New in CRi

Privacy Litigation Against Real-Time Bidding (Herbrich/Niekrenz, CRi 2021, 129)

Real-​time bidding is the world’s most widespread fully automated sales system for online ad space and, at the same time, a prime example of data-​driven online marketing. The first part of this article intends to explain how real-​time bidding functions at the technical level (section B.). The second part presents the frequently expressed concerns about the substantive legality of real-​time bidding (section C.) and explains hitherto fruitless attempts by authorities at law enforcement (section D.I.). The article concludes by highlighting the possibilities and limits of privacy litigation through civil action against real-​time bidding (section D.II.).

Data-​driven online marketing: Enforcing the GDPR by protecting the rights of individuals under civil law

Table of contents:

A. Introduction: Economic Significance and Political Developments

B. Real-Time Bidding: Functionality and Technical Standards

I. How Real-Time Bidding Works

II. Stakeholders

III. Real-Time Bidding Process

IV. Technical Standards

1. OpenRTB

2. Google Marketing Platform

C. Problem Areas in Real-Time Bidding

I. Security of Processing, Art. 5(1), Art. 32 GDPR

II. Legal Bases

III. Special Category Data under Art. 9 GDPR

IV. Information Obligations

D. Enforcement

I. Public Enforcement: The path via the Authorities

II. Privacy Litigation Against Real-Time Bidding

1. Diffusion of Responsibility

2. Preliminary Procedural Considerations

a) Burden of Proof

b) Subject Access Requests for the Purpose of Discovery

3. Class Actions: A Lifeline for Enforcement?

a) Overview of Pending Proceedings Involving Real-Time Bidding

b) Non-Profit Collective Actions

c) For-Profit Litigation

d) New Deal for Consumers

E. Conclusion




"A. Intro­duction: Economic Signi­fi­cance and Political Develop­ments


Real-time bidding, a complex system for the automated display of perso­na­lised ads, dominates the online adver­tising market outside of walled gardens.1 At the same time, real-time bidding enables the almost seamless tracking, across websites and apps, of internet users worldwide – and by a vast number of companies involved.


It is not easy to put an exact figure on the turnover generated through real-time bidding. According to IAB Europe, €69.4 billion was spent on online adver­tising in Europe in 2020,2 and 50.6 % of display adver­tising was program­matic.3 In the US, the share of program­matic ad space was much higher in 2020, at 85 % (of $108.9 billion).4 In 2019, €6.7 billion was spent via just one of two industry standards for real-time bidding: IAB TechLab’s OpenRTB protocol (cf. point. B.IV.1.).5


However, efforts are incre­asing on a number of fronts to regulate the business model more strongly and to enforce existing rules.


The future Digital Services Act, which is intended to regulate the legal status of online platforms, is currently being debated in the EU Parliament.6 A cross-party group of EU parlia­men­ta­rians have called for a far-reaching ban on tracking-based online adver­tising.7 In a statement on the EU Commission’s proposal for the Digital Services Act, the European Data Protection Super­visor has also called for “a phase-out leading to a prohi­bition of targeted adver­tising on the basis of pervasive tracking”8.


Most recently, attention has shifted to security concerns over data transfers in the auctioning of online ad space. In a letter issued in March 2021, a group of US senators – from both, the Democratic and Republican side of the aisle – addressed questions to the CEOs of several operators of adver­tising exchanges to request details of data transfers abroad.9 They fear that trans­ferred bid stream data could be used against the US by foreign intel­li­gence agencies.10


In the last 12 months, several class actions for damages have been filed, among others against Oracle and Sales­force in the United Kingdom and the Nether­lands as well as against Google in the US (cf. point D.II.3.a.).


The industry itself has also recently come up with initia­tives to suppo­sedly improve data protection, including a possible move away from third-party cookies as well as the intro­duction of the Privacy Sandbox by Google or Apple’s App Tracking Trans­pa­rency framework.11 The Google Chrome Browser’s “Incognito mode” or the “Private browsing” option on iOS, for example, partially prevent cookies from being stored in the browser, but do not stop tracking by other techno­logies such as browser finger­printing. A class action lawsuit is currently pending in the US because of user tracking despite “Incognito mode” in Google Chrome. A motion to dismiss the case was rejected in the spring of this year.12


B. Real-Time Bidding: Functio­nality and Technical Standards


I. How Real-Time Bidding Works


The basis for audience-specific targeting or for the ability to recognise a user’s device, especially the individual browsers on users’ devices, is the recording of usage behaviour by means of cookies13 or similar tracking techno­logies, e.g. browser finger­printing.14 Whereas cookies are small files stored in the user’s browser, browser finger­printing describes methods to identify a user’s browser by means of the graphical, system and other properties.15 In this context, access to or storage of device infor­mation can take place both on the (…)"

Continue reading in juris PartnerModul IT-Recht

Verlag Dr. Otto Schmidt vom 13.11.2021 15:35

zurück zur vorherigen Seite