Why click fraud protection only makes sense when it operates in full compliance with GDPR

The online advertising landscape reached a remarkable turning point in 2024: for the first time in a decade, automated traffic exceeded human-generated traffic, now accounting for 51 percent of all internet traffic. Even more alarming is the fact that 37 percent of all internet traffic consists of bad bots. This represents a significant increase from 32 percent the previous year and marks the sixth consecutive year of rising bad bot activity. These figures come from the current Bad Bot Report 2025, which documents the evolution of automated threats on the internet. For marketing decision-makers, this development presents a dual challenge: they must protect their advertising budgets from increasingly sophisticated bot attacks while simultaneously maintaining strict compliance with GDPR. European data protection authorities imposed fines totaling 1.22 billion euros in 2024, making it clear that compliance is not an optional extra. The central insight is clear: click fraud protection that does not operate in full GDPR compliance creates more legal risks than it solves problems.

The bot threat has reached a new dimension

The figures paint a clear picture: artificial intelligence and large language models have revolutionized bot development and drastically lowered the barrier to entry for attackers. Even individuals with limited technical knowledge can now launch attacks thanks to generative AI tools and bot-as-a-service platforms. The result is a massive increase in both simple and sophisticated bot attacks. Simple bot attacks rose from 40 percent in 2023 to 45 percent in 2024, while advanced and moderate bot attacks together account for 55 percent of all attacks. This development is accelerated by AI-powered bots that use machine learning to adapt to mitigation strategies and continuously refine their attack techniques.

Particularly concerning is the targeted focus on APIs: 44 percent of advanced bot attacks target API endpoints, compared to just 10 percent attacking web applications directly. This represents a deliberate strategic shift by attackers who have recognized that APIs process sensitive and high-value data while often being less well protected than traditional web applications. The attacks on APIs are not limited to simple overload attempts but specifically target the business logic that defines how APIs function. Attackers deploy specially designed bots to exploit vulnerabilities in API workflows and conduct automated payment fraud, account takeovers, and data exfiltration.

Research data from 2024 shows that over 13 trillion bad bot requests were blocked across thousands of domains and industries. The analysis shows that 31 percent of all recorded and mitigated attacks were automated threats as defined by OWASP. These are automated cyberattacks that leverage bots and scripts to exploit web application vulnerabilities at scale, bypass security controls, and disrupt businesses across various industries. Their widespread nature and the ease with which attackers exploit them make them a primary concern for any organization operating online advertising.

Attackers are also becoming increasingly sophisticated in their obfuscation tactics: 21 percent of all bot attacks use residential proxies provided by internet service providers. This technique enables malicious bot traffic to be disguised as legitimate user traffic by routing it through IP addresses from residential connections typically associated with home internet connections. This makes it significantly more difficult for security systems to detect the malicious activities, as residential IPs are usually classified as trustworthy.

Which industries are hit particularly hard

The impacts of bot attacks are not evenly distributed across all industries. The analysis identifies clear focal points, with the travel industry becoming the most affected sector, accounting for 27 percent of all bot attacks, a significant increase from 21 percent the previous year. Both the travel and retail industries struggle with a massive advanced bot problem, with bad bots accounting for 41 percent and 59 percent of their total traffic respectively. Notable is the shift in the travel industry: while 61 percent of attacks were advanced bot attacks in 2023, this proportion dropped to 41 percent in 2024, while simple bot attacks increased from 34 percent to 52 percent.

For account takeover attacks, which are particularly dangerous as they lead to digital identity theft and financial losses, the financial services industry stands at the forefront. It is the target of 22 percent of all ATO attacks, followed by telecommunications and internet service providers with 18 percent and computing and IT with 17 percent. The number of account takeover attacks has risen dramatically: by 40 percent compared to the previous year and even by 54 percent over the last three years. This development is driven by cybercriminals' use of AI and machine learning to continuously optimize their techniques.

Financial services, healthcare, and e-commerce are the sectors most affected by API-related bot attacks. These industries are particularly vulnerable because they rely on APIs for critical business operations and sensitive transactions, making them preferred targets for sophisticated bot attacks. The analysis of API attacks reveals a deliberate strategy by attackers to target API endpoints that process sensitive and high-value data. Data scraping accounts for 31 percent of all API attacks, followed by payment fraud with 26 percent and account takeover with 12 percent.

The legal reality intensifies parallel to the technical threat

While the technical threat from bots increases, the legal landscape also continues to evolve. The European Data Protection Board issued a groundbreaking opinion on so-called "consent or pay" models in April 2024, further clarifying the requirements for lawful consent. German courts have established that the mere violation of GDPR provisions without demonstrable damage creates a claim for damages of at least 100 euros, significantly increasing the potential liability burden for companies. Particularly relevant is the personal liability of managing directors and board members, which was given concrete form in the Clearview AI case and demonstrates that data protection violations affect not only the company but also individual decision-makers personally.

For 2025, European data protection authorities have announced coordinated enforcement actions that will focus on Article 17 GDPR, the right to be forgotten. These coordinated actions demonstrate a new level of maturity in GDPR enforcement, where no longer only individual, particularly serious cases are pursued, but systematic reviews in specific areas take place. For providers of click fraud protection solutions, this means that their systems must not only be technically effective but also fully comply with GDPR requirements.

GDPR requires a legal basis for every processing of personal data, with legitimate interest under Article 6 paragraph 1 letter f typically being considered for click fraud protection. However, this legitimate interest must always be weighed against the rights and freedoms of the data subject. The principle of data minimization requires that only the data necessary for the specific purpose may be collected. Storage limitations stipulate that personal data may only be retained for as long as necessary for the processing purpose. The requirements for technical and organizational measures for processing security are high and must correspond to the state of the art.

Why GDPR-compliant solutions are technically superior

The assumption that data protection compliance necessarily entails compromises in effectiveness proves false in practice. Modern GDPR-compliant click fraud protection solutions utilize privacy by design principles that anchor data protection as a core component of the system architecture from the outset. This does not lead to compromises but to more technically mature solutions. Instead of collecting and storing personal data, these systems rely on behavioral analyses without personal reference, IP reputation checks, and machine learning that recognizes patterns without identifying individual users.

Server-side analysis makes it possible to detect suspicious behavior before data even enters a system that processes personal information. This architecture is not only compliant with data protection regulations but also technically more robust, as it offers fewer attack points and cannot be circumvented by client-side manipulations. The fraud detection and prevention market is expected to reach 2.5 billion US dollars in 2025 and grow with an average annual growth rate of 15 percent until 2033. This growth trend shows that organizations are increasingly willing to invest in sophisticated protection solutions.
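As an added illustration, not code from the article or from any vendor it alludes to, the following Python sketch shows how a server-side click analysis can apply the data-minimisation and storage-limitation principles described above: the raw IP is replaced by a keyed pseudonym before anything is stored, records older than the retention period are discarded, and only rapid repeat clicks per pseudonym and ad are flagged. The sample events, key, window, threshold and retention values are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real traffic): (timestamp, client IP, user agent, ad id).
# One client fires six clicks on ad-42 within 30 seconds; the last record is a month old.
SAMPLE_CLICKS = [
    ("2025-03-01T10:00:00", "203.0.113.5", "UA-A", "ad-42"),
    ("2025-03-01T10:00:04", "203.0.113.5", "UA-A", "ad-42"),
    ("2025-03-01T10:00:09", "203.0.113.5", "UA-A", "ad-42"),
    ("2025-03-01T10:00:13", "203.0.113.5", "UA-A", "ad-42"),
    ("2025-03-01T10:00:18", "203.0.113.5", "UA-A", "ad-42"),
    ("2025-03-01T10:00:22", "203.0.113.5", "UA-A", "ad-42"),
    ("2025-03-01T10:01:00", "198.51.100.7", "UA-B", "ad-42"),
    ("2025-03-01T10:02:30", "198.51.100.7", "UA-B", "ad-17"),
    ("2025-02-01T09:00:00", "192.0.2.9", "UA-C", "ad-17"),
]

def pseudonymise(ip: str, ua: str, key: bytes) -> str:
    """Keyed hash of IP and user agent. The raw IP is never persisted; if the key is
    rotated (e.g. daily) and discarded, old pseudonyms can no longer be re-linked."""
    return hmac.new(key, f"{ip}|{ua}".encode(), hashlib.sha256).hexdigest()[:16]

def analyse_clicks(events, key: bytes, now_iso: str, window=timedelta(seconds=60),
                   threshold=5, retention=timedelta(days=7)):
    """Keep only (pseudonym, ad id, timestamp), drop records outside the retention
    period, and flag a pseudonym that clicks one ad `threshold` times within `window`."""
    now = datetime.fromisoformat(now_iso)
    kept = []
    for ts, ip, ua, ad in events:
        when = datetime.fromisoformat(ts)
        if now - when > retention:
            continue  # storage limitation: stale records are never retained
        kept.append((pseudonymise(ip, ua, key), ad, when))
    per_actor = defaultdict(list)
    for pid, ad, when in kept:
        per_actor[(pid, ad)].append(when)
    flagged = set()
    for (pid, ad), times in per_actor.items():
        times.sort()
        for i in range(len(times)):
            j = i  # sliding window starting at times[i]
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add((pid, ad))
                break
    return kept, flagged
```

The flagged set carries only pseudonyms, so an investigation or a data subject request can be answered without a lookup table of real addresses.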

Implementation according to European data protection standards is increasingly becoming a decisive differentiator for providers. It becomes evident that technical and organizational processes designed for GDPR compliance from the outset provide a more solid foundation than retroactively adapted systems. The EU-U.S. Data Privacy Framework is continuously reviewed, and challenges with cross-border data transfers remain. Companies that rely on European solutions with infrastructure in the EU have a structural advantage here, as they avoid these complex legal issues from the outset and ensure that data processing takes place entirely within the scope of GDPR.

The integration of a GDPR-compliant click fraud protection solution requires careful planning but also provides an opportunity to review and optimize the entire data processing landscape. A data protection impact assessment helps to systematically identify and minimize risks. The record of processing activities must be updated to document the new processing. The legal basis for processing must be clearly documented, and data processing agreements must be concluded with all service providers who process personal data on the company's behalf. These requirements may initially seem burdensome but create long-term transparency and legal certainty.

The future belongs to legally secure and technically mature solutions

With the AI Act and Data Act, additional regulatory requirements come into force that will increase the demands on technical systems. Machine learning models, as used in click fraud protection, must be explainable and transparent. This means that decisions must be documented in a comprehensible manner and data subjects must be able to understand why certain actions were taken. The increasing prevalence of deepfakes and the continuous advancement of bot technologies through AI require increasingly sophisticated detection methods. Solutions that are state-of-the-art today must already be further developed tomorrow to keep pace with attackers.

The current figures make it clear that companies face a clear decision: they can either invest in GDPR-compliant protection solutions that are both technically mature and legally secure, or they risk massive budget losses through bot traffic on one hand and significant fines through data protection violations on the other. With 37 percent of all internet traffic consisting of bad bots and another increase for the sixth consecutive year, inaction is no longer an option. The combination of AI-powered attacks that continuously become more sophisticated and an intensifying regulatory landscape makes it clear: the future belongs to solutions that combine technical excellence with complete legal compliance.

Companies that choose a fully GDPR-compliant solution are not only investing in the protection of their advertising budgets but also in the future security of their digital infrastructure. They build trust with customers who are becoming increasingly sensitive to data protection issues, and they avoid the risk of significant fines that can amount to up to four percent of global annual turnover. The question is not whether click fraud protection is necessary, but only which solution offers the right combination of technical performance and legal security. With 51 percent automated traffic, of which 37 percent is malicious, and account takeover attacks that have increased by 40 percent, the need for action is obvious. The solution lies in GDPR-compliant systems that understand privacy by design not as a constraint but as a technological advantage.