Adtech and Real-Time Bidding under European Data Protection Law

This article discusses the troubled relationship between contemporary advertising technology (adtech) systems, in particular systems of real-time bidding (RTB, also known as programmatic advertising) underpinning much behavioral targeting on the web and through mobile applications. This article anal...

Full description

Saved in:
Bibliographic Details
Published in:German law journal Vol. 23; no. 2; pp. 226 - 256
Main Authors: Veale, Michael, Zuiderveen Borgesius, Frederik
Format: Journal Article
Language:English
Published: Toronto Cambridge University Press 01.03.2022
Subjects:
Advertisements
Advertising
Behavior
Data integrity
Data processing
General Data Protection Regulation
Infrastructure
Internet
Internet access
Intervention
Law
Online advertising
Privacy
Protection
Security
Servers
Software
Technology
Third party
Transparency
URLs
Web analytics
Websites
ISSN:2071-8322, 2071-8322
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:This article discusses the troubled relationship between contemporary advertising technology (adtech) systems, in particular systems of real-time bidding (RTB, also known as programmatic advertising) underpinning much behavioral targeting on the web and through mobile applications. This article analyzes the extent to which practices of RTB are compatible with the requirements regarding a legal basis for processing, transparency, and security in European data protection law. We first introduce the technologies at play through explaining and analyzing the systems deployed online today. Following that, we turn to the law. Rather than analyze RTB against every provision of the General Data Protection Regulation (GDPR), we consider RTB in the context of the GDPR’s requirement of a legal basis for processing and the GDPR’s transparency and security requirements. We show, first, that the GDPR requires prior consent of the internet user for RTB, as other legal bases are not appropriate. Second, we show that it is difficult—and perhaps impossible—for website publishers and RTB companies to meet the GDPR’s transparency requirements. Third, RTB incentivizes insecure data processing. We conclude that, in concept and in practice, RTB is structurally difficult to reconcile with European data protection law. Therefore, intervention by regulators is necessary.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:2071-8322
2071-8322
DOI:10.1017/glj.2022.18