Most of us will be familiar with the experience of being followed around the internet by adverts for an item we’ve searched for, or absent-mindedly lingered over, online. What’s behind this? The answer is adtech, specifically “real-time bidding” and “programmatic advertising”. Although not familiar terms to the average internet user, these systems shape our online experience, with wide-reaching implications for the security of our personal data.

Adtech is the collective term for a set of digital tools used to deliver targeted advertising to consumers. Unlike traditional advertising media such as billboards or television adverts, which offer limited scope to direct content towards a particular audience, adtech gathers data from online activity to build a detailed profile of the target customer. This profile is then shared, via real-time auctions or exchange platforms, with bidders seeking to buy digital advertising space. Programmatic advertising eliminates human intervention, instead using software to place automated bids.

Commercially powerful and extremely complex, adtech is continuing to revolutionise the advertising industry. Adtech providers argue that there is merit in freeing the consumer from intrusive, irrelevant adverts. Research carried out on behalf of the Information Commissioner’s Office (ICO) shows that the majority of internet users accept seeing some advertising in exchange for access to free-to-use websites.

However, adtech is fundamentally data-driven and therefore brings with it data protection responsibilities for advertisers, publishers and intermediary platforms. It involves the gathering, sharing and use of significant amounts of personal data – from browsing history and location, to purchasing habits and interests – among multiple participants and through multiple layers. It relies on sophisticated technology that is not easily explained to consumers to enable them to give their informed consent to the processing of their data.

Since the GDPR came into force last May, European data regulators have shown a keen interest in adtech. In late 2018, the French data protection authority (CNIL) issued a compliance notice to mobile adtech provider Vectaury on the basis that it had not sought proper consent to gather and process consumers’ geolocation data for targeted advertising purposes. Earlier this year, the ICO hosted an Adtech Fact-Finding Forum, inviting industry stakeholders to discuss three key data protection themes in the adtech context: transparency, security and the lawful basis for processing personal data.

This trend of increasing regulatory vigilance is likely to endure, but there will no doubt be further legal and regulatory challenges to address as adtech continues to evolve.