BidRequest Data [0] and Request Time is already enough to fingerprint the user.

"Google prohibits multiple buyers from joining their match tables." part is not technical, it is contract based.

[0] Sample Data from Bid Request

  ip: "F\303\006"
  user_agent: "Mozilla/5.0 (Linux; Android 7.1.1; Pixel XL Build/NOF26V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"
  url: "http://www.myfitnesspal.com/food/calories/popeyes-buttermilk-biscuit-29980768"
  cookie_version: 1
  google_user_id: "CAESEIMlaNwMN-rtiDFzjwNIX6Y"
  timezone_offset: -360
  detected_content_label: 39
  mobile { is_app: false 3: "android" 8: 1 12: "google" 13: "pixel xl" 14 { 1: 7 2: 1 3: 1 } 15: 412 16: 732 18: 70092 19: 3500 }
  cookie_age_seconds: 12960000
  geo_criteria_id: 9023221
  device { device_type: HIGHEND_PHONE platform: "android" brand: "google" model: "pixel xl" os_version { major: 7 minor: 1 micro: 1 } carrier_id: 70092 screen_width: 412 screen_height: 732 screen_pixel_ratio_millis: 3500 }

It being technical impossible or infeasible does not give them license to not follow the law.

Either they comply with the law or they don't. I'm not a lawyer, but it certainly doesn't look like they're following the law here.

Well there's absolutely a way: single-source JS and no CORS.

“there is no way for google to operate under the GDPR and provide targeted advertising” ?

i’m inclined to agree :/

Couldn't each buyer get their own "auction ID" as well as their own "user ID"? Am I completely misunderstanding things?