On September 12, 2018, complaints were submitted to regulatory authorities in the UK and Ireland, alleging that OpenRTB is a “mass data broadcast mechanism” that violates the GDPR. More broadly, the complaints state that the “ad tech” industry has not taken any meaningful effort to comply with the GDPR, including with respect to notice and choice or other technical controls, and that any reliance on a “legitimate interest” when engaging in real-time bidding is invalid. As a result, the complaints demand an EU-wide investigation into the industry and regulatory audits of participating organizations.
The below article provides strong counter-arguments to the complaints’ specious claims by explaining that:
- The GDPR regulates an organization’s use of technologies, such as OpenRTB, and not the technologies in and of themselves
- Among other technical measures, the digital advertising ecosystem has put in place several impression-level controls to address data protection;
- IAB Europe’s Transparency and Consent Framework is consistent with GDPR requirements for notice, choice, and security against unlawful processing; and
- “Legitimate Interests” can be an appropriate legal basis for processing activities related to real-time bidding.