This paper discusses the troubled relationship between contemporary advertising technology (adtech) systems, in particular systems of real-time bidding (RTB, also known as programmatic advertising) underpinning much behavioural targeting on the web and through mobile applications. This paper analyses the extent to which practices of RTB are compatible with the requirements regarding (i) a legal basis for processing, transparency, and security in European data protection law. 

We first introduce the technologies at play through explaining and analysing the systems deployed online today. Following that, we turn to the law. Rather than analyse RTB against every provision of the General Data Protection Regulation (GDPR), we consider RTB in the context of the GDPR’s requirement of a legal basis for processing and the GDPR’s transparency and security requirements. We show, first, that the GDPR requires prior consent of the internet user for RTB, as other legal bases are not appropriate. Second, we show that it is difficult – and perhaps impossible – for website publishers and RTB companies to meet the GDPR’s transparency requirements. Third, RTB incentivises insecure data processing. 

We conclude that, in concept and in practice, RTB is structurally difficult to reconcile with European data protection law. Therefore, intervention by regulators is necessary.