Brief for World Federation of Advertisers Digital Executive Group, December 2018
If it is useful to receive updates, sign up to my list for analysts, researchers, and regulators here https://brave.us18.list-manage.com/subscribe?u=e38d85b519352e2b40c9b899e&id=4384bd4cba
Brief for World Federation of Advertisers Digital Executive Group, December 2018
1. johnny@brave.com
@johnnyryan
If it is useful to receive updates, sign up to my list for
analysts, researchers, and regulators here
https://brave.us18.list-manage.com/subscribe?
u=e38d85b519352e2b40c9b899e&id=4384bd4cba
12. serve page
request page
request segment
deliver segment
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
13. serve page
request page
request segment
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
14. serve page
request page
request segment
cookie to SSP
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
15. serve page
request page
request segment
request bid
cookie to SSP
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
16. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
17. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver ad
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
18. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver ad
deliver segment
sync
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
19. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver ad
sync
deliver segment
sync
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange
20. Buyer SellerDistribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
Unique audience
commodified and
arbitraged. This
enables clickbait.
Extracts 70-55% of
buyer’s media budget.
70% figure from the Guardian and Rubicon
case in 2017. 55% figure from “The
Programmatic Supply Chain: Deconstructing
the Anatomy of a Programmatic CPM”, IAB,
March 2016.
Plenty of bot fraud.
27. French regulator caught it with
68 million illegal RTB records.
Example
Vectaury: a small DSP/DMP/
trading desk in France. €3.5M
annual turnover in 2017 (though
subsequently won a €20M
investment).
DSP
28.
29.
30. Is 68 million
just 30%?
Then this small company
was sent personal data
¼ BILLION times via RTB
(in just one year)
31. website.com
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
32. Ad server
website.com
Ad server
javascript
Step 1.
User requests
webpage
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
33. Ad server SSP
Step 2.
Ad server
selects an SSP
website.com
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
34. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
website.com
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
35. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
36. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
37. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
38. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Step 6.
Exchange serves
winning bid
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
39. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Agency
ad server
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
40. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
MARKETERS
website.com
AD
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Agency
ad server
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money
41. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
Step 9.
Agency ad server
loads verification
vendor
MARKETERS
website.com
AD
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Verification
javascript
Agency
ad server
Verification
vendor
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Channel of data leakage
Legend
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
Money
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
42. Personal data in bid requests
• The publisher.
• What you are reading or watching.
• Your exact location.
• Granular description of your device (exact system and browser versions,
exact screen resolution, and other technical details).
• Unique tracking IDs or a “cookie match” to allow advertising technology
companies to identify you the next time you are seen, so that a long-term profile
can be built of your browsing history, and perhaps be consolidated with offline
data about you.
• Your IP address (depending on the version of “real time bidding” system).
• Data broker segment ID, if available, that denote things like your income
bracket, age and gender, habits, etc. (depending on the version of bidding
system).
43.
44.
45. (f) processed in a manner that ensures appropriate
security of the personal data, including protection
against unauthorised or unlawful processing and
against accidental loss, destruction or damage,
using appropriate technical or organisational
measures (‘integrity and confidentiality’).
46.
47. THE FOCUS OF OUR
COMPLAINT IS ADTECH.
NOT MARKETERS OR
PUBLISHERS.
50. 1. RTB broadcasts personal data widely
in bid requests.
2. There is no control over what happens
to these data.
3. This infringes an essential principle of
the GDPR, as our submission
demonstrates.
Recap
53. ‘controller’ means the natural or legal person,
public authority, agency or other body which, alone
or jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are
determined by Union or Member State law, the
controller or the specific criteria for its nomination
may be provided for by Union or Member State law;
-GDPR, Article 4 (7)
56. Any controller involved in processing shall be liable
for the damage caused by processing which
infringes this Regulation. A processor shall be liable
for the damage caused by processing only where it
has not complied with obligations of this Regulation
specifically directed to processors or where it has
acted outside or contrary to lawful instructions of
the controller.
-GDPR, Article 82 (2)
57.
58.
59. Data protection-free zone*
PublishersSSPsDSPDMPMarketer Ad Exchanges
A
Agency
Personal data are widely broadcast
in “RTB” bid requests
Shared liability under GDPR Article 82
Legend
Money Channel of data leakage
$
MARKETER RISK
FROM PROGRAMMATIC
ADVERTISING
*and takes 70-55% of the media budget!
62. Personal data in bid requests
• The publisher
• What you are reading or watching
• Your exact location
• Granular description of your device
• Unique tracking IDs / cookie match
• Your IP address*
• Data broker segment ID* when available
*Depending on the version of “real time bidding” system
63. Personal data in bid requests
• The publisher
• What you are reading or watching
• Your exact location
• Granular description of your device
• Unique tracking IDs / cookie match
• Your IP address*
• Data broker segment ID* when available
*Depending on the version of “real time bidding” system
64. • The publisher
• What you are reading or watching
• Your approximate location
• General description of your device
• Your approximate IP address
Non-Personal data in bid requests
Person is in Shoreditch in London, UK.
Reading an article about electric vehicles
on TechCrunch. Using Safari on a Mac.
66. Powerful but private
profiles.
Brave’s opt-in profile learns from
everything you read, watch, and do.
And because your device makes the
targeting decisions, no profile data
ever leave your device.
67. Campaign
• Order via self-serve ad platform (SSP)
• Daily ad catalog update is pushed to all devices
• Each device selects ads for its individual user, based
on intimate profile data secured on the device
Reporting
• Blind certificates are generated & anonymously tallied
• Performance tracked on the BAT dashboard
• Data verifiable on the blockchain
70. Fossil Fuel Renewable Energy
N20
C02
Regulatory incentive
CLEAN INDUSTRY
Regulatory disincentive
DIRTY INDUSTRY
71. Ads (Ethical Data)Ads (Conventional Data)
Regulatory incentive
CLEAN INDUSTRY
Regulatory disincentive
DIRTY INDUSTRY
Personal data Non-personal data
Fossil Fuel Renewable Energy
N20
C02
72. Ads (Ethical Data)Ads (Conventional Data)
Ads (Ethical Data)
Personal data
(protected & lawful)
//
+
Classic Cars
+
Regulatory incentive
CLEAN INDUSTRY
Regulatory disincentive
DIRTY INDUSTRY
Fossil Fuel Renewable Energy
N20
C02
Personal data Non-personal data
73. Buyer Seller
Extracts 70-55% of
buyer’s media budget.
Distribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
Unique audience
commodified and
arbitraged. This also
creates clickbait sites.
70% figure from the Guardian and Rubicon
case in 2017. 55% figure from “The
Programmatic Supply Chain: Deconstructing
the Anatomy of a Programmatic CPM”, IAB,
March 2016.
Plenty of bot fraud.
Regulatory disincentive
DIRTY INDUSTRY
74. Buyer Seller
Extracts much lower%
of buyer’s media budget
(currently 70-55%).
Distribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
Unique audience
become immune to
commodification and
arbitrage. No
opportunity for
clickbait.
Bot fraud opportunity
reduced.
Regulatory incentive
CLEAN INDUSTRY
75. The submission to regulators
1. RTB broadcasts personal data widely in bid requests.
2. There is no control over what happens to these data.
3. This infringes an essential principle of the GDPR.
Additional observations
1. Bad news: marketers at risk from adtech.
2. Good news: regulators will push for clean tech.
3. Clean tech: model 1 is RTB with non personal data,
model 2 is intimate profiling on the device (Brave).
Summary
76. johnny@brave.com
@johnnyryan
If it is useful to receive updates, sign up to my list for
analysts, researchers, and regulators here
https://brave.us18.list-manage.com/subscribe?
u=e38d85b519352e2b40c9b899e&id=4384bd4cba