Targeted online advertising: ecosystem and law
Most free internet services are funded by targeted online advertising, which builds profiles and routes ads to people who meet criteria. The adtech ecosystem has many actors (ad networks, exchanges, DSPs/SSPs, data brokers). Both the GDPR (personal data) and the ePrivacy Directive (cookies) apply. After Wirtschaftsakademie, advertisers may be joint controllers even if they never receive the data. Notice is hard: many adtech firms have no direct relationship with data subjects.
Profiles are compiled from on/offline sources, supplemented by inferred data, and linked to a device via a cookie. Some adtech firms (SMPs, search engines) deal directly with people; others only build relationships with website operators to track visitors. The status of advertisers shifted after Wirtschaftsakademie: even those that never receive personal data may now be joint controllers.
| Problem | GDPR flexibility / limit |
|---|---|
| No direct relationship with the data subject | Art 14(5)(b): make info 'publicly available' where direct notice is impossible or a disproportionate effort |
| Data from many sources / to many recipients | Can notify categories of recipients and general info on sources where various sources used |
| But identifiable individual sources | WP29: must give the individual source if it is possible (even if burdensome) |