Real-Time Bidding Is a Shadow Market for Your Data

On May 4, 2026, the Federal Trade Commission announced a proposed settlement with Idaho-based data broker Kochava Inc. that would permanently ban the company from selling sensitive location data without explicit consent. The settlement, reported by JD Supra, ended years of litigation in which the FTC alleged that Kochava tracked hundreds of millions of mobile devices and sold geolocation data capable of revealing visits to reproductive health clinics, places of worship, and domestic violence shelters. Under the proposed order, Kochava must delete the contested location data and implement a consent framework that requires an affirmative opt-in for any collection tied to sensitive locations.

The Kochava settlement is the most significant FTC action against a location-data broker in years, but it addresses only one node in a much larger system. The data that Kochava sold did not originate from its own collection apparatus alone. It was fed by a sprawling supply chain: mobile apps with embedded software development kits that harvest location coordinates, advertising exchanges that broadcast those coordinates in real-time auction requests, and aggregators that stitch device identifiers into persistent profiles. Understanding why a single broker could track millions of phones requires understanding the auction layer, the real-time bidding infrastructure that turns every ad impression into a data-extraction event.

Real-time bidding, or RTB, has powered programmatic advertising for more than a decade. When a user opens an app or loads a webpage, a bid request is sent to an ad exchange containing device information, IP address, location coordinates, and behavioral segments inferred from browsing and purchase history. In the milliseconds before the page renders, dozens of advertisers and data brokers participate in an automated auction for the right to show that user an ad. The winning bidder serves the creative; every losing bidder retains the bid request data. As a Forbes Tech Council analysis noted in April, billions of these auctions run every day, and the infrastructure underneath keeps growing more complex even as its foundational privacy questions remain unanswered.

The privacy problem is structural, not incidental. In a traditional data-broker transaction, Company A sells a spreadsheet to Company B, and regulators can examine the contract. In the RTB ecosystem, the data exposure is continuous and multilateral. A single bid request may pass through a supply-side platform, an exchange, multiple demand-side platforms, and a dozen bidders, each logging the request before deciding whether to bid. The data has no single buyer, no single seller, and no audit trail that a regulator or a consumer can follow. This architecture makes the auction layer a uniquely difficult target for privacy enforcement, even as it processes personal data at a scale that dwarfs the databases of individual brokers like Kochava.

The consequences extend well beyond targeted advertising. In March 2026, NPR reported that government agencies, including Immigration and Customs Enforcement, were purchasing location and identity data from commercial data brokers without warrants. The same month, FedScoop detailed how privacy advocates were raising alarms about what they called the "data broker loophole," a gap in Fourth Amendment jurisprudence that allows law enforcement and intelligence agencies to buy data that they would need a warrant to collect directly. The auction layer does not distinguish between a brand manager and a federal agent; the data is sold to whoever bids.

The data that flows through these auctions comes from everywhere. Enterprise resource planning systems, which manage core business transactions for thousands of corporations, represent one underappreciated source. A Forbes analysis published in March described how ERP data connects core business transactions with analytics environments and emerging AI platforms. When ERP data lakes are integrated with third-party identity graphs and onboarding services, the boundary between enterprise operational data and the consumer data marketplace dissolves. A purchase record becomes a behavioral signal, which becomes a bid-request segment, which becomes a targeting parameter in an auction.

The data-broker ecosystem is not a static marketplace of buy-and-sell transactions; it is an auction-driven machine that prices human attention and personal history in real time. The logic is the same one that governs financial markets, where assets are priced continuously through competitive bidding. In fact, the auction dynamic has expanded well beyond advertising into adjacent markets. Reporting from TheStreet via Yahoo Finance noted that prediction markets like Polymarket and Kalshi reached valuations of $9 billion and $11 billion respectively by the end of 2025, fueled by the same insight that auction-based price discovery can be applied to almost any information asset. The line between an ad-tech auction for attention, a data-broker auction for location trails, and a prediction-market auction for event probabilities is an artifact of branding, not architecture.

The auction layer is now entering a new phase of automation. In April 2026, the IAB Tech Lab released its Agentic RTB Framework for public comment, a set of protocols designed to allow AI agents to negotiate ad inventory autonomously across the supply chain. Writing for Forbes, technology executive Vasu Raj Jain described a shift from static auctions where the highest bid wins to intelligent agents that negotiate in real time based on sophisticated value assessments. Amazon Ads donated a Dynamic Traffic Engine to IAB Tech Lab the same month, according to Morningstar, in a move designed to reduce query-per-second waste and enable smarter demand signaling across the bidstream.

From a privacy standpoint, agentic RTB amplifies every existing concern. In the current system, a bid request contains the data that human-configured algorithms need to price an impression. In an agentic system, AI agents may request additional data points dynamically, probing the available information graph before committing to a bid. A system designed to negotiate value more efficiently is also a system designed to extract more data more aggressively. The IAB Tech Lab's framework includes no enforceable privacy constraints; it is a technical specification for interoperability, not a governance document for data stewardship. Jain's Forbes piece does not mention privacy, consent, or data subject rights even once, which is itself a statement about where civil liberties sit in the priority stack of ad-tech standards bodies.

The question of consent in the auction layer is almost entirely performative. Under the GDPR, the personal data processed in a bid request requires a lawful basis, and the standard the industry claims is consent. But the consent mechanism is typically a pop-up on a publisher's website, buried in a consent management platform that lists hundreds of vendors, each with its own data-processing purposes and retention periods. A 2024 study by the Irish Council for Civil Liberties, which the organization has updated through 2026, found that the average RTB transaction exposes user data to thousands of companies per day, and that a single user's data might be processed by more than a hundred thousand bid-request recipients over the course of a year. No human being is reading those consent strings; no human being is exercising meaningful control over what happens to their data once the auction begins.

European regulators have begun to engage with the auction layer directly, though enforcement remains uneven. The Belgian Data Protection Authority's 2022 ruling against IAB Europe's Transparency and Consent Framework declared that the framework itself violated the GDPR, a decision that sent tremors through the ad-tech industry but has been mired in procedural delays and appeals. The Irish Data Protection Commission, which supervises many of the largest ad-tech platforms, has been slow to issue final decisions on RTB-related complaints. NOYB, the privacy advocacy group founded by activist Max Schrems, has filed complaints in multiple EU member states alleging that RTB constitutes a systematic violation of the GDPR's data-minimization and purpose-limitation principles. As of mid-2026, those complaints remain unresolved.

The United States lacks even this patchwork of regulatory pressure. The FTC's Kochava settlement is significant precisely because it is exceptional. There is no federal privacy law governing data brokers, and the FTC's authority derives from its general consumer-protection mandate, which requires it to prove that a data broker's practices are unfair or deceptive on a case-by-case basis. The fourth time a data broker sells location data to a stalker, the FTC can bring an action. The first time a data broker sells location data to an ad exchange that exposes it to two hundred bidders, nothing happens at all. The American Data Privacy and Protection Act, which would have created a national framework for data broker regulation, stalled in Congress in 2024 and has not been revived.

The Architecture Problem

The deeper challenge is that privacy law, where it exists, is built around the idea of a data controller, an identifiable entity that determines the purposes and means of processing. The auction layer dissolves this model. In a real-time bidding transaction, the data flows through a supply-side platform, an exchange, a demand-side platform, and multiple bidders, each of which may claim a different legal basis for processing under a different regulator's jurisdiction. By the time a complaint reaches an authority, the bid request data has been logged, enriched, resold, and fed into a model whose weights no longer point back to any individual transaction. The architecture was designed, intentionally or not, to be unregulable at the transaction level.

Some industry participants have begun to acknowledge the opacity problem, if not the privacy problem. A Forbes Tech Council piece from May 2026 argued that programmatic advertising is entering a phase where opacity is no longer tolerated, at least from the buyer's perspective. Advertisers want to know what they are bidding on and whether their money is reaching real humans. But auction clarity for the buyer does not equal transparency for the data subject, and the industry's internal reforms have focused almost entirely on fraud reduction and supply-path optimization, not on the rights of the people whose data fuels every bid.

The ExchangeWire programmatic trends roundup from March 2026 captured the industry's mood: optimistic about curation, excited about agentic AI, wary of signal loss from cookie deprecation and platform privacy changes, and almost entirely silent on the regulatory liability accumulating underneath. The conversation in the trade press is about efficiency, addressability, and measurement. The conversation in the civil-liberties community is about whether the entire RTB apparatus is lawful at all. These two conversations do not touch.

What to Watch For

Several pressure points are converging. The FTC's Kochava settlement establishes a template for location-data enforcement that could be applied to other brokers, including those that participate directly in the RTB ecosystem. The European Data Protection Board has signaled that its 2026 work program includes an intensified focus on ad-tech data flows, and NOYB continues to press its RTB complaints through multiple national authorities. In Congress, the data-broker loophole has attracted bipartisan concern, though legislative action remains unlikely before 2027. And the IAB Tech Lab's agentic RTB standards are moving from draft to implementation without any corresponding privacy framework, meaning the industry is automating the data-extraction machinery before regulators have finished understanding the current version.

The Kochava settlement forces the company to delete data and obtain consent. But the auction layer does not need Kochava to function. It needs bid requests, and bid requests are generated by every ad-supported app, every ad-supported website, and every intermediary between them. As long as the RTB protocol treats personal data as a free input to the pricing function, a single enforcement action against a single broker will be, at best, a signal. Whether that signal is received by the industry, by regulators, or by the people whose data is being priced at auction is the question that will define the next phase of digital privacy. Readers who want to understand what data their own devices are broadcasting can start by inspecting the bidstream at openrtb.org, reviewing the consent strings stored in their browser's developer tools, or filing a subject-access request with any of the major exchanges listed on the IAB Europe's Transparency and Consent Framework participant list.