Programmatic advertising is one of the most GDPR-complex areas of EU marketing. The real-time bidding infrastructure that underlies most digital display advertising broadcasts personal data to hundreds of parties simultaneously, every time a user loads a web page. The consent chain that is supposed to govern this process has been found by EU regulators to be structurally inadequate.
This guide explains how GDPR applies to programmatic advertising, what the TCF ruling means for EU advertisers and publishers, and what a more defensible approach looks like.
What happens in a programmatic ad auction
When a user loads a web page that runs programmatic advertising:
- The publisher's ad server generates a bid request containing data about the impression (page URL, ad slot, user's IP, user agent, geographic data) and user signals (audience segments, interest categories, engagement data)
- The bid request is sent to an SSP (supply-side platform) which sends it to hundreds of DSPs (demand-side platforms)
- Each DSP evaluates the bid request, matches it against advertiser targeting criteria, and returns a bid
- The winning bid results in an ad being served
- The entire process takes approximately 100ms
The GDPR issue: each bid request broadcast involves sharing personal data with dozens to hundreds of organisations, each of which processes it with their own systems. The legal basis for that processing — typically consent — must be in place before the bid request is sent.
The TCF ruling and what it means
In February 2022, the Belgian DPA ruled that IAB Europe's Transparency and Consent Framework (TCF) violated GDPR in several fundamental ways:
- IAB Europe acted as a joint data controller for TCF consent strings but had not accepted the GDPR obligations that status entails
- The TCF's consent signals were insufficient to demonstrate freely given, specific, informed consent as required by GDPR Article 7
- The TCF did not adequately prevent data processing by parties who had not received valid consent
IAB Europe appealed, and the Belgian Market Court partially overturned the ruling in 2024 on the question of whether IAB Europe is a joint controller. However, the substantive compliance requirements remain — publishers and advertisers cannot rely on TCF signals as automatic GDPR compliance.
Practical implications for advertisers:
- Using a CMP that generates TCF signals does not automatically make your programmatic campaigns compliant
- You need to audit whether the consent collected via your publisher's CMP actually meets GDPR standards
- Contracts with DSPs and SSPs should include GDPR data processing terms
Your GDPR obligations as a programmatic advertiser
As a data controller, you are responsible for the lawful basis of the targeting data you bring to programmatic campaigns. If you upload first-party audiences (CRM lists, website visitor segments) to a DSP, the lawful basis for creating those audiences must exist before you upload them.
Consent for website visitor audiences: If you use a cookie-based pixel to build website visitor audiences for programmatic retargeting, that pixel must have loaded only for users who gave valid cookie consent. Audiences built from non-consented pixel data carry the taint of the invalid original processing. See our guide to retargeting ads and GDPR compliance for how pixel consent and audience-building interact.
Legitimate interest limitations: Most EU DPAs have taken the position that legitimate interest does not support the scale and scope of data processing in RTB. The UK ICO reached the same conclusion in its RTB industry investigation. Consent is the expected lawful basis for programmatic targeting.
Processor relationships: Your DSP processes data on your behalf. You need a data processing agreement covering:
- Description of processing activities
- Security measures
- Sub-processor chain (DSPs have extensive sub-processor networks)
- Data transfer safeguards for non-EEA processors
- Data deletion timelines
Third-country data transfers in programmatic
A significant portion of the global ad tech stack is US-based. EU-US data transfers require either SCCs (Standard Contractual Clauses) or binding corporate rules. After Schrems II (2020) invalidated the EU-US Privacy Shield, all EU-US ad tech data transfers required individual SCCs with transfer impact assessments.
The EU-US Data Privacy Framework (2023) created a new transfer mechanism, and most major US ad tech companies have self-certified under it. However, the DPF is considered legally fragile by EU privacy advocates and is expected to face challenges. Relying solely on DPF membership without supplementary safeguards in your contracts is a risk some advertisers are still managing.
Contextual advertising as a GDPR-safe alternative
Contextual advertising matches ad content to the content of the page rather than to the individual user's profile. It does not require:
- Cookie consent
- User-level data processing
- TCF signals
- DPAs with ad tech intermediaries
Publishers and advertisers who have shifted toward contextual targeting report that performance, while generally lower than consented behavioural targeting, is often comparable to or better than behavioural targeting with incomplete consent — because the contextual-only inventory doesn't carry the measurement gaps from rejected consent.
For EU campaigns where consent rates are low (often 40–60% on direct consent requests), contextual targeting is increasingly the pragmatic choice for reaching the non-consented portion of the audience.
What a more defensible programmatic setup looks like
- Use a CMP that meets GDPR consent standards — equal prominence for accept/reject, no dark patterns, per-purpose consent
- Segment your programmatic audiences — separate consented-only segments from broad segments; only bid consented data into the RTB auction
- Implement Consent Mode v2 for Google programmatic; understand SSP-specific consent passthrough for non-Google supply
- Review DSP contracts for GDPR DPA terms, sub-processor lists, and data deletion commitments
- Build first-party data infrastructure that is consent-aware from collection, so you know exactly which records have valid advertising consent
- Consider contextual targeting for non-consented inventory rather than running behavioural targeting on a degraded consent signal
Scan your programmatic ad copy before launch
The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.