Wiki · Concept · Last reviewed June 19, 2026

Real-Time Bidding

Real-time bidding is the programmatic advertising process that auctions a single ad impression while a page, app, video, or connected-TV placement is loading. The governance issue is not only which ad wins. It is the bidstream: context, device, identifier, location, consent, and audience signals that can be sent to advertising intermediaries, data brokers, and bidders before any person sees the resulting ad.

Definition

Real-time bidding, or RTB, is a form of programmatic advertising in which an ad opportunity is offered to multiple bidders through an automated auction, usually during the milliseconds between a user requesting content and the ad slot being filled. A publisher, app, or platform creates an ad opportunity. A supply-side platform or ad exchange packages a bid request. Demand-side platforms, advertisers, data providers, and verification services evaluate the request and decide whether and how much to bid. The winning ad is returned to the page or app.

The privacy issue is that the bid request can itself be a data disclosure. The ad seen by the user may come from one winning bidder, but the request can travel to many losing bidders and intermediaries. Depending on implementation, it may include page or app context, device information, coarse or precise location, user or household identifiers, advertising IDs, IP-derived signals, publisher IDs, content categories, consent strings, audience segments, and other data used for targeting, pricing, fraud detection, frequency capping, measurement, and attribution.

RTB should not be treated as a synonym for all online advertising. Some ads are contextual, direct-sold, private-marketplace, clean-room-mediated, or served inside a first-party platform. RTB is the auction-and-bidstream pattern where the decision about one impression is made by distributed software at request time.

Snapshot

How It Works

A typical RTB transaction begins when a user opens a page, app, video stream, or other ad-supported surface. The publisher's ad server or supply-side platform identifies an available placement, creates a bid request, and sends it to an exchange or bidders. The bid request describes the impression, the ad slot, the content or app environment, the device, regulatory flags, and any user or audience information the seller makes available.

Demand-side systems then apply budget rules, targeting rules, machine-learning models, brand-safety filters, fraud scores, frequency caps, and expected-value estimates. They may return bids and creatives, pass without bidding, or participate through a private marketplace or deal ID. The exchange selects a winner under the auction rules and returns the winning ad or markup. After the impression, additional notices, pixels, logs, and attribution events may flow through the same supply chain.

IAB Tech Lab's OpenRTB specification is one widely used technical standard for these exchanges. It defines bid request objects for impressions, sites, apps, devices, users, regulations, content, segments, and extensions. The existence of a standard does not mean that every deployment uses the same fields, that every data flow is lawful, or that all recipients are equally visible to the person whose attention is being auctioned.

Bidstream Data

"Bidstream data" is the operational exhaust of RTB: the data included in bid requests, bid responses, win and loss notices, auction logs, measurement events, and related ad-tech telemetry. It can be useful for ordinary ad delivery, fraud control, measurement, and billing. It can also become a shadow data source for location intelligence, identity graphs, audience enrichment, model training, and profiling outside the immediate ad transaction.

In OpenRTB-style requests, a site object may include domain, page URL, content categories, referrer, publisher, and content information. An app object may include app name, bundle, store URL, publisher, and category. A device object can include user agent, operating system, model, connection type, language, advertising identifier, and location-related fields. A user object or data object can include exchange IDs, buyer IDs, segments, and data-provider attributes. Some fields are optional, some are exchange-specific, and some are represented through extensions.

The legal and safety significance depends on linkability and context. A page URL about a medical condition, a location trace near a clinic or place of worship, a political-news segment, an app bundle, or a persistent mobile advertising ID can be sensitive even when no real name is present. A consent string or pseudonymous identifier can still be personal data if it can be linked to an identifiable person or profile.

Current Context

As of June 19, 2026, RTB sits under overlapping privacy, consumer-protection, competition, and platform-governance regimes rather than one dedicated "RTB law." The UK Information Commissioner's 2019 adtech update remains a key regulator source because it identified recurring RTB concerns around transparency, consent, special-category data, lawful basis, security, and data-protection impact assessments.

European law has sharpened the consent-infrastructure question. In March 2024, the Court of Justice of the European Union held in Case C-604/22 that an IAB Europe Transparency and Consent String can constitute personal data when associated with an identifier and that IAB Europe may be a joint controller for the processing of users' consent preferences within the Transparency and Consent Framework, subject to the national court's verification. Belgian DPA materials later described the Market Court as confirming the personal-data and joint-controller findings for TCF user-preference processing while rejecting a broader conclusion that IAB Europe controls processing entirely within the OpenRTB protocol.

The EU Digital Services Act adds platform-level advertising duties. Online platforms must label ads and provide meaningful information about why a recipient sees an ad. Very large online platforms and search engines must maintain ad repositories. The DSA also restricts targeted advertising based on sensitive categories and bans profiling-based targeted advertising to minors where the provider knows with reasonable certainty that the recipient is a minor.

In the United States, RTB appears more often through consumer-protection and data-broker enforcement than through a comprehensive privacy statute. In January 2025, the Federal Trade Commission finalized an order against Mobilewalla that, among other restrictions, bans collecting consumer data from online RTB advertising exchanges for purposes other than participating in those auctions. FTC surveillance-pricing work also treats ad-tech and data-broker infrastructures as possible inputs to individualized prices, discounts, and offers.

Identifier practices continue to shift through browser controls, mobile advertising ID policies, first-party data strategies, clean rooms, contextual advertising, private marketplaces, and seller-defined audience systems. Those shifts can reduce some third-party tracking, but they do not remove the governance question. A smaller bidstream can still be sensitive, and a first-party or clean-room system can still enable cross-context profiling if purpose boundaries, consent, and deletion do not hold.

AI Relevance

AI makes RTB more powerful because models can turn weak signals into audience predictions, bid valuations, creative variants, fraud scores, propensity scores, and inferred vulnerabilities. A system does not need a declared trait if it can infer a likely trait from page context, app use, location, device behavior, prior ad responses, and brokered data.

RTB data can enter AI systems as training data, retrieval context, evaluation data, feature-store input, targeting data, attribution data, or reinforcement signal for bidding strategies. Generative AI also changes the creative side: a campaign can generate many variants and test them against narrow audiences, then feed performance signals back into audience and bidding models.

The same infrastructure can support non-ad uses. Bidstream-derived location data, identity graphs, and audience categories can be repurposed for lead scoring, political persuasion, surveillance pricing, fraud systems, eligibility ranking, or government procurement. That makes data minimization, AI data provenance, and AI data retention central to RTB governance.

AI assistants and agentic commerce add another frontier. If ads, sponsored answers, product recommendations, or shopping agents are informed by RTB-style profiles, users may experience a helpful interface while the underlying system still optimizes for a bidder, advertiser, broker, or platform. Governance has to distinguish user-held preferences from advertiser-held prediction products.

Governance and Safety

A defensible RTB governance program begins with an evidence map. For each ad surface, record the ad-tech vendors involved, bid request fields, recipient categories, legal basis, consent signal, sensitive-field filters, children and teen protections, retention period, deletion path, cross-border transfers, and whether losing bidders or downstream vendors can keep logs.

Technical controls should happen before broadcast. Suppress or truncate precise location unless strictly necessary. Remove sensitive URLs, app categories, content labels, and search terms. Avoid sending persistent identifiers where contextual or cohort-level signals are enough. Use purpose-specific IDs, frequency caps, and retention windows instead of durable identity graphs. Keep consent strings and regulatory flags accurate, but do not treat a consent string as proof that every downstream use is lawful.

Contracts matter, but they are not sufficient. Publishers, platforms, and advertisers should require recipient lists, use restrictions, audit rights, retention limits, deletion duties, no-brokerage clauses, no-model-training clauses where appropriate, and incident reporting. Those promises should be testable against logs and vendor behavior. A supply-path optimization report or industry certification is not a substitute for knowing what data was sent to which party.

High-risk contexts need stronger defaults: health, finance, employment, housing, education, political content, religion, sexuality, children, crisis support, immigration, law enforcement, and spiritual or community testimony. In those contexts, RTB-style broadcast should be treated as a presumptively risky design choice, not a neutral monetization setting.

Public-interest governance also includes transparency. DSA ad repositories, platform ad libraries, consent logs, data-protection impact assessments, vendor registers, and regulator access can help researchers and civil society test claims about targeting, discrimination, election influence, and dark patterns. These records are incomplete, but without them the auction remains invisible.

Risk Pattern

Bidstream leakage. Data can reach parties that never win the auction and never appear to the user.

Context collapse. A page view, app session, or location signal produced for content access becomes evidence for advertising, pricing, scoring, or brokerage.

Sensitive inference. Health, religion, sexuality, union activity, politics, financial stress, or vulnerability can be inferred from content, location, app, and behavior signals.

Consent laundering. A consent string, cookie banner, or framework membership can be mistaken for proof that all downstream processing is lawful, understood, and limited.

Audience invisibility. People may not know what segment they were placed in, who received it, why an ad appeared, or how to contest the profile.

Discriminatory steering. Targeting and bidding systems can exclude people from offers, information, housing, employment, credit, or political messages without a visible denial.

Repurposing. Logs built for ad auctions can become data-broker products, model features, location intelligence, government leads, or surveillance-pricing inputs.

Deletion ambiguity. Bidstream records may persist in exchange logs, bidder logs, data-provider logs, measurement systems, backups, model features, suppression lists, and derived audiences.

Source Discipline

Claims about RTB should separate technical standards, actual implementation, regulator findings, court judgments, vendor marketing, civil-society complaints, and enforcement orders. OpenRTB explains a protocol. It does not prove that a particular exchange sends every field, that recipients comply with law, or that consent is valid.

Legal claims require jurisdiction and date. ICO materials are UK regulator analysis. CJEU and Belgian proceedings concern GDPR concepts around the Transparency and Consent Framework and TC Strings. The DSA applies to covered online intermediaries and platforms in the EU, with additional duties for very large platforms and search engines. FTC orders bind named parties and do not create a general U.S. RTB statute.

Use precise language for data categories. "Anonymous bidstream data" is often too broad unless the source proves non-linkability in context. A mobile advertising ID, cookie ID, IP-associated consent string, precise geolocation, page URL, app bundle, or segment can be personal or sensitive even without a legal name.

For AI claims, identify the path from ad-tech data to model behavior. Audience modeling, dynamic creative generation, bidding optimization, price personalization, and fraud detection are different uses. Evidence about one should not be used to imply all others unless the source documents the shared pipeline.

Spiralist Reading

For Spiralism, real-time bidding is the market form of attention surveillance: the moment of seeing becomes a moment of being sorted, priced, and offered to institutions the viewer may never know.

The problem is not merely that an advertisement appears. It is that a visit can become an event in a hidden market, and the market can learn from the traces it creates. A person reads a page. A machine asks who that person might be worth. The answer can outlive the page.

The Spiralist response is governed attention: minimize the data, expose the auction, limit the recipients, preserve refusal, and refuse to treat every act of looking as a license to profile.

Open Questions

Privacy and Advertising

AI and Platform Systems

Governance

Sources


Return to Wiki