Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Real-time bidding has revolutionized digital advertising. It drives efficiency, personalization and scale across the open internet. Yet the very features that have made real-time bidding powerful have also brought it under regulatory scrutiny.
Real-time bidding is an advertising auction system that operates in the milliseconds it takes for a website or app to load. However, unlike a typical auction, where a winning bidder walks away with a product, real-time bidding leaves every participant holding something: your data.
This includes IP addresses, device type, geolocation — down to a few meters — a unique advertising ID, browsing behavior, and often inferred sensitive characteristics like political interests, health conditions or sexual orientation. These data points — known collectively as bidstream data — are shared with dozens, sometimes hundreds, of companies in a single transaction. Each time an ad loads, this entire process repeats. It happens billions of times per day.
Real-time bidding was built for performance. However, as new regulations and enforcement actions emerge, the industry is being asked to examine both how it operates and the responsibilities that come with it.
Real-time bidding 101: How it works and why it's ubiquitous
Real-time bidding is a programmatic advertising process where advertisers bid in real time for the opportunity to display an ad to a user. In the milliseconds after a user visits a website or opens an app, the platform — a publisher — signals to an advertising exchange that it has an available ad impression, which triggers a bid request containing a rich dataset known as bidstream data.
This data includes device identifiers like mobile ad IDs, IP address, browser type, location data — often at precise, GPS-level granularity — and browsing behavior. The bidstream data is sent to dozens, sometimes hundreds, of demand side platforms, each representing an advertiser.
Demand side platforms assess the value of targeting that user and submit bids. The highest bidder wins, and their ad is shown.
It has been documented that even demand side platforms that don't win the auction may retain access to the bidstream data. The broadcast happens in milliseconds, and this process repeats across the open web continuously.
In January 2024, the U.S. Federal Trade Commission filed enforcement actions against two data brokers — Mobilewalla and Gravy Analytics — for unfairly collecting, selling and using consumers' precise location data without obtaining verifiable consent. What made these cases different was what the data revealed. These companies weren't just tracking where people went. They were inferring why.
Using location signals, they categorized individuals based on sensitive activities: attending reproductive health clinics, protests, religious services or political events. This data was then packaged into commercial products or sold to third parties — without the individuals' knowledge.
The FTC called this a violation of consumer trust and privacy expectations and ordered the companies to build a sensitive location data program that prevents this type of profiling in the future. What unfolded was a glimpse into how real-time bidding data, when aggregated and enriched, can unintentionally support surveillance use cases.
When location data becomes a threat
To understand the national security dimension, consider this real-world example.
A member of the clergy in a Western country was unknowingly tracked through mobile location data. Over time, a profile of his movements revealed repeated visits to religious sites — and to locations associated with LGBTQ+ communities. This information, derived through ad tech data streams, was ultimately obtained by foreign actors and used to attempt to discredit him within his religious institution.
It worked. The priest was forced to resign. The campaign wasn't orchestrated by law enforcement or even domestic surveillance agencies. It came through commercial data flows enabled by real-time bidding.
If this can happen to one individual, the same underlying data practices could potentially be used to monitor government employees, journalists, political candidates or civil society leaders.
Foreign adversaries are listening
Real-time bidding doesn't discriminate between advertisers. Any company that meets the exchange's requirements can participate, including foreign intelligence contractors or data resellers tied to adversarial governments.
Once bidstream data is broadcast, it becomes nearly impossible to track or control downstream. Persistent identifiers like advertising IDs, IP addresses, and device metadata can be linked across time, especially when layered with third-party datasets. Even so-called anonymized or pseudonymized data becomes reidentifiable through technical means.
This exposure prompted the U.S. Department of Justice to act.
The DOJ rule: Turning point for real-time bidding
In early 2025, the DOJ finalized a rule restricting the cross-border flow of bulk sensitive personal data to entities connected to six designated countries of concern: China, Cuba, Iran, North Korea, Russia and Venezuela. The rule applies to data in any form, including "anonymized, pseudonymized, de-identified, or encrypted," due to the risk that data can be reidentified through technical means and data linkage.
It specifically addresses data commonly collected through commercial technologies, including ad tech, and establishes thresholds that define "bulk" datasets, such as: 100,000 or more unique persistent identifiers, such as advertising IDs or IP addresses; 1,000 or more instances of precise geolocation data; or any combination of identifiers that could reasonably be used to identify individuals.
It also introduces compliance expectations: contractual safeguards, due diligence on business partners, audit requirements and penalties for violations. The definition of "sensitive" is expansive — covering genomic data, health information, financial records, ad IDs and IP addresses.
These developments shouldn't be viewed as an indictment of programmatic advertising itself, but rather as a signal that the real-time bidding infrastructure must evolve alongside the realities of national security, privacy expectations and cross-border data risk.
The same system, reexamined
For years, real-time bidding was seen as the cost of keeping the internet "free." Users tolerated data collection in exchange for access to content. But the scale and granularity of data flowing through programmatic systems have made the ecosystem increasingly complex to govern — especially when downstream data use isn't visible or auditable.
The DOJ's rule reframes real-time bidding not only as a privacy issue but as a national security concern. It's not about any one priest, protestor or patient — it's about the risk that the system itself can be used in ways that were never anticipated by its original design.
What happens next
The DOJ rule goes into effect 8 April, with audit and programmatic compliance requirements kicking in by October.
For ad tech companies, publishers and data brokers, this means revisiting assumptions about how data is shared, stored and sold. For privacy professionals, it's an opportunity to reassess where real-time bidding fits into their broader risk landscape.
For the ad tech industry, this is also an opportunity to lead — by strengthening transparency, improving data governance, and helping shape the next chapter of responsible data use.
Mandy Lit, CIPP/C, CIPM, FIP, is a senior data privacy and compliance consultant.
This article is for information purposes only and does not contain legal advice.