Brief for World Federation of Advertisers Digital Executive Group, December 2018 If it is useful to receive updates, sign up to my list for analysts, researchers, and regulators here https://brave.us18.list-manage.com/subscribe?u=e38d85b519352e2b40c9b899e&id=4384bd4cba

1. johnny@brave.com
@johnnyryan
If it is useful to receive updates, sign up to my list for
analysts, researchers, and regulators here
https://brave.us18.list-manage.com/subscribe?
u=e38d85b519352e2b40c9b899e&id=4384bd4cba

3. DATA PROTECTION
& THE RTB DATA
PROTECTION FREE
ZONE
Dr Johnny Ryan @johnnyryan

4. How RTB/
programatic works

5. “Behavioural” ad targeting &
“programmatic” trading.
(This jargon means: automatic auctions for the right
people’s attention)

6. ///
Visitor Site Marketer
$

7. ///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

8. store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

9. request segment
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

10. request segment
deliver segment
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

11. request page
request segment
deliver segment
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

12. serve page
request page
request segment
deliver segment
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

13. serve page
request page
request segment
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

14. serve page
request page
request segment
cookie to SSP
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

15. serve page
request page
request segment
request bid
cookie to SSP
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

16. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

17. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver ad
deliver segment
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

18. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver ad
deliver segment
sync
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

19. serve page
request page
request bid
request segment
request bid
cookie to SSP
deliver ad
sync
deliver segment
sync
ad request
store data
///
Visitor Site SSP DSP DMP Marketer
$
“Demand side”“Supply side”
Ad Exchange

20. Buyer SellerDistribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
Unique audience
commodified and
arbitraged. This
enables clickbait.
Extracts 70-55% of
buyer’s media budget.
70% figure from the Guardian and Rubicon
case in 2017. 55% figure from “The
Programmatic Supply Chain: Deconstructing
the Anatomy of a Programmatic CPM”, IAB,
March 2016.
Plenty of bot fraud.

21. The Daily Bugle

22. The Daily Bugle
ExchangeExchange
Exchange
Exchange

23. The Daily Bugle
ExchangeExchange
Exchange
Exchange
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSPDSP
DSP DSP
DSP

24. The Daily Bugle
ExchangeExchange
Exchange
Exchange
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSPDSP
DSP DSP
DSP
ADVERTISEMENT

25. ?
?
The Daily Bugle
ExchangeExchange
Exchange
Exchange
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSPDSP
DSP DSP
DSP
?
?
?
?
ADVERTISEMENT
?

26. ?
?
The Daily Bugle
ExchangeExchange
Exchange
Exchange
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSPDSP
DSP DSP
DSP
?
?
?
?
ADVERTISEMENT
?

27. French regulator caught it with
68 million illegal RTB records.
Example
Vectaury: a small DSP/DMP/
trading desk in France. €3.5M
annual turnover in 2017 (though
subsequently won a €20M
investment).
DSP

30. Is 68 million
just 30%?
Then this small company
was sent personal data
¼ BILLION times via RTB
(in just one year)

31. website.com
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

32. Ad server
website.com
Ad server
javascript
Step 1.
User requests
webpage
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

33. Ad server SSP
Step 2.
Ad server
selects an SSP
website.com
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

34. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
website.com
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

35. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

36. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

37. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

38. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Step 6.
Exchange serves
winning bid
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

39. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
MARKETERS
website.com
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Agency
ad server
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

40. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
MARKETERS
website.com
AD
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Agency
ad server
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING
Channel of data leakage
Legend
Money

41. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
Step 9.
Agency ad server
loads verification
vendor
MARKETERS
website.com
AD
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
Winningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Verification
javascript
Agency
ad server
Verification
vendor
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Channel of data leakage
Legend
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
Money
This is the current process of
real-time bidding that is used
in online behavioural
advertising.
DATA LEAKAGE
IN ONLINE
ADVERTISING

42. Personal data in bid requests
• The publisher.
• What you are reading or watching.
• Your exact location.
• Granular description of your device (exact system and browser versions,
exact screen resolution, and other technical details).
• Unique tracking IDs or a “cookie match” to allow advertising technology
companies to identify you the next time you are seen, so that a long-term profile
can be built of your browsing history, and perhaps be consolidated with offline
data about you.
• Your IP address (depending on the version of “real time bidding” system).
• Data broker segment ID, if available, that denote things like your income
bracket, age and gender, habits, etc. (depending on the version of bidding
system).

45. (f) processed in a manner that ensures appropriate
security of the personal data, including protection
against unauthorised or unlawful processing and
against accidental loss, destruction or damage,
using appropriate technical or organisational
measures (‘integrity and confidentiality’).

47. THE FOCUS OF OUR
COMPLAINT IS ADTECH.
NOT MARKETERS OR
PUBLISHERS.

48. Evidence example: Open RTB specification

50. 1. RTB broadcasts personal data widely
in bid requests.
2. There is no control over what happens
to these data.
3. This infringes an essential principle of
the GDPR, as our submission
demonstrates.
Recap

51. NEXT

52. Current Risks

53. ‘controller’ means the natural or legal person,
public authority, agency or other body which, alone
or jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are
determined by Union or Member State law, the
controller or the specific criteria for its nomination
may be provided for by Union or Member State law;
-GDPR, Article 4 (7)

54. European Court of Justice
5 JUNE 2018

56. Any controller involved in processing shall be liable
for the damage caused by processing which
infringes this Regulation. A processor shall be liable
for the damage caused by processing only where it
has not complied with obligations of this Regulation
specifically directed to processors or where it has
acted outside or contrary to lawful instructions of
the controller.
-GDPR, Article 82 (2)

59. Data protection-free zone*
PublishersSSPsDSPDMPMarketer Ad Exchanges
A
Agency
Personal data are widely broadcast
in “RTB” bid requests
Shared liability under GDPR Article 82
Legend
Money Channel of data leakage
$
MARKETER RISK
FROM PROGRAMMATIC
ADVERTISING
*and takes 70-55% of the media budget!

60. “CLEAN TECH”

61. Model 1

62. Personal data in bid requests
• The publisher
• What you are reading or watching
• Your exact location
• Granular description of your device
• Unique tracking IDs / cookie match
• Your IP address*
• Data broker segment ID* when available
*Depending on the version of “real time bidding” system

63. Personal data in bid requests
• The publisher
• What you are reading or watching
• Your exact location
• Granular description of your device
• Unique tracking IDs / cookie match
• Your IP address*
• Data broker segment ID* when available
*Depending on the version of “real time bidding” system

64. • The publisher
• What you are reading or watching
• Your approximate location
• General description of your device
• Your approximate IP address
Non-Personal data in bid requests
Person is in Shoreditch in London, UK.
Reading an article about electric vehicles
on TechCrunch. Using Safari on a Mac.

65. Model 2
*The Brave Model
*

66. Powerful but private
profiles.
Brave’s opt-in profile learns from
everything you read, watch, and do.
And because your device makes the
targeting decisions, no profile data
ever leave your device.

67. Campaign
• Order via self-serve ad platform (SSP)
• Daily ad catalog update is pushed to all devices
• Each device selects ads for its individual user, based
on intimate profile data secured on the device
Reporting
• Blind certificates are generated & anonymously tallied
• Performance tracked on the BAT dashboard
• Data verifiable on the blockchain

68. 1.7M
Jan ‘18
2.1M
Apr ‘18
3.8M
Jul ‘18
1M
Oct ‘17
4.8M
Oct ‘18
5M
Now
Brave Monthly Active Users
5x in the last
12 months

69. Future Market

70. Fossil Fuel Renewable Energy
N20
C02
Regulatory incentive
CLEAN INDUSTRY
Regulatory disincentive
DIRTY INDUSTRY

71. Ads (Ethical Data)Ads (Conventional Data)
Regulatory incentive
CLEAN INDUSTRY
Regulatory disincentive
DIRTY INDUSTRY
Personal data Non-personal data
Fossil Fuel Renewable Energy
N20
C02

72. Ads (Ethical Data)Ads (Conventional Data)
Ads (Ethical Data)
Personal data
(protected & lawful)
//
+
Classic Cars
+
Regulatory incentive
CLEAN INDUSTRY
Regulatory disincentive
DIRTY INDUSTRY
Fossil Fuel Renewable Energy
N20
C02
Personal data Non-personal data

73. Buyer Seller
Extracts 70-55% of
buyer’s media budget.
Distribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
Unique audience
commodified and
arbitraged. This also
creates clickbait sites.
70% figure from the Guardian and Rubicon
case in 2017. 55% figure from “The
Programmatic Supply Chain: Deconstructing
the Anatomy of a Programmatic CPM”, IAB,
March 2016.
Plenty of bot fraud.
Regulatory disincentive
DIRTY INDUSTRY

74. Buyer Seller
Extracts much lower%
of buyer’s media budget
(currently 70-55%).
Distribution
Marketer
$ DMP DSP Ad Exchange SSP
Site
Unique audience
become immune to
commodification and
arbitrage. No
opportunity for
clickbait.
Bot fraud opportunity
reduced.
Regulatory incentive
CLEAN INDUSTRY

75. The submission to regulators
1. RTB broadcasts personal data widely in bid requests.
2. There is no control over what happens to these data.
3. This infringes an essential principle of the GDPR.
Additional observations
1. Bad news: marketers at risk from adtech.
2. Good news: regulators will push for clean tech.
3. Clean tech: model 1 is RTB with non personal data,
model 2 is intimate profiling on the device (Brave).
Summary

76. johnny@brave.com
@johnnyryan
If it is useful to receive updates, sign up to my list for
analysts, researchers, and regulators here
https://brave.us18.list-manage.com/subscribe?
u=e38d85b519352e2b40c9b899e&id=4384bd4cba

77. BONUS SLIDES

78. ENGAGE DIRECTLY WITH PUBLISHER
GROUPS (WITHOUT THE IAB/ADTECH
BEING INVOLVED!)
Advertisers
$Publishers ADTECH

79. ENGAGE DIRECTLY WITH PUBLISHER
GROUPS (WITHOUT THE IAB/ADTECH
BEING INVOLVED!)
Advertisers
$Publishers

80. Advertisers
$Publishers
TOGETHER, PUBLISHER AND
ADVERTISER GROUPS NEED TO
DECIDE WHAT THE INDUSTRY
APPROACH TO DATA IS GOING TO BE.

81. Advertisers
$Publishers Supervisory
Authorities
THEN INVOLVE REGULATORS TO
TEST THE APPROACH YOU
DEVELOPED WITH PUBLISHERS.

82. Advertisers
$Publishers Supervisory
Authorities
THESE THREE KEY PLAYERS MUST
BE THE ONES THAT DEFINE THE
INDUSTRY’S APPROACH TO DATA.

83. Supervisory
Authorities
Advertisers
$Publishers ADTECH
FINALLY, TELL ADTECH WHAT THE
INDUSTRY APPROACH IS.
(ADTECH IS YOUR TOOL)