Although the European Union’s General Data Protection Regulation (GDPR) has come into force and the media have covered it extensively, there still seems to be a lot of misinformation and confusion about what the GDPR and the proposed ePrivacy regulation mean for AdTech companies.
To help publishers, brands, agencies, and AdTech vendors get a clear understanding of these new regulations, we’ve answered some of the most common and tricky questions.
What’s the Difference Between the GDPR and ePrivacy?
While both the GDPR and ePrivacy are designed to protect user data, there are some differences between the two.
The GDPR—or Regulation (EU) 2016/679 as it’s known in official contexts—is based on Article 8 of the EU Charter of Fundamental Rights. This document contains the rights and freedoms protected in the EU and aims to safeguard personal data, return control of personal data back to subjects in the union, and make the regulatory environment simpler for international business.
ePrivacy, officially known as the Privacy and Electronic Communications Directive (2002/58/EC), is based on Article 7 of the EU Charter of Fundamental Rights and focuses on respect for private life specifically when using electronic communications.
Also, ePrivacy is intended to cover special cases that don’t fall under the GDPR. For this reason, ePrivacy is lex specialis to the GDPR, meaning that when both apply to the same situation, the more specific ePrivacy rules take precedence over the GDPR’s general ones.
An easy and simple way to remember the difference is to think of the GDPR in the context of data protection and ePrivacy in the context of user privacy.
If My Company Is in the USA, Do I Still Need to Comply with the GDPR and ePrivacy?
There is a common misconception that because the GDPR and ePrivacy are European Union regulations, then they will only impact companies within the EU and the European Economic Area (EEA). For this reason, many companies within the US view the GDPR and ePrivacy as a European problem.
The truth is that if your company collects information about data subjects (either directly or on behalf of your clients) within the EU and EEA, then yes, your company will need to comply with the GDPR and ePrivacy.
Can I Ignore the GDPR if My Company is Incorporated Outside of the EU?
As mentioned above, if your company is located outside of the EU/EEA, you may still be bound by the GDPR and ePrivacy regulations if you collect data about citizens and residents from the EU/EEA.
If your company doesn’t collect any data from citizens and residents of the EU/EEA, then you won’t have to comply with the GDPR or ePrivacy. Bear in mind that a single web visit from an EU citizen could mean that you will have to comply with the two regulations.
Is My Company a Data Controller or Data Processor?
The distinction between data controller and data processor only arises if you use software supplied by a vendor that you don’t maintain yourself. In the case of on-premises software, your company must be considered both the controller and the processor.
A controller collects, controls, reviews, compares, and aggregates data about EU citizens and residents. It can be a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Examples: Publishers, ecommerce stores, individual bloggers, brands, and companies that collect data about users either directly or indirectly via another company.
A processor is any person or company that provides services or technology and collects data on behalf of data controllers. A processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, or delivers the tools used to collect the data.
Examples: AdTech and MarTech vendors.
The distinction between the two is nicely illustrated in an infographic created by the Piwik PRO team.
What is Personal Data?
The GDPR defines personal data as any piece of information that can be used to identify a data subject.
Identity in this sense doesn’t just refer to knowing a person’s name. If a user visits your website or sees one of your ads, they are considered identifiable if you can later recognize them (via their cookie ID or other identifier) if they return to your website or see another one of your ads.
The GDPR has also added device and advertising IDs, cookies, IP addresses, and location data to the list of personal-data examples, meaning that every AdTech company would currently be collecting personal data.
What is Pseudonymous Data?
Pseudonymous data refers to information that’s been changed into a non-identifiable format, so that it can no longer be used to identify a person without additional data, such as the key used for hashing or the encryption keys.
It’s important to note that while pseudonymous data is designed to help companies protect data, it is still an example of personal data, as it’s possible to revert the pseudonymized data back into its original format.
This means that if AdTech companies pseudonymize data, which is recommended, they’ll still be bound by the rules within the GDPR and ePrivacy.
On a more positive note, the GDPR states that companies aren’t required to inform data subjects about a breach if appropriate technical and organizational protection measures, such as one-way pseudonymization or encryption whose keys were not exposed in the breach, have been put in place and applied to the data.
What is Anonymous Data?
Anonymous data is data that can’t be used to identify a person; therefore, it is not subject to the rules of the GDPR. This means that if a company collects only anonymous data, it doesn’t have to obtain user consent.
For this reason, anonymous data has little value, if any, for AdTech companies, as it means they can’t run targeted campaigns based on personal data.
Some AdTech vendors claim that they only collect anonymous data, which might be true, but it would mean they can’t run behavioral advertising campaigns or target users based on any type of parameters.
Can AdTech Companies (e.g. DSPs, SSPs, Ad Servers, Ad Networks, etc.) Still Collect Cookies, IP Addresses, and Device and Advertising IDs Under the GDPR?
Yes. As mentioned above, the GDPR has added cookies, IDs stored in cookies, device and advertising IDs, and device fingerprints to its list of personal data, so if a company wishes to drop a cookie on a user and collect their data, it has to get clear consent from the user to do so.
While the definition of personal data has been extended to include cookies, IP addresses, and device and advertising IDs, AdTech companies can still use personal data to run behavioral advertising campaigns—however, they’ll need to obtain consent from the user to do so (see the sections below about user consent).
For AdTech vendors and advertisers wanting to run targeted campaigns (e.g. online behavioral advertising and retargeting campaigns) based on personal data, obtaining user consent is paramount, because without it, no advertising or marketing company will be able to lawfully collect, use, or store user data.
Does Cookieless Tracking Fall Under the GDPR?
In short, yes. If it involves “tracking”, then it’s likely to fall under the GDPR. The only type of data excluded from the GDPR is anonymous data, which is of no use for user tracking.
Also, as most cookieless tracking methods involve creating device fingerprints, this will mean that it falls under the GDPR, as they are classed as personal data.
Under Which Circumstances Can I Collect and Use Personal Data Without Obtaining Consent?
With regard to online advertising and marketing, there are few circumstances that would allow companies to collect and use personal data without obtaining consent. The two main instances are fraud prevention and billing, both of which are useless from an advertising perspective.
Most advertising and marketing activities that take place today, such as targeting and personalization, will require users to provide their consent.
What Does Obtaining User Consent Look Like?
While there is no universally accepted method or industry standard for obtaining user consent, the most obvious way is to ask the user via a popup or some other message.
In order to comply with the rules for obtaining consent, the message would have to include the following:
- The reason why the user’s personal data is being collected (e.g. for behavioral advertising, analytics, and personalization).
- The names of the companies with whom the user’s data will be shared.
- The length of time the user’s data will be stored (e.g. six months).
For more information about what the process would look like from a slightly more technical perspective, view our infographic.
To help publishers, advertisers, and AdTech companies obtain user consent, a number of companies have already released consent managers, which handle the technical implementation of obtaining and storing user-consent decisions and managing user rights.
The Interactive Advertising Bureau (IAB) has also released a user-consent framework to help publishers, advertisers, and AdTech companies navigate through this obstacle; however, it has been met with some strong criticism.
Can AdTech Companies Claim ‘Legitimate Interest’ for Processing Personal Data?
As it stands currently, AdTech companies will not be able to claim legitimate interest for collecting and processing personal data for advertising purposes.
However, many AdTech companies are under the impression that they will be able to collect and use personal data for profiling and targeting because of the concept of legitimate interest, which is explained in the GDPR as the following:
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
GDPR, Article 6(1)(f)
It is very likely that publishers, advertisers, and AdTech companies won’t be able to process user data based on legitimate interest, as such processing and profiling will be overridden by the user’s fundamental rights and freedoms.
What Do Companies Need to Do With the Data They Collected Before May 25, 2018?
Apart from obtaining proper consent after May 25, 2018, data controllers also need to analyze whether the user data stored in their databases (e.g. CRM systems, DMPs, and DSPs) before the GDPR kicked in was collected according to the rules set out in the GDPR. It is not necessary for the data subject to give his or her consent again if the manner in which the consent was given is in line with the Regulation.
For marketers, this means obtaining permission again from data subjects in their existing databases if they haven’t done so via the GDPR’s rules regarding consent, which is highly unlikely. For the most part, this involves sending out, most likely via email, a GDPR-compliant consent request asking data subjects to re-consent to usage of their historic data.
For advertisers, on the other hand, this process of re-consenting is much tougher due to the indirect relationship they have with users who are exposed to their ads—just think about all the cookies advertisers collect via processes such as cookie-syncing. The solutions to this conundrum are quite extreme, ranging from mass deletion of user data to doing nothing at all, with the latter being the least attractive option and subject to severe financial consequences.
Currently, publishers are the ones tasked with collecting consent on behalf of advertisers and AdTech companies.
What Rights Do Users Have Under the GDPR?
The GDPR has given users a number of rights relating to their data and states that companies will need to allow users to exercise these rights without delay (within one month).
Specifically, users will have the following rights under the GDPR:
- The right to be informed about the existence of profiling, the consequences of such profiling, the processing operation, and its purposes.
- The right to access confirmation from the controller as to whether or not personal data concerning them is being processed. This right was already part of the Data Protection Directive.
- The right to rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- The right to erasure (“right to be forgotten”) of personal data concerning him or her without undue delay; the controller shall have the obligation to erase personal data without undue delay.
- The right to restrict processing if the accuracy of the personal data is contested by the data subject, the processing is unlawful, and the controller no longer needs the personal data for the purposes of the processing.
- The right to data portability, meaning they have the right to receive personal data that’s been collected about them by a controller. The data must be in a structured, commonly used, and machine-readable format.
- The right to object at any time to processing of personal data concerning them.
What Will AdTech Companies Need to Do to Comply With the GDPR?
There are a number of things AdTech companies need to do from a technical perspective to comply with the GDPR, including:
- Ensuring proper consent has been obtained.
- Abstaining from firing tags until user consent has been provided.
- Managing user-consent decisions and user rights.
- Adding further data-protection measures (e.g. pseudonymization and encryption) to ensure user data is protected and secure.
- Applying a “data protection by design and default” approach to building new platforms, tools, and features.
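The following is an added example (written for this post, not code from the original author, the IAB framework, or any consent-manager vendor) that ties together the consent-message contents listed under “What Does Obtaining User Consent Look Like?” and the first three items in the list above. It is a small Node.js consent gate: a decision is stored with exactly the elements the user was shown (purposes, vendors, retention period), tags are queued and only fire once a decision covers their purpose and vendor, and withdrawal blocks further firing. The class name, purpose names, vendor IDs, and the assumption that consent stops being valid after the declared retention period are all illustrative choices for this example.

```javascript
// Added example, not from the original post: a minimal consent record and
// tag-firing gate. ConsentGate, the purpose names, the vendor ids and the
// "consent expires after the declared retention period" rule are all
// illustrative assumptions, not a standard or a vendor's API.

const PURPOSES = ['analytics', 'behavioral_advertising', 'personalization'];
const MS_PER_DAY = 24 * 60 * 60 * 1000;

class ConsentGate {
  // `now` is injectable so the expiry logic can be exercised deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.record = null;   // no decision yet: nothing may fire
    this.pending = [];    // tags registered before a covering decision exists
    this.auditLog = [];   // which vendor:purpose pairs actually fired, and when
  }

  // Store the decision exactly as the user was asked: purposes, vendor names
  // and retention period (the three things the consent message has to show),
  // plus when and through which UI it was given, as the controller's proof.
  recordDecision({ purposes, vendors, retentionDays, source }) {
    const granted = purposes.filter((p) => PURPOSES.includes(p));
    const grantedAt = this.now();
    this.record = {
      purposes: new Set(granted),
      vendors: new Set(vendors),
      retentionDays,
      grantedAt,
      expiresAt: grantedAt + retentionDays * MS_PER_DAY, // assumption: consent lapses with retention
      source,
    };
    this.flush();
    return this.record;
  }

  // Right to object / withdrawal: from now on nothing fires until re-consent.
  withdraw() {
    this.record = null;
  }

  allows(purpose, vendor) {
    const r = this.record;
    return r !== null
      && this.now() < r.expiresAt
      && r.purposes.has(purpose)
      && r.vendors.has(vendor);
  }

  // A tag is just a function. It is held until a decision covers its purpose
  // and vendor, then fired once. If consent never arrives, it never fires.
  registerTag(vendor, purpose, fire) {
    this.pending.push({ vendor, purpose, fire });
    this.flush();
  }

  flush() {
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.allows(tag.purpose, tag.vendor)) {
        tag.fire();
        this.auditLog.push({ tag: `${tag.vendor}:${tag.purpose}`, at: this.now() });
      } else {
        stillPending.push(tag);
      }
    }
    this.pending = stillPending;
  }
}

// Constructed scenario: two tags registered on page load, then a decision
// that only covers analytics, then the declared period elapses.
function demo() {
  let clock = 0;
  const gate = new ConsentGate(() => clock);
  const fired = [];
  gate.registerTag('analytics-vendor', 'analytics', () => fired.push('analytics-vendor'));
  gate.registerTag('dsp-vendor', 'behavioral_advertising', () => fired.push('dsp-vendor'));
  const beforeDecision = fired.length; // nothing fires before a decision
  gate.recordDecision({
    purposes: ['analytics'],
    vendors: ['analytics-vendor'],
    retentionDays: 180,
    source: 'banner-v1',
  });
  const afterDecision = fired.length;  // only the analytics tag fired
  clock = 181 * MS_PER_DAY;            // retention period has passed
  gate.registerTag('analytics-vendor', 'analytics', () => fired.push('late-analytics'));
  return { beforeDecision, afterDecision, fired, pending: gate.pending.length, gate };
}
```

The design point is that the gate, not each tag, decides whether anything leaves the page: a tag that cannot show a covering decision simply stays in the queue, and the audit log gives the controller a per-vendor record of what fired under which decision.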
To learn more, download our free guide: GDPR & ePrivacy: The Effect on AdTech & MarTech From a Technical Perspective
What Does ‘Data Protection by Design and Default’ Mean?
Companies should put data protection and user privacy at the forefront of all their activities, from collecting user data to designing and building new software.
The concept of data protection by design and default is based on Ann Cavoukian’s 7 Privacy by Design Principles. Its introduction to the GDPR elevates the notions of privacy and data protection from afterthoughts to central components of the design and development process. This concerns new software applications, such as AdTech platforms, and policies and agreements.
In short, data protection by design and default means building software with privacy features that give users a choice regarding how their data is collected and used, and making sure the software’s default settings and configuration are data-protection friendly.
Learn more about data protection and privacy by design and default by reading our post.
Who is a DPO and What is Their Role?
The role of a Data Protection Officer (DPO) is to educate the company and its employees on important compliance requirements, provide support for staff involved in data processing, and conduct regular security audits.
The role will become mandatory with the introduction of the GDPR for companies collecting or processing personal data of EU citizens. Also, DPOs are intended to serve as intermediaries between the company and any supervisory authorities.
The European Data Protection Supervisor states that DPOs must:
- Ensure that controllers and data subjects are informed about their data-protection rights, obligations, and responsibilities and raise awareness about them.
- Give advice and recommendations to the institution about the interpretation or application of the data-protection rules.
- Create a register of processing operations within the institution and notify the EDPS of those that present specific risks (so-called prior checks).
- Ensure data-protection compliance within their institution and help the latter be accountable in this respect.
- Handle queries or complaints on request by the institution, the controller, other person(s), or on their own initiative.
- Cooperate with the EDPS (responding to requests about investigations, complaint handling, inspections conducted by the EDPS, etc.).
- Draw the institution’s attention to any failure to comply with the applicable data-protection rules.
What is a DPIA? When and How Should I Conduct It?
A Data Protection Impact Assessment (DPIA) is a process that some companies will need to carry out as part of their path towards GDPR compliance.
If data processing carried out by a company is likely to put individuals’ rights and freedoms at high risk, then it will need to complete a DPIA.
The Article 29 Data Protection Working Party (WP29), which will become the European Data Protection Board (EDPB) with the enforcement of the GDPR, provides some guidelines on whether a DPIA is necessary. Such guidelines include processing data on a large scale and matching or combining datasets.
As most AdTech companies do one or both, it is quite likely that they have to conduct a DPIA.
What Are the Fines for Non-Compliance?
The GDPR has two tiers of fines depending on the severity of the infringements:
Administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for violations and infringements related to:
- Obtaining consent from a child to use their data (Article 8).
- Processing which does not require identification (Article 11).
- Designating a data-protection officer and their tasks (Article 39).
- Obligations of certification bodies and obligations of monitoring bodies (Articles 41, 42, and 43).
- Data protection by design and default (Article 25).
Administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for violations and infringements related to:
- Processing personal data and the lawfulness of that processing (Articles 5 and 6).
- Conditions for consent (Article 7).
- Processing of special categories of personal data (Article 9).
- User rights (Articles 12–22).
- Transferring user data to recipients in a third country (Articles 44–49).
For a list of frequently asked questions about what the GDPR means for AdTech and analytics vendors, read this post from Piwik PRO.