Critical data protection problems in the IAB’s new OpenRTB 3.0 Spec

This note outlines how “OpenRTB 3.0”, the new programmatic / behavioural ad tech specification, causes a personal data breach that exposes marketers to severe legal risk. OpenRTB 3.0 will continue to leak personal data about what virtually every Internet user reads or watches online to a large number of companies, every single time a person loads a page.

Today, Brave writes to the IAB (an ad tech trade body) in response to IAB TechLab’s request for feedback on the beta version of OpenRTB 3.0. As we show in our letter below, OpenRTB 3.0 will leak personal data about what virtually every Internet user reads or watches online to a large number of companies, every single time a person loads a page.

OpenRTB 3.0 appears to severely infringe Article 5 of the General Data Protection Regulation, and all that flows from Article 5’s principles. As a result, it will expose marketers, vendors, and publishers to acute legal hazard.

We therefore urge the IAB to reconsider the OpenRTB 3.0 specification. Brave’s letter is below.

Interactive Advertising Bureau & Tech Lab
116 East 27th Street, 7th Floor
New York, New York 10016

4 September 2018

Dear colleague,

Re: feedback on the beta OpenRTB 3.0 specification 

The IAB has requested input on the beta OpenRTB 3.0 specification. This response sets out an acute concern about the lack of data protection in this specification.

The protection of personal data has been absent from previous OpenRTB specifications. It is a matter of concern to Internet users, and is also now of utmost commercial concern to marketers. This commercial concern arises from two facts.

First, as you will no doubt know, a recent ruling at the European Court of Justice, on 5 June (C‑210/16), indicates that marketers are directly exposed as “controllers” to legal risk from data protection infringements in data processing that they commission, or cause to be commissioned. The Court ruled that this applies even if the marketer never directly handles the personal data.

Second, under Article 82 (4) of the General Data Protection Regulation, a marketer may be exposed to the “entire damage” created by ad tech vendors that process personal data in the OpenRTB system, which infringes the Regulation. In other words, marketers are now liable for the misuse of personal data in the RTB system.

OpenRTB 3.0, and previous iterations of OpenRTB, causes an acute data protection problem. Every time a person loads a page on a website that uses OpenRTB 3.0 advertising, personal data about them are broadcast to tens – or hundreds – of companies in the OpenRTB bid request. These personal data include:[1]

  • Your IP address
  • What you are reading or watching
  • Your location
  • Description of your device, and ad tech companies’ unique IDs for you. (This will allow ad tech companies to try to reidentify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you.)
  • Data broker segment ID, if available. (This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.)[2]

These data are very likely to include “special categories”[3] of personal data, since they show what the person is watching and reading, and since the OpenRTB 3.0 specification enables the inclusion of data brokers’ segment IDs.[4]

A more complete summary of the personal data in bid requests is provided for your convenience in Appendix 1. Relevant excerpts from the OpenRTB AdCOM specification are provided in Appendix 2.

The broadcast of these personal data under OpenRTB is referred to as an “RTB bid request”. As with previous iterations of OpenRTB, this will be generally broadcast widely, since the objective is to solicit bids from companies that might want to show an ad to the person who has just loaded the webpage. An RTB bid request is broadcast on behalf of websites by companies known as “supply side platforms” (SSPs) and by “ad exchanges”.

Personal data are broadcast in bid requests to multiple Demand Side Partners (DSPs), which then decide whether to place bids for the opportunity to show an ad to the person in question. The DSP acts on behalf of a marketer, and decides when to bid based on the profile of the person that the marketer has instructed it to target. Sometimes, Data Management Platforms (DMPs), of which Cambridge Analytica is a notorious example, can perform a sync that contributes to their existing profiles of the person. It is worth noting that this sync would not be possible without the initial bid request.

RTB as presented in the OpenRTB 3.0 specification is a data protection free zone.

The overriding commercial incentive for many ad tech companies is to share as many data with as many partners as possible, and to share it with partner or parent companies that run data brokerages. Clearly, releasing personal data into such an environment has high risk.

Despite this high risk, the OpenRTB 3.0 specification establishes no control over what happens to these personal data once an SSP or ad exchange broadcasts a “bid request”. Even if bid request traffic is secure, there are no technical measures that prevent the recipient of a bid request from, for example, combining them with other data to create a profile, or from selling the data on. In other words, there is no data protection.

I note that IAB Europe’s own documentation on how such a broadcast of personal data could conform with European data protection law reveals the industry view: A company “may choose not to pass bid requests containing personal data to other vendors who do not have consent”.[5] In other words, once DSPs receive personal data they can freely trade these personal data with business partners however they wish. The distribution of a bid request creates this data protection-free zone.

In fact, this is very likely to be a data breach. The RTB bid request, including the data specified in the OpenRTB 3.0 specification, fits within the General Data Protection Regulation’s definition of “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.[6]

This is particularly egregious since the data concerned are very likely to be “special categories” of personal data, and since I believe that the industry concerned is aware of the shortcomings of this approach, and has continued to pursue it regardless.

In summary, the OpenRTB 3.0 specification will continue to leak details about what every person is reading or watching in a constant broadcast to a large number of companies. These personal data are not protected. This breach is continuous, happening on virtually every website, every single time a person loads a page.

Unless OpenRTB 3.0 is very radically altered, so that no personal data are contained in the bid request, it appears that it will be a severe infringement of Article 5 of the General Data Protection Regulation, and on all that flows from Article 5’s principles. This will put at risk the fundamental rights of virtually every person that uses the Internet in Europe. These rights are enshrined in and protected by the Charter of Fundamental Rights of the European Union. As a result, marketers, vendors, and publishers will be exposed to acute legal hazard.

We must therefore urge that you reconsider the OpenRTB 3.0 specification. So long as the bid request is permitted to contain personal data, and so long as these personal data are widely shared, OpenRTB will be a liability. The RTB system must not be allowed to continue as a data protection “wild west”.

Yours faithfully,

Dr Johnny Ryan FRHistS
Chief Policy & Industry Relations Officer


Appendix 1. What personal data are shared in RTB bid requests?

This summary list is incomplete. Other fields can contain personal data.[7]


  • The specific URL that a visitor is loading, which shows what they are reading or watching.


  • Operating system and version.
  • Browser software and version.
  • IP address.
  • Device manufacturer, model, and version.
  • Height of the screen.
  • Width of the screen.
  • Screen ratio.
  • Whether JavaScript is supported.
  • The version of Flash supported by the browser.
  • Language settings.
  • Carrier / ISP.
  • Type of connection, if mobile.
  • Network connection type.
  • Hardware device ID (hashed).
  • MAC address of the device (hashed).


  • An Ad Exchange’s unique personal identifier for the visitor to the website. (This may rotate, but the specification says that it “must be stable long enough to serve reasonably as the basis for frequency capping and retargeting.”[11])
  • Advertiser’s “buyeruid”, a unique personal identifier for the data subject.
  • The website visitor’s year of birth, if known.
  • The website visitor’s gender, if known.
  • The website visitor’s interests.
  • Additional data about the website visitor, if available from a data broker.[12] (These may include the “segment”[13] category previously decided by the data broker, based on the broker’s previous profiling of this particular person.)


  • Location latitude and longitude.
  • Zip/postal code. 
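
An added example, not part of Brave's letter or the IAB specification: a check that a publisher or SSP could run over the context of an outgoing bid request to list, and then strip, the categories of personal data summarised in this appendix. The attribute paths are this example's assumed mapping onto AdCOM 1.0 object names (site, device, user), and the sample request is constructed.

```python
import copy

# Assumed mapping (not from the page): the letter's categories -> AdCOM 1.0
# attribute paths under the request context (site / device / user objects).
PERSONAL_PATHS = {
    "content being read": ["site.page", "site.ref"],
    "ip address": ["device.ip", "device.ipv6"],
    "location": ["device.geo", "user.geo"],
    "device description": ["device.ua", "device.make", "device.model",
                           "device.os", "device.osv", "device.h", "device.w"],
    "identifiers": ["device.ifa", "user.id", "user.buyeruid"],
    "profile": ["user.yob", "user.gender", "user.keywords", "user.data"],
}

def _locate(obj, path):
    """Return (parent_dict, key) if the dotted path is present, else None."""
    *parents, leaf = path.split(".")
    for key in parents:
        obj = obj.get(key) if isinstance(obj, dict) else None
    if isinstance(obj, dict) and leaf in obj:
        return obj, leaf
    return None

def find_personal_data(context):
    """Map each category to the personal-data paths present in the context."""
    found = {}
    for category, paths in PERSONAL_PATHS.items():
        hits = [p for p in paths if _locate(context, p)]
        if hits:
            found[category] = hits
    return found

def minimise(context):
    """Return a copy of the context with every listed attribute removed."""
    out = copy.deepcopy(context)
    for paths in PERSONAL_PATHS.values():
        for p in paths:
            hit = _locate(out, p)
            if hit:
                del hit[0][hit[1]]
    return out

# Constructed sample context; all values are invented for illustration.
SAMPLE_CONTEXT = {
    "site": {"domain": "news.example",
             "page": "https://news.example/health/article-123"},
    "device": {"ua": "Mozilla/5.0 (constructed)", "ip": "192.0.2.10",
               "w": 1280, "h": 800, "geo": {"lat": 53.3, "lon": -6.2}},
    "user": {"id": "exch-abc", "buyeruid": "buyer-xyz", "yob": 1980,
             "data": [{"id": "broker-1", "segment": [{"id": "seg-42"}]}]},
}
```

`find_personal_data(SAMPLE_CONTEXT)` reports six categories for this sample, and `minimise(SAMPLE_CONTEXT)` leaves only the site domain.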


Appendix 2. Selected data tables from IAB specification documents

The following tables are copied from AdCOM specification v1, which is part of the OpenRTB 3.0 specification.[15] Only selected tables relevant to website bid requests are included here. URLs of the specific part of the specification from where the tables are taken are presented above each table.

Objects: user, site, segment, publisher, geo, device, data.

Links on this page were updated February 2022. The AdCOM Specification has been updated.


[1] “AdCOM Specification v1.0, Final”, IAB TechLab, 20 August 2021.
[2] See “Object: data” and “Object: segment” in ibid.
[3] “…revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation…”, in the General Data Protection Regulation, Article 9 (1).
[4] “Object: data” and “Object: segment” in “AdCOM Specification v1.0, Beta Draft”, IAB TechLab, 24 July 2018.
[5] “Transparency & Consent Framework, FAQ”, IAB Europe, 16 April 2018, p. 11.
[6] GDPR, Article 4, paragraph 12.
[7] For example, thirty eight of the data fields in the specification contain the phrase “optional vendor specific extensions”.
[8] “Object: site” in “AdCOM Specification v1.0, Beta Draft”, IAB TechLab, 24 July 2018.
[9] “Object: device” in ibid.
[10] “Object: device” in ibid.
[12] “Object: data” in ibid.
[13] “Object: segment” in ibid.
[14] “Object: device” in ibid.
