Online behavioural advertising (OBA)
OBA targets ads at people based on their behaviour observed over time. First-party OBA is run by the publisher itself; the trickier case is third-party ad networks that track users across many unaffiliated sites using with unique identifiers and behavioural profiling. OBA data normally counts as personal data (online identifiers let users be 'singled out'), so the GDPR applies, and publishers, advertisers and networks may be joint controllers each needing their own lawful basis.
A third-party ad network drops a cookie with a unique identifier, records browsing behaviour against that ID, builds a profile (e.g. 'ABC12345: new mother'), and serves targeted ads when the user returns or visits another partner site. Because online identifiers let users be singled out even without their real name, this is generally personal data and the GDPR applies.
A business that uses an agency, SMP or ad network cannot sit back and assume they handled GDPR. Often the parties are joint controllers, so each needs its own lawful basis and consistent compliance documentation - confirmed by the ECJ in Wirtschaftsakademie (2018) and Fashion ID (2019).
| Basis for targeting | Who are controllers? | Lawful basis |
|---|---|---|
| Provided data (user gave it to the SMP) | SMP + targeter, jointly | Each needs its own; 'performance of contract' is unsuitable |
| Observed data | SMP + targeter, jointly | Each needs its own legal basis |
| Inferred data (created by the controller) | SMP + targeter, jointly | Each needs its own legal basis |