GDPR & ePrivacy Information for AdTech & MarTech Companies

Stay up to date with the latest news regarding the European Union’s General Data Protection Regulation (GDPR) and the proposed ePrivacy regulation, and find out what they mean for AdTech and MarTech.

On April 27, 2016, the European Union’s General Data Protection Regulation (GDPR) was adopted and triggered the start of a two-year countdown towards its enforcement date on May 25, 2018.

During those two years, all companies that collect data about European citizens and residents had to make a number of changes to their policies and agreements with their partners to ensure they comply with the rules outlined in the GDPR.

In addition to the GDPR, there’s also the ePrivacy regulation, which is designed to specify certain areas of the GDPR, including the use of personal identifiers such as cookies and IP addresses, and to clarify rules around obtaining user consent, all of which will directly impact the online advertising and marketing industries.

Numbers worth knowing

May 25, 2018

The date when the GDPR came into full force


Companies can be fined either 20M Euro or 4% of the previous year’s turnover for serious infringements


Companies can be fined either 10M Euro or 2% of the previous year’s turnover for less-serious infringements

72 Hours

Companies will need to inform their clients and users about a data breach within 72 hours

GDPR will replace the current Data Protection Directive (Directive 95/46/EC) when it comes into force on May 25, 2018.

What is the GDPR?

The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 as it’s known in official contexts, is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, European Commission, and Council of the European Union.

It replaced the Data Protection Directive (Directive 95/46/EC) when it came into force on May 25, 2018.

The goal of the GDPR is to return control to data subjects in the union over their data and make the regulatory environment simpler for international business.

Currently, ePrivacy is a directive, but is in the process of being transformed into a regulation, which will also repeal the current directive.

What is ePrivacy?

The ePrivacy directive is a piece of EU legislation that also aims to protect the data and privacy of EU citizens and residents, but with a focus on respecting the private lives of EU citizens and residents when using electronic communications.

Within the online advertising and marketing industries, the current ePrivacy directive is often conversationally referred to as the cookie law because it regulates the usage of cookies, among other identifiers. However, it relates to the protection of privacy in the electronic-communications sector as a whole, not just the usage of cookies for online advertising and marketing.

How Prepared Are AdTech & MarTech Vendors for the GDPR?

In the months leading up to May 25, we asked AdTech & MarTech companies about their GDPR preparations. One week before the GDPR's enforcement date, we released the results...

It is not known when the ePrivacy regulation will come into force, as the proposal is set to be negotiated between the three EU legislative institutions (see below). The latest news suggests that it will likely be enforced in either 2019 or 2020.

Given that it is still in progress, the final version of the ePrivacy regulation may still affect how AdTech and MarTech platforms interact with online identifiers based on the GDPR itself and the current state of ePrivacy.

The current state of ePrivacy

On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (aka LIBE Committee) voted to approve an amended version of the ePrivacy regulation. This amended version was then approved by members of the European Parliament during a plenary session (a meeting of the whole Parliament).

The next stage involves an informal meeting between representatives of the European Parliament, the Council of the European Union, and the European Commission. Once the proposal is finalized and approved by way of voting, it will be adopted and enforced.

The recent advancement towards adoption spelled a huge blow for advertising and marketing lobbyists, such as the Interactive Advertising Bureau Europe (IAB Europe) and Digital Europe. Their last chance at any sort of victory lies with the Council of the European Union and EU member states, which is where their focus will surely be.

What do the GDPR and ePrivacy mean for AdTech and MarTech from a technical perspective?

Although the GDPR and ePrivacy regulation are pieces of legislation that will require AdTech and MarTech vendors to make a number of changes to their policies and contracts with partners, they will also require vendors to make many technological changes to their platforms to ensure they match their policies and comply with these two regulations.

Some of the main technological changes AdTech and MarTech vendors will have to make to their platforms include:

  • Implement a mechanism for collecting user consent for activities where the user’s data is passed on to third parties, such as for tracking and behavioral targeting.
  • Identify users and their consent decisions, and then take the appropriate actions based on them — e.g. fire tags to pass data to certain platforms and tools, or refrain from firing tags.
  • Provide users with a current status of the activities they’ve consented to in a commonly used and machine-readable format within one month from the time of request.
  • Pass the user’s consent decision to all parties involved in the consent request — e.g. if a publisher asks a user if they, their AdTech partner, and the AdTech partner’s client can use their data for advertising, then the user’s decision will need to be sent to all those parties. This is particularly challenging in online advertising as for any given ad request, a user’s information could be accessed by dozens of third parties.
  • Pseudonymize, anonymize, and encrypt data to provide added levels of data protection.
  • Enable platforms to carry out a process known as data minimization, which involves only processing the amount of data absolutely needed to complete the given activity — something that will be hard for advertisers to define given how many different pieces of data they collect about online users.
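
As an added illustration (not Clearcode's code and not part of the original page), the sketch below combines three items from the list above: acting on each party's consent decision before a tag is fired, data minimization per purpose, and pseudonymization of the identifier. The purpose names, field names, key and sample event are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real key lives in a secrets store.
PSEUDONYM_KEY = b"demo-key-rotate-and-store-separately"

# Data minimization: each purpose lists the only fields it may receive.
PURPOSE_FIELDS = {
    "behavioral_targeting": {"user_id", "page_url", "segments"},
    "frequency_capping": {"user_id", "campaign_id"},
}

def pseudonymize(user_id: str) -> str:
    """Replace a raw identifier with a keyed hash (HMAC-SHA256)."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def build_payload(event: dict, purpose: str) -> dict:
    """Keep only the fields the purpose needs and pseudonymize the identifier."""
    allowed = PURPOSE_FIELDS[purpose]
    payload = {k: v for k, v in event.items() if k in allowed}
    if "user_id" in payload:
        payload["user_id"] = pseudonymize(payload["user_id"])
    return payload

def dispatch(event: dict, consent: dict, recipients: list, purpose: str) -> dict:
    """Return {recipient: payload} only for parties the user consented to.

    consent maps recipient -> set of purposes the user agreed to. A missing
    recipient or purpose counts as no consent, so that tag is not fired.
    """
    out = {}
    for party in recipients:
        if purpose in consent.get(party, set()):
            out[party] = build_payload(event, purpose)
    return out

# Constructed sample: a publisher, its AdTech partner, and the partner's client.
EVENT = {"user_id": "cookie-1234", "ip": "203.0.113.7",
         "page_url": "https://news.example/a", "segments": ["sports"],
         "campaign_id": "c-9"}
CONSENT = {"publisher": {"behavioral_targeting", "frequency_capping"},
           "adtech_partner": {"behavioral_targeting"}}  # partner's client: no decision recorded
RECIPIENTS = ["publisher", "adtech_partner", "partner_client"]

if __name__ == "__main__":
    sent = dispatch(EVENT, CONSENT, RECIPIENTS, "behavioral_targeting")
    for party, payload in sent.items():
        print(party, payload)
```

A keyed hash is still pseudonymized personal data for as long as the key exists, so the key has to be stored separately from the records it protects.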

Some resources about the GDPR and ePrivacy

Clearcode blog

In a Post-GDPR World, Who Will Be the Emissions Cheaters of AdTech?

by Maciej Zawadziński

You may remember hearing about the Volkswagen emissions scandal that made headlines worldwide in 2015. For those unfamiliar with the story, the German automaker intentionally programmed its turbocharged-direct-injection (TDI) engines to comply with the United States’ emissions and pollution standards by activating the engines’ emission controls only during laboratory tests.

GDPR and ePrivacy FAQ from AdTech vendors

by Maciej Zawadziński

Despite the fact that the European Union’s General Data-Protection Regulation (GDPR) has come into force, and the ongoing coverage in the media, there still seems to be a lot of misinformation and confusion as to what the GDPR and the proposed ePrivacy regulation mean for AdTech companies.

Don’t Fret – the GDPR Is a Good Thing for AdTech

by Maciej Zawadziński

In the early days of online advertising, the amount and type of data companies could collect about users was limited to the header information passed along with an HTTP call from the user’s browser, such as the language set on the user’s computer, URL of the page that the ad is being loaded onto, and […]

The GDPR Will Drain the AdTech Cookie Pool

by Maciej Zawadziński

While the EU’s General Data Protection Regulation (GDPR) and its “baby sister” the ePrivacy Regulation may be full of ambiguous statements and legal jargon, one thing is clear; if you collect data from EU citizens, then your world is going to look a whole lot different come May 25, 2018.

Not Complying with GDPR Will Cost AdTech Companies More than 4% of Revenue

by Michael Sweeney

With all the attention that the EU’s General Data Protection Regulation (GDPR) has received over the past year, one could assume that this is a completely new initiative; however, the GDPR will just be superseding an existing data-privacy initiative—the EU’s Data Protection Directive.

The Effect the GDPR and ePrivacy Will Have on AdTech and MarTech Vendors [infographic]

by Michael Sweeney

While the true impact of the GDPR and ePrivacy regulation won't be felt until after they come into force, we can already get a sense of the effect they'll have on the online advertising and marketing industries.

What Does Privacy by Design Mean for AdTech and MarTech Companies?

by Maciej Zawadziński

The European Union’s General Data-Protection Regulation (GDPR) is about to introduce a number of new responsibilities for AdTech and MarTech companies (known as controllers and processors of data within the regulation). “Data protection by design and default” is a proposed new approach which promotes the implementation of privacy and data-protection compliance at the design phase […]
