Most people picture online advertising as a billboard: a fixed image a company paid to place where you'll see it. The reality is closer to a stock exchange. The specific ad you see was chosen in a live auction that started the instant the page began loading and finished before the page rendered. The thing being auctioned is not the ad slot in the abstract — it is the opportunity to show an ad to you, specifically, right now. To let bidders decide how much that's worth, the auction tells them about you.
This system is called real-time bidding, or RTB, and it is the financial engine underneath most of the open web. Understanding how it works explains a lot about why the internet feels like it's watching you — because, mechanically, it is.
The 100-Millisecond Auction
Here is the sequence that fires when you open an ad-supported page:
- The page contains an ad slot wired to a supply-side platform (SSP) — the seller's broker.
- The SSP assembles a bid request describing the impression and sends it out to many demand-side platforms (DSPs), the buyers' brokers.
- Each DSP evaluates the request against its advertisers' targeting rules and returns a bid — a price and the ad to show.
- The highest bid wins, the winning ad is delivered, and the page finishes loading.
All of this completes in roughly 100 milliseconds. The standardized message format that carries the bid request is OpenRTB, a specification maintained by the IAB Tech Lab. It defines fields for exactly the kind of information a buyer would want.
What's in a Bid Request
A bid request is not anonymous. Depending on the configuration, it can carry:
- Your IP address — which reveals approximate location and your network
- Precise or coarse geolocation — sometimes GPS-derived latitude and longitude from a mobile app
- Device and browser details — model, OS, user-agent, screen size, language
- The page or app you're on — the exact URL and often content keywords or categories
- Advertising identifiers — a mobile ad ID, or IDs synced across the ad-tech ecosystem to recognize you over time
- Inferred audience segments — labels like "in-market for a car," "parent of young children," or sensitive categories about health, finances, or beliefs
The crucial detail: the bid request goes out to every participating bidder, not just the winner. A company that bids nothing — or that exists primarily to harvest data rather than buy ads — still receives a copy of everything in the request. Multiply that by every ad slot, every page load, every person, all day. The volume is staggering.
RTB doesn't leak your data despite the system working correctly. It broadcasts your data because the system is working correctly. Wide distribution of the bid request is the mechanism, not a bug.
Why Regulators Call It a Breach
Privacy advocates have argued for years that RTB is structurally incompatible with data-protection law. The Irish Council for Civil Liberties, through researcher Johnny Ryan, has repeatedly characterized RTB as one of the largest data flows ever assembled, precisely because there is no way to control where a broadcast bid request ends up once it's sent.
The legal pressure has produced concrete rulings. In February 2022, Belgium's data protection authority found that IAB Europe's Transparency and Consent Framework (TCF) — the consent-management system that powers many of those cookie pop-ups feeding RTB — violated the GDPR, and that the "TC String" recording your consent choices was itself personal data processed without a valid legal basis. The decision sent ripples through an industry that had treated the TCF as its compliance shield.
Once a bid request is broadcast to hundreds of companies, no one can guarantee what happens to it next. There is no recall, no deletion that reaches every recipient, no audit trail across the whole chain.
This is the tension at the heart of the system: consent frameworks promise control, but the architecture they sit on top of is built to distribute data as widely as possible. You cannot meaningfully consent to processing whose downstream extent no one can describe.
How RTB Connects to Everything Else
RTB doesn't operate alone. It's the live-auction layer on top of a larger tracking economy. Bid requests are enriched by data brokers who attach offline information to your online identity. Cross-site recognition depends on the same cross-device tracking techniques used to link your phone, laptop, and TV. And when cookies aren't available, the industry falls back on browser fingerprinting to keep identifying you.
The result is that a single page visit can feed your behavior into a market that remembers and resells it, far beyond the site you actually chose to visit.
What You Can Actually Do
You can't opt out of an auction you're never shown. But you can starve it of inputs and reduce how often your device participates:
| Defense | What It Stops |
|---|---|
| Content blocker (uBlock Origin) | Blocks the ad and tracker scripts that initiate bid requests in the first place — the single most effective step. |
| Network-level blocking (Pi-hole) | Stops requests to ad and tracking domains across every device on your network, including apps. |
| Reset / disable your mobile ad ID | Removes the stable identifier that lets bidders recognize you across apps over time. |
| Global Privacy Control | Signals an opt-out of sale/sharing that is legally binding under some laws (e.g. California's CCPA). |
| Privacy-respecting browser | Blocks third-party cookies and resists fingerprinting by default, shrinking the data attached to you. |
None of these are perfect, and the ad-tech industry adapts constantly. But blocking the scripts that fire the auction is genuinely effective: if the bid request never gets assembled on your device, there's nothing to broadcast.
The Bigger Lesson
RTB is a useful mental model for surveillance capitalism in general. The data isn't taken in one dramatic theft — it's emitted continuously, in tiny increments, as the unavoidable exhaust of using services that are "free" because you are the inventory being sold. The most reliable defense is structural: prefer tools and services whose business model isn't built on monetizing your attention and your data in the first place.
That's the principle behind how we think about free apps and the trade-offs they hide. A service you pay for with money has no auction running in the background that needs to know who you are.