Legalify shield logoLegalify
Free CheckerGDPR GuideBlogFeaturesHow it worksPricing
Log inSign up
← All articles

8 June 2026 · 5 min read

Programmatic Advertising and GDPR in the EU

Programmatic advertising is one of the most GDPR-complex areas of EU marketing. The real-time bidding infrastructure that underlies most digital display advertising broadcasts personal data to hundreds of parties simultaneously, every time a user loads a web page. The consent chain that is supposed to govern this process has been found by EU regulators to be structurally inadequate.

This guide explains how GDPR applies to programmatic advertising, what the TCF ruling means for EU advertisers and publishers, and what a more defensible approach looks like.

What happens in a programmatic ad auction

When a user loads a web page that runs programmatic advertising:

  1. The publisher's ad server generates a bid request containing data about the impression (page URL, ad slot, user's IP, user agent, geographic data) and user signals (audience segments, interest categories, engagement data)
  2. The bid request is sent to an SSP (supply-side platform) which sends it to hundreds of DSPs (demand-side platforms)
  3. Each DSP evaluates the bid request, matches it against advertiser targeting criteria, and returns a bid
  4. The winning bid results in an ad being served
  5. The entire process takes approximately 100ms

The GDPR issue: each bid request broadcast involves sharing personal data with dozens to hundreds of organisations, each of which processes it with their own systems. The legal basis for that processing — typically consent — must be in place before the bid request is sent.

The TCF ruling and what it means

In February 2022, the Belgian DPA ruled that IAB Europe's Transparency and Consent Framework (TCF) violated GDPR in several fundamental ways:

  • IAB Europe acted as a joint data controller for TCF consent strings but had not accepted the GDPR obligations that status entails
  • The TCF's consent signals were insufficient to demonstrate freely given, specific, informed consent as required by GDPR Article 7
  • The TCF did not adequately prevent data processing by parties who had not received valid consent

IAB Europe appealed, and the Belgian Market Court partially overturned the ruling in 2024 on the question of whether IAB Europe is a joint controller. However, the substantive compliance requirements remain — publishers and advertisers cannot rely on TCF signals as automatic GDPR compliance.

Practical implications for advertisers:

  • Using a CMP that generates TCF signals does not automatically make your programmatic campaigns compliant
  • You need to audit whether the consent collected via your publisher's CMP actually meets GDPR standards
  • Contracts with DSPs and SSPs should include GDPR data processing terms

Your GDPR obligations as a programmatic advertiser

As a data controller, you are responsible for the lawful basis of the targeting data you bring to programmatic campaigns. If you upload first-party audiences (CRM lists, website visitor segments) to a DSP, the lawful basis for creating those audiences must exist before you upload them.

Consent for website visitor audiences: If you use a cookie-based pixel to build website visitor audiences for programmatic retargeting, that pixel must have loaded only for users who gave valid cookie consent. Audiences built from non-consented pixel data carry the taint of the invalid original processing. See our guide to retargeting ads and GDPR compliance for how pixel consent and audience-building interact.

Legitimate interest limitations: Most EU DPAs have taken the position that legitimate interest does not support the scale and scope of data processing in RTB. The UK ICO reached the same conclusion in its RTB industry investigation. Consent is the expected lawful basis for programmatic targeting.

Processor relationships: Your DSP processes data on your behalf. You need a data processing agreement covering:

  • Description of processing activities
  • Security measures
  • Sub-processor chain (DSPs have extensive sub-processor networks)
  • Data transfer safeguards for non-EEA processors
  • Data deletion timelines

Third-country data transfers in programmatic

A significant portion of the global ad tech stack is US-based. EU-US data transfers require either SCCs (Standard Contractual Clauses) or binding corporate rules. After Schrems II (2020) invalidated the EU-US Privacy Shield, all EU-US ad tech data transfers required individual SCCs with transfer impact assessments.

The EU-US Data Privacy Framework (2023) created a new transfer mechanism, and most major US ad tech companies have self-certified under it. However, the DPF is considered legally fragile by EU privacy advocates and is expected to face challenges. Relying solely on DPF membership without supplementary safeguards in your contracts is a risk some advertisers are still managing.

Contextual advertising as a GDPR-safe alternative

Contextual advertising matches ad content to the content of the page rather than to the individual user's profile. It does not require:

  • Cookie consent
  • User-level data processing
  • TCF signals
  • DPAs with ad tech intermediaries

Publishers and advertisers who have shifted toward contextual targeting report that performance, while generally lower than consented behavioural targeting, is often comparable to or better than behavioural targeting with incomplete consent — because the contextual-only inventory doesn't carry the measurement gaps from rejected consent.

For EU campaigns where consent rates are low (often 40–60% on direct consent requests), contextual targeting is increasingly the pragmatic choice for reaching the non-consented portion of the audience.

What a more defensible programmatic setup looks like

  1. Use a CMP that meets GDPR consent standards — equal prominence for accept/reject, no dark patterns, per-purpose consent
  2. Segment your programmatic audiences — separate consented-only segments from broad segments; only bid consented data into the RTB auction
  3. Implement Consent Mode v2 for Google programmatic; understand SSP-specific consent passthrough for non-Google supply
  4. Review DSP contracts for GDPR DPA terms, sub-processor lists, and data deletion commitments
  5. Build first-party data infrastructure that is consent-aware from collection, so you know exactly which records have valid advertising consent
  6. Consider contextual targeting for non-consented inventory rather than running behavioural targeting on a degraded consent signal

Scan your programmatic ad copy before launch

The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.

This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.

Frequently asked questions

Is programmatic advertising legal under GDPR?

Yes, but the legal basis for most programmatic advertising targeting is consent — and that consent must be collected before any data is processed for ad targeting purposes. The Belgian DPA ruling against IAB Europe's TCF framework (2022, upheld on appeal) confirmed that the consent management infrastructure underlying much of European programmatic advertising has systemic problems that publishers and advertisers must address.

What is real-time bidding (RTB) and why does it raise GDPR issues?

Real-time bidding is the auction process by which ad impressions are sold in milliseconds as users load web pages. RTB involves broadcasting a bid request containing user data (IP address, user agent, browsing history signals, location, audience segment IDs) to potentially hundreds of DSPs simultaneously. Each recipient of that bid request processes personal data. GDPR requires lawful basis for every step of that chain.

What is the TCF and is it GDPR compliant?

The Transparency and Consent Framework (TCF) is IAB Europe's industry standard for collecting and transmitting consent signals across the programmatic supply chain. The Belgian DPA ruled in 2022 that the TCF as implemented violated GDPR because IAB Europe acted as a joint controller without adequate lawful basis and because the consent signals were not sufficient to demonstrate freely given, specific, informed consent. IAB Europe has made changes but the framework remains contested.

Do I need a DPA with my DSP and SSP?

Yes, if they process personal data on your behalf. In many programmatic relationships, the DSP acts as a data processor or joint controller for campaign execution. You need either a data processing agreement (if processor) or a joint controller arrangement (if joint controller), with clear allocation of GDPR obligations between parties. Check your DSP/SSP contracts — most have updated their DPA terms since 2022.

Can I use contextual advertising instead of behavioural targeting to avoid GDPR issues?

Contextual advertising — matching ads to page content rather than user profiles — does not involve user-level personal data processing and largely sidesteps GDPR concerns. It is increasingly used as a GDPR-compliant alternative. The tradeoff is lower targeting precision, though some contextual platforms report performance comparable to cookie-based behavioural targeting in consent-limited environments.

Free resource

Get the GDPR Ad Copy Checklist

12 checks every EU marketer should run before publishing. Free, instant, no spam.

No spam. Unsubscribe any time.

Check your ad copy for free

Paste your EU ad copy into the free GDPR Ad Copy Checker and get instant risk analysis — no login required.

Open the free GDPR checker
LLegalify

AI-powered GDPR and ad risk scanning for EU marketing agencies. Catch compliance issues before campaigns go live.

Designed for GDPR risk reviewSubprocessors listed in privacy policyDPA available on request

Product

  • Free GDPR Checker
  • Meta Ad Rejected?
  • GDPR Ad Compliance Guide
  • Legalify vs AuditSocials
  • How it works
  • Features
  • Pricing

Company

  • Blog
  • GDPR Guides
  • Contact

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • DPA
  • Security
© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.
PrivacyTermsCookiesSecurity