OpenRTB and the Future of Privacy-First Advertising

The third-party cookie spent two decades as the quiet plumbing of digital advertising — the thing that let a bid request whisper who you were from one site to the next. That era is closing. Safari and Firefox already block third-party cookies by default, regulators keep tightening the rules, and the whole industry is rebuilding interest-based advertising around consent and data minimisation. OpenRTB — the language every programmatic auction speaks — is evolving right along with it. This isn’t the end of programmatic. It’s a re-architecture around privacy.

01 — EVOLUTIONOpenRTB after third-party cookies

The bidstream is losing the field it leaned on hardest: a stable, cross-site identifier. In its place, the request starts carrying a different set of signals — authenticated first-party IDs where the user has consented, seller-defined audiences, richer contextual signals, and privacy-preserving interest signals such as the Topics API.

The standards bodies have built the plumbing to make this safe. The IAB Tech Lab’s Global Privacy Platform (GPP) packs consent and regulatory state — GDPR, US state laws — into a single string that travels with the request, and OpenRTB extensions describe the new signals. The shape of a “good” bid request is shifting: from here is the user to here is the context, the consent, and a privacy-safe audience signal.

Programmatic isn’t ending with the cookie. It’s being rebuilt around consent.

02 — THE REQUESTWhat a privacy-safe bid request looks like

The guiding principle is data minimisation: send the least data needed to value the impression, plus the consent that authorises it. In practice that means:

Drop or coarsen identifiers. No raw cross-site IDs, truncated IP, coarse geo, and never any PII.
Carry consent explicitly. A GPP / consent string rides with every request so each party knows exactly what is permitted.
Replace the person with the group. Cohort and topic signals, plus seller-defined audiences, describe interest at the group level instead of tracking an individual.

03 — ON-DEVICEWhen the auction moves into the browser

The biggest architectural change is where the auction runs. Privacy Sandbox’s Protected Audience API (formerly FLEDGE) moves remarketing auctions on-device: interest groups live in the browser, and the bidding logic executes locally, so no single party ever sees a cross-site profile. The Topics API surfaces coarse interest categories without cross-site tracking, and reporting moves to aggregated and attribution APIs with k-anonymity thresholds.

For the ecosystem, that’s a genuine rewiring: some decisioning now happens where the user is, not only on ad-tech servers.

04 — THE STACKWhat SSPs and DSPs need to change

For SSPs

Pass consent (GPP) on every request, and stop relying on third-party identifiers.
Expose seller-defined audiences and strong contextual signals built from first-party, publisher data.
Integrate as a seller in on-device auctions (Protected Audience) and lean on server-side connections.

For DSPs

Build on-device bidding logic (interest-group bidding) alongside traditional server-side bidding.
Shift modelling toward contextual and cohort signals instead of one-to-one tracking.
Rework measurement for aggregated, privacy-preserving attribution, and treat consent as a first-class input.

05 — OUTCOMEPrivacy-preserving, not performance-destroying

The standards are converging — GPP, OpenRTB extensions, Privacy Sandbox APIs, seller-defined audiences — and they all point the same way: value impressions with less personal data and more explicit consent. The buyers and sellers who re-tool early keep their reach, stay ahead of regulation, and gain something the cookie never offered in the first place: the user’s trust.