UCL Faculty of Laws


Adtech and Real-Time Bidding under European Data Protection Law

By Dr Michael Veale (Associate Professor at UCL Laws) and Professor Frederik Zuiderveen Borgesius (Professor at Radboud University)

A person using their phone to connect to wifi

23 March 2022

Publication details

Veale, Michael and Zuiderveen Borgesius, Frederik (2022) 'Adtech and Real-Time Bidding under European Data Protection Law', German Law Journal, 23(2), 226-256. 10.1017/glj.2022.18.


This article discusses the troubled relationship between contemporary advertising technology (adtech) systems, in particular systems of real-time bidding (RTB, also known as programmatic advertising) underpinning much behavioral targeting on the web and through mobile applications. This article analyses the extent to which practices of RTB are compatible with the requirements regarding a legal basis for processing, transparency, and security in European data protection law. We first introduce the technologies at play through explaining and analysing the systems deployed online today. Following that, we turn to the law. Rather than analyze RTB against every provision of the General Data Protection Regulation (GDPR), we consider RTB in the context of the GDPR’s requirement of a legal basis for processing and the GDPR’s transparency and security requirements. We show, first, that the GDPR requires prior consent of the internet user for RTB, as other legal bases are not appropriate. Second, we show that it is difficult—and perhaps impossible—for website publishers and RTB companies to meet the GDPR’s transparency requirements. Third, RTB incentivises insecure data processing. We conclude that, in concept and in practice, RTB is structurally difficult to reconcile with European data protection law. Therefore, intervention by regulators is necessary. 

Image credit: © UCL Digital Media