How to keep your data under lock and key

ICO report reveals real time buying puts your data at risk

Katherine Barnett
© Shutterstock / MchlSkhrv

A recent report revealed that real time buying in the advertising industry does not comply with the set GDPR requirements. With so much concern about privacy, how can you protect your data? In this article, Katherine Barnett examines some of the ways you can keep your data safe and keep sensitive information out of advertisers’ hands.

A recent report by the ICO has revealed that real time buying (RTB) in the programmatic advertising industry does not abide by GDPR requirements. This raises serious concerns regarding user privacy and security, especially considering most users do not know what RTB is, let alone that it involves their data.

What is RTB?

RTB stands for real time buying and refers to the process of purchasing a website’s advertising space. The process is automated and takes the form of an auction, where participants can raise bids in an effort to win ad space. It all takes place within a matter of seconds.

Programmatic platforms promise clients their ads will only be shown to users genuinely interested in their product. They do this by creating highly detailed profiles made up of data collected during and after the bidding process as users browse the web. These profiles can then be targeted with ads best suited to them.

This data includes, and is not limited to, IP address, location, age, and gender. Even when ad space isn’t won in RTB, participants still gain access to data, meaning they can continue building detailed user profiles to target in the future.

The ICO report identified multiple issues with RTB in regards to GDPR and PECR (Privacy and Electronic Communications Regulations). The main issues they discovered are regarding consent, transparency, and the complexity of the bidding process and ad ecosystem.


Within RTB, users are not provided with clear, comprehensive information about where their data is going and what it will be used for, a requirement under GDPR and PECR. If companies fail to provide this information, users cannot give legitimate consent for their data to be used.

SEE ALSO: Keep your ML data on the down low with TensorFlow Privacy

Consent is especially important when it comes to the processing of special category data, which can include an individual’s political preferences, religious beliefs, and health concerns. GDPR states that the processing of this data is prohibited unless explicit consent is obtained, but the vast majority of consent requests do not state they are collecting this data.

Users must be made aware of how their data is being handled and where it will end up so that they can give legitimate consent for its use. As it stands, RTB participants themselves often don’t have this information, making it hard to provide to users.

Complexity of RTB and the ad ecosystem

The complexity of the data supply chain makes it almost impossible to know where data will end up. Because of this, RTB participants cannot guarantee that data will be treated appropriately and in accordance with GDPR further down the chain.

The opacity of the supply chain is at the crux of why transparency and legitimate consent cannot be achieved. If those participating in RTB don’t have complete visibility on the process, how can they pass adequate information on to consumers?

Does highly personalised advertising even work?

Programmatic is marketed as a way to ensure ads are only seen by the right audience. Delivering ads to a smaller, more specific audience is said to reap better results as users are more likely to be legitimately interested.

However, it’s no secret amongst those in the industry that most clicks are still obtained through pop-ups or obtrusive ads. Users inevitably click these by mistake, making the ads seem more popular than they are.

Given that programmatic promises to get legitimately interested consumers clicking on ads, the continued overuse of pop-ups makes a mockery of the whole industry.

It also begs the question, would there really be much difference in the success of ad campaigns if personalisation was scaled back? If the ads that do the best are clicked on by mistake, it would seem the answer is no.

Whilst less-personalised targeting would mean that some will see ads that aren’t in-line with their interests, this would likely be a preferable trade-off for those who would rather their data was not collected at all.

How to protect your data and disrupt ad tracking

Online advertising is what funds most of the sites we use on a daily basis, so whilst it may be irritating at times, it’s necessary if we are to continue using them for free.

Thankfully, there are things we can do to grant our data some protection, as well as tools that prevent advertisers from tracking us from site to site.

SEE ALSO: Developers need to remain diligent at one-year mark of GDPR

Privacy Badger prevents advertisers from seeing what web pages users view and tracking their online journey. This web extension also blocks content from advertisers who are tracking users, and makes it appear as if the user has ‘suddenly disappeared.’

DuckDuckGo is also a popular choice amongst the privacy-conscious. Their app and browser extension prevents individuals from being tracked around the internet. Meanwhile, Mozilla recently brought out Track THIS. This tool confuses advertisers by disguising you as one of four personas, including Filthy Rich and Doomsdayer.

Other measures you can take to protect your data more broadly include investing in a reliable Virtual Private Network (VPN). A VPN encrypts your data, hiding it from your ISP and anyone who may be spying on your network. It also diverts your connection via a remote server, concealing your location and preventing advertisers from targeting you via your ISP.


Consumers have a right to know where their data is going and how it is being handled, and it is the responsibility of RTB participants and advertisers to make this information readily available and comprehensible. Ultimately, this must be done for RTB and the programmatic industry to stand a hope of becoming GDPR compliant.


Katherine Barnett

Katherine Barnett (@thekatbarnett) is a researcher at leading VPN review site Her writing focuses predominantly on global censorship, digital rights and cybersecurity.

Inline Feedbacks
View all comments