Real-time bidding (RTB) is a flashpoint in the debate over the future of programmatic advertising.

But whether the practice of using personal data in a real-time ad auction is lurching toward its deathbed in Europe, thanks to the General Data Protection Regulation (GDPR), or whether companies will just need to update how they collect consent for data processing, industry representatives agree that RTB is facing an existential crisis.

“There is a latent question in the air,” said Townsend Feehan, CEO of IAB Europe. “Is it possible to do programmatic in a way that complies with the GDPR?”

Battle lines

Feehan believes it is possible, as long as the industry figures out how to execute in a way that respects consumer consent, hence all the work being placed into the IAB’s Transparency and Consent Framework (TCF).

Yet, privacy advocates have been lodging simultaneous complaints with data protection authorities up and down the EU over the legality of RTB and the viability of the TCF.

The problem with the IAB’s framework, said Michael Veale, a tech policy researcher at University College London, is that it’s “about legitimizing something that is quite deeply flawed.”

Even if it were possible for someone to provide truly informed consent for the sort of data processing that takes place alongside every bid request in a real-time auction, that doesn’t account for data protection, a core tenet of GDPR, said Veale.

Veale is responsible for many of the complaints on file with European regulators right now, along with co-complainants Johnny Ryan, Brave’s chief policy officer, and Jim Killock, director of the Open Rights Group.

“The framework completely ignores the principle notion of data protection,” Veale said. “Data needs to be kept secure, minimized and it can’t be disseminated among numerous parties – and that’s regardless of any transparency.”

Building steam

Over the last year, European regulators have played their cards close to vest, with only limited cookie-related enforcement actions.

Expect that to change, said Alex van der Wolk, global co-chair of the privacy and data security group at Morrison & Foerster.

The investigations are starting to pile up. In late May, Ireland’s Data Protection Commission opened a formal investigation into whether the processing of data through Google’s DoubleClick ad exchange violates the law.

And data protection authorities, including those in France and the United Kingdom, are updating their outmoded cookie guidelines to be more in line with GDPR.

Implied consent, for example, will no longer be enough to place nonessential tracking cookies, and anyone using third-party cookies will have to clearly and specifically name the third parties involved and what they’re doing with whatever data is collected.

“RTB often makes use of cookies, or similar regulated technologies, and EU regulators are tightening the screws on the use of cookies,” van der Wolk said.

ICO re: RTB

EU regulators have become more definitive with their language. The Information Commissioner’s Office, the United Kingdom’s data protection watchdog, issued a report in June on RTB and the ad tech industry that called the former “intrusive and unfair” and the latter “immature in its understanding of data protection requirements.”

The ICO report also dings the current version of the IAB’s Transparency and Consent Framework for suggesting that legitimate interest is a workable legal basis for dropping tracking cookies. (It ain’t, according to the ICO.)

For now, the UK regulator isn’t planning to nail anyone to the wall. It’s taking a “measured and iterative approach” and looking to undertake another industry review at some point toward the end of the year or in early 2020.

The ICO’s actions however underscore how regulators are unafraid to get into the guts of the ad tech ecosystem, and that should leave an uncomfortable feeling in the bowels of any business that relies too heavily on third-party data, regardless of where its customers are based.

It’s more than possible that US regulators could take a cue from Europe when the California Consumer Protection Act takes effect in January 2020.

“As far as I can tell, though, in this industry, not a lot of people care about how bad they look,” said Brave’s Ryan. “Ad tech benefits from the status quo.”

Business can’t be as usual

But the status quo isn’t sustainable, and anyone that isn’t prepared to change hasn’t been paying attention, said Alessandro De Zanche, an independent audience strategy consultant based in London.

“If you claim there is still confusion because of a lack of clarity, you’re doing so in bad faith,” De Zanche said. “The ICO’s report reiterates, yet again, what is and isn’t lawful, and we are progressively moving toward a moment in time when regulators will start issuing fines.”

Is there a compromise, though?

Just take personal data out of the equation, Ryan suggested, and problem solved. There’s nothing dubious about real-time bidding if it doesn’t touch personal data. Aka, do contextual.

Retargeting wouldn’t work and frequency capping would have to change, but without personal data, RTB doesn’t even fall under the scope of GDPR anymore. “It’s a way that the majority of RTB can still happen,” Ryan said.

But RTB without targeting, why bother? said Brian O’Kelley, founder and former CEO of AppNexus.

“I’m calling BS – you can’t stop targeting and keep doing RTB,” O’Kelley said. “Making RTB untargetable kills it, and it’s not the right conversation to be having, it’s not an honest conversation.”

The more important issue isn’t what’s going to happen with RTB, he said, it’s finally figuring out how to gauge consumer choice and actually deliver on it.

“That has been the fight for 20 years now: Can you target me without my consent and, if so, how much?” O’Kelley said. “That is the real conversation and the mechanisms are secondary to that conversation.”

OK, but is RTB, one of those mechanisms, incompatible with GDPR?

“Yes,” said O’Kelley, who helped originate RTB when he was CTO at Right Media in the early 2000s. “I think it probably is.”