.

  • Reduce the number of participating bidders where possible to limit unnecessary data distribution.

  • Minimize the amount of information included in bid requests by avoiding unnecessary IDs, granular location data, or sensitive audience segments.

Privacy compliance in ad mediation (apps, SDKs)

In terms of privacy concerns, mobile app mediation and SDK-based bidding environments raise almost the same issues as web RTB. However, there is often even less transparency involved. In-app advertising commonly relies on SDKs that collect and share mobile advertising IDs, device data, IP addresses, app usage information, and sometimes location signals across multiple ad networks and bidders.

Since there are many SDK integrations operating simultaneously, app publishers often lack visibility into how data flows across the ecosystem. Some SDKs may keep transmitting identifiers or behavioral data even when consent has not been properly obtained or updated.

The key challenge here is that consent and opt-out logic should operate throughout the entire mediation stack, not only at the visible app UI. If privacy preferences are not consistently propagated to downstream SDKs and demand partners, the app may still expose personal data and violate privacy regulations.

Here are the steps that you may want to take:

  • Implement a robust consent management system that passes user preferences through all mediation layers and SDK integrations.

  • Limit the number of SDK networks integrated into the app.

  • Consider using server-side mediation (when possible) to improve control over data flows. 

  • Apply strict data minimization standards to device IDs, location sharing, and audience segmentation.

Privacy-compliant CTV targeting (GDPR/CCPA)

Instead of relying on cookies, CTV ecosystems depend on household-level targeting, device identifiers, IP addresses, platform data, and viewing behavior signals. Since CTV devices are usually shared between several individuals within a household, ensuring compliance becomes even more challenging than in, for instance, single-user mobile environments. Besides, device and household identifiers may still be classified as personal data. Thus, CTV targeting requires thorough governance – otherwise, compliance risks can be significant. 

Here are a few recommendations to keep in mind:

  • Consider using contextual targeting (by content categories, channels, genres, etc.) to reduce reliance on personal data while still ensuring ad relevance.

  • Invest in first-party and zero-party data strategies (e.g., subscriber accounts and loyalty programs).

  • Consider privacy-first collaboration methods like clean rooms.

  • Avoid heavy identity graph reliance (especially when legal risks are unclear) and evaluate CTV vendors carefully.

Global solutions for GDPR and CCPA compliant ads

GDPR, CCPA, and other privacy regulations evolve continuously, which turns compliance into an ongoing task. Here are some recommendations that will help you enhance your strategy.

Move from “broadcast everything” to “minimize and segment”

AdTech is moving toward selective and more controlled data usage. Instead of transmitting every available identifier or signal into the RTB environment, industry participants are increasingly evaluating which data points are actually necessary to achieve campaign objectives.

In practice, this means defining the amount of information required for targeting, optimization, and other tasks, and removing unnecessary fields from bid requests. Many campaigns can still deliver effective performance without exposing, for instance, precise location data.

Many businesses also start relying more on contextual categories, aggregated audience categories, and interest-based segments instead of raw behavioral data. This helps ensure campaign relevance without violating the data minimization and purpose limitation principles.
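The "minimize and segment" step in code, as an added example (not from the original post or from Attekmi): it strips an OpenRTB-style bid request down to what a contextual or coarse-segment campaign needs before the request is broadcast. Field names follow OpenRTB 2.x (`device.ifa`, `device.geo`, `user.eids`, `user.data`, `site.cat`); the sample request, the segment ids and the "sensitive segment" denylist are constructed.

```javascript
// Segment taxonomy ids this example treats as special-category data and never
// forwards (constructed denylist, not a real taxonomy).
const SENSITIVE_SEGMENTS = new Set(['health-1', 'religion-2', 'politics-3']);

// Constructed incoming request: far more than a contextual ad needs.
const SAMPLE_REQUEST = {
  id: 'req-1',
  site: { page: 'https://example.test/sports/football', cat: ['IAB17'] },
  device: {
    ua: 'Mozilla/5.0 (constructed)',
    ip: '203.0.113.42',
    ifa: '00000000-0000-4000-8000-000000000001',
    geo: { lat: 52.5201, lon: 13.4049, country: 'DEU', region: 'BE', zip: '10115' },
    language: 'de',
  },
  user: {
    id: 'pub-user-777',
    buyeruid: 'dsp-uid-1',
    eids: [{ source: 'example-id.test', uids: [{ id: 'abc' }] }],
    data: [{ name: 'dmp', segment: [{ id: 'sports-9' }, { id: 'health-1' }, { id: 'auto-4' }] }],
  },
};

// personalized=false (no consent / opted out): every identifier and all segments go.
// personalized=true: coarse segments stay, sensitive ones are removed, and an
// identifier survives only if its path is explicitly on keepIds. Precise
// location and the last IP octet are removed in both modes.
function minimizeBidRequest(req, { personalized, keepIds = [] }) {
  const out = JSON.parse(JSON.stringify(req)); // never mutate the caller's object
  const dropped = [];
  const drop = (obj, key, path) => { if (obj && key in obj) { delete obj[key]; dropped.push(path); } };

  if (out.device) {
    const g = out.device.geo;
    if (g) { // lat/lon/zip can single out a household: keep country/region only
      out.device.geo = { country: g.country, region: g.region };
      ['lat', 'lon', 'zip'].forEach((k) => { if (k in g) dropped.push(`device.geo.${k}`); });
    }
    if (typeof out.device.ip === 'string') { // IPv4 -> /24; anything else is removed
      const m = out.device.ip.match(/^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/);
      if (m) { out.device.ip = `${m[1]}.0`; dropped.push('device.ip:last-octet'); }
      else drop(out.device, 'ip', 'device.ip');
    }
    drop(out.device, 'ipv6', 'device.ipv6'); // not truncated here, so removed outright
    if (!(personalized && keepIds.includes('device.ifa'))) drop(out.device, 'ifa', 'device.ifa');
  }

  if (out.user) {
    for (const k of ['id', 'buyeruid', 'eids']) {
      if (!(personalized && keepIds.includes(`user.${k}`))) drop(out.user, k, `user.${k}`);
    }
    if (!personalized) {
      drop(out.user, 'data', 'user.data');
    } else if (Array.isArray(out.user.data)) {
      out.user.data = out.user.data.map((d) => ({
        ...d,
        segment: (d.segment || []).filter((s) => {
          const keep = !SENSITIVE_SEGMENTS.has(s.id);
          if (!keep) dropped.push(`user.data.segment:${s.id}`);
          return keep;
        }),
      }));
    }
    if (Object.keys(out.user).length === 0) delete out.user; // nothing user-level left
  }
  return { request: out, dropped }; // `dropped` doubles as an audit record
}
```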

Strengthen consent and preference management

Consent management for RTB plays a crucial role in privacy compliance. Regulators expect businesses to provide clear, transparent, and user-friendly mechanisms for preference management.

Therefore, you should use a robust CMP that implements TCF properly and avoids dark patterns. The consent interface should clearly explain what data is collected, how it is used, and what vendors may receive it.

If you operate internationally, applying a single global consent model for all users is not the way to go. Instead, you should implement regional approaches and follow GDPR requirements in the EEA, CCPA/CPRA obligations in California, etc. Emerging privacy laws in other jurisdictions often require different legal bases, disclosures, and opt-out mechanisms.

Note that privacy controls should remain easy to access and understand. Features such as “Reject all,” “Manage choices,” and “Do not sell or share my personal information” should be presented clearly rather than hidden behind multiple layers of navigation.

Contextual, on-device, and clean room architectures

As privacy expectations and regulations evolve, companies are switching to architectures that reduce reliance on direct user-level tracking. Contextual advertising is one of the most obvious examples here. Advertisers reach users based on page topics, app categories, video genres, etc. Contextual targeting allows for reducing privacy risks as it focuses on the environment, not individuals. 

On-device processing is another growing trend. Some systems process targeting or optimization logic directly on the user’s device and share only aggregated or limited signals externally. This approach helps reduce unnecessary exposure of user-level data.

Privacy-enhancing technologies and clean room environments are also becoming more and more common. These models can help you ensure measurable outcomes without depending on unrestricted identity sharing across the open ecosystem.

Choosing infrastructure that supports privacy-by-design

Using third-party privacy-safe ad serving tools (for instance, privacy-ready ad server platforms) may be enough for certain purposes, but if you want greater control over your privacy compliance efforts and other processes, consider launching a white-label platform.

For instance, a white-label monetization solution from Attekmi is compliant with GDPR, CCPA, COPPA, and TCF 2.0, and supports ads.txt and sellers.json files. In combination with advanced filtering and optimization capabilities, it can help you bring your strategy to the next level and maximize efficiency while maintaining compliance.

Practical implementation checklist for RTB under GDPR/CCPA

Legal and product alignment:

  • Clearly define the lawful basis used for each type of data processing activity.

  • Align legal, privacy, product, and engineering teams on what data is collected, why it is needed, and which vendors receive it.

  • Review whether all targeting, profiling, and measurement activities are properly disclosed in privacy notices and consent interfaces.

  • Document regional privacy requirements separately.

Tech setup:

  • Implement a robust CMP.

  • Ensure the CMP loads before header bidding, mediation, or ad-serving logic where consent is required.

  • Properly integrate TCF and other consent or opt-out signals across different vendors.

  • Verify that bid requests do not fire before valid consent is collected in regulated regions.

  • Test fallback behavior when consent is denied, withdrawn, or unavailable.

Data controls:

  • Minimize the amount of data included in RTB bid requests.

  • Limit the use of persistent identifiers, precise geolocation data, and sensitive audience segments where possible.

  • Configure region-specific data handling rules.

  • Use aggregated segments and contextual targeting signals.

  • Define retention limits and deletion rules for logs, bid-stream data, and audience information.

Vendor management:

  • Maintain a vetted and regularly reviewed list of bidders, SDKs, SSPs, DSPs, etc.

  • Conduct due diligence on vendor privacy practices, security controls, and international transfer mechanisms.

  • Remove inactive, redundant, or high-risk vendors from the supply chain.

  • Ensure vendors can support consent propagation, opt-out enforcement, and audit requests.

  • Update contracts with appropriate DPAs, SCCs, confidentiality obligations, and “service provider” clauses where needed.

Monitoring & DPIAs:

  • Conduct data protection impact assessments (DPIAs) for RTB, CTV, and high-risk profiling activities.

  • Regularly review consent rates, vendor activity, and bid-stream logs for compliance gaps.

  • Audit whether consent signals are correctly propagated across all participating systems.

  • Monitor evolving regulatory guidance, enforcement actions, etc.

  • Adjust the stack regularly as regulations and case law evolve.

Conclusion

Privacy regulations do not ban RTB. The problem is that many implementations struggle to meet modern privacy expectations around consent, data minimization, security, transparency, and accountability.

Reducing RTB privacy risks requires a combination of stronger consent and preference management, stricter control over bid-stream data, greater reliance on contextual and first-party strategies, careful vendor and cross-border transfer governance, and infrastructure designed around privacy-by-design principles.

AdTech companies that adapt their RTB and monetization stacks to these evolving standards will not only reduce legal and operational risk but also strengthen trust with users, advertisers, and regulators as the next phase of programmatic advertising continues to evolve.

Are you in search of a trusted white-label AdTech provider? Contact Attekmi

FAQ

Is RTB illegal under GDPR?

No, RTB itself is not illegal under GDPR, but many regulators argue that common RTB practices may violate GDPR requirements around consent, transparency, data minimization, and data security. Compliance depends on how personal data is collected, shared, and controlled throughout the programmatic supply chain.

What are the biggest GDPR risks in header bidding?

The main risks include firing bid requests before valid consent exists, sharing excessive user data with multiple vendors, and lacking visibility into downstream data usage. Publishers also face challenges around vendor accountability, regional consent handling, and proving compliance across complex bidder ecosystems.

How can publishers make CTV targeting more privacy-compliant?

Publishers can reduce privacy risk by relying more on contextual targeting, aggregated audience segments, and first-party data with clear consent frameworks. Limiting device identifiers, minimizing household-level tracking, and carefully vetting CTV vendors also help improve GDPR and CCPA compliance.

What should ad networks do differently for CCPA vs GDPR?

GDPR typically requires a lawful basis, such as consent, before processing personal data, while CCPA/CPRA focuses more on transparency and opt-out rights around “selling” or “sharing” personal information. Ad networks should apply region-specific consent, opt-out, and vendor management rules instead of using a single global approach.

How can a white-label SSP or exchange help reduce RTB privacy risks?

A white-label SSP or exchange gives businesses more control over data flows, vendor access, consent integrations, and RTB configurations. This makes it easier to minimize bid request data, apply regional privacy rules, audit traffic, and maintain privacy-by-design infrastructure.

Written by

Iryna Kozirevych is a Marketing Team Lead at Attekmi, an AdTech solutions provider with vast experience in RTB, header bidding, and privacy-friendly programmatic ecosystems.