GDPR & ePrivacy Information for AdTech & MarTech Companies

Stay up to date with the latest news regarding the European Union’s General Data Protection Regulation (GDPR) and the proposed ePrivacy regulation and find out what they mean for AdTech and MarTech

On April 27, 2016, the European Union’s General Data Protection Regulation (GDPR) was adopted and triggered the start of a two-year countdown towards its enforcement date on May 25, 2018.

During these two years, all companies that collect data about European citizens and residents have to make a number of changes to their current policies and agreements with their partners to ensure they comply with the rules outlined in the GDPR.

In addition to the GDPR, there’s also the ePrivacy regulation, which is designed to specify certain areas of the GDPR, such as the use of personal identifiers, such as cookies and IP addresses, and clarify rules around obtaining user consent — all of which will directly impact the online advertising and marketing industries.

Numbers worth knowing

May 25, 2018

The date when the GDPR will come into full force

€20M

Companies can be fined either 20M Euro or 4% of the previous year’s turnover for serious infringements

€10M

Companies can be fined either 10M Euro or 2% of the previous year’s turnover for less-serious infringements

72 Hours

Companies will need to inform their clients and users about a data breach within 72 hours

GDPR will replace the current Data Protection Directive (Directive 95/46/EC) when it comes into force on May 25, 2018.

What is the GDPR?

The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 as it’s known in official contexts, is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, European Commission, and Council of the European Union.

It will replace the current Data Protection Directive (Directive 95/46/EC) when it comes into force on May 25, 2018.

The goal of the GDPR is to return control to data subjects in the union over their data and make the regulatory environment simpler for international business.

Currently, ePrivacy is a directive, but is in the process of being transformed into a regulation, which will also repeal the current directive.

What is ePrivacy?

The ePrivacy directive is a piece of EU legislation that also aims to protect the data and privacy of EU citizens and residents, but with a focus on respecting the private lives of EU citizens and residents when using electronic communications.

Within the online advertising and marketing industries, the current ePrivacy directive is often conversationally referred to as the cookie law because it regulates the usage of cookies, among other identifiers. However, it relates to the protection of privacy in the electronic-communications sector as a whole, not just the usage of cookies for online advertising and marketing.

Calling All AdTech and MarTech Companies!

Take part in our 2-minute anonymous survey and help us find out how AdTech and MarTech companies are preparing their technology for the GDPR...

Learn more about the survey and participate

Currently, ePrivacy is a directive, but is in the process of being transformed into a regulation, which will also repeal the current directive.

It is not known when the ePrivacy regulation will come into force, as the proposal is being negotiated between the three EU legislative institutions (see below). Some within the industry say that it will likely be enforced around the same time as the GDPR—May 25, 2018—while others see a late-2018 commencement date.

Given that it is still in progress, the final version of the ePrivacy regulation may still affect how AdTech and MarTech platforms interact with online identifiers based on the GDPR itself and the current state of ePrivacy.

The current state of ePrivacy

On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (aka LIBE Committee) voted to approve an amended version of the ePrivacy regulation. This amended version was then approved by members of the European Parliament during a plenary session (a meeting of the whole Parliament).

The next stage involves an informal meeting between representatives of the European Parliament, the Council of the European Union, and the European Commission. Once the proposal is finalized and approved by way of voting, it will be adopted and enforced.

The recent advancement towards adoption spelled a huge blow for advertising and marketing lobbyists, such as the Interactive Advertising Bureau Europe (IAB Europe) and Digital Europe. Their last chance at any sort of victory lies with the Council of the European Union and EU member states, which is where their focus will surely be.

Get our whitepaper!

GDPR & ePrivacy:
The Effect on AdTech & MarTech From a Technical Perspective

Download for free!

What does the GDPR and ePrivacy mean for AdTech and MarTech from a technical perspective?

Although the GDPR and ePrivacy regulation are legislations that will require AdTech and MarTech vendors to make a number of changes to their policies and contracts with partners, they will also require vendors to make many technological changes to their platforms to ensure they match their policies and comply with these two regulations.

Some of the main technological changes AdTech and MarTech vendors will have make to their platforms include:

  • Implement mechanism for collecting user consent for activities where the user’s data is passed on to third-parties, such as for tracking and behavioral targeting.
  • Identify users and their consent decisions, and then take the appropriate actions based on them — e.g. fire tags to pass data to certain platforms and tools, or refrain from firing tags.
  • Provide users with a current status of the activities they’ve consented to in commonly used and machine-readable format within one month from the time of request.
  • Pass the user’s consent decision to all parties involved in the consent request — e.g. if a publisher asks a user if they, their AdTech partner, and the AdTech partner’s client can use their data for advertising, then the user’s decision will need to be sent to all those parties. This is particularly challenging in online advertising as for any given ad request, a user’s information could be accessed by dozens of third-parties.
  • Pseudonymize, anonymize, and encrypt data to provide added levels of data protection.
  • Enable platforms to carry out a process known as data minimization, which involves only processing the amount of data absolutely needed to complete the given activity — something that will be hard for advertisers to define given how many different pieces of data they collect about online users.

Some resources about the GDPR and ePrivacy

Clearcode blog

How Prepared Are Your AdTech/MarTech Platforms for the GDPR? [Survey]

by Michael Sweeney

The European Union’s General Data Protection Regulation (GDPR) will come into force on May 25, 2018. The goal of the regulation is to give EU citizens and residents back control of their privacy and data.

Read more

Clearcode blog

Clearcode Teams up with PageFair to Help AdTech Vendors Comply with the GDPR

by Michael Sweeney

As part of our commitment to helping AdTech companies become GDPR compliant and run efficient media campaigns without relying on personal data, we’ve partnered with PageFair and have become an approved Perimeter Trusted Partner.

Read more

Clearcode blog

Don’t Fret – the GDPR Is a Good Thing for AdTech

by Maciej Zawadziński

In the early days of online advertising, the amount and type of data companies could collect about users was limited to the header information passed along with a HTTP call from the user’s browser, such as the language set on the user’s computer, URL of the page that the ad is being loaded onto, and the browser type and version.

Read more

Clearcode blog

The GDPR Will Drain the AdTech Cookie Pool

by Maciej Zawadziński

While the EU’s General Data Protection Regulation (GDPR) and its “baby sister” the ePrivacy Regulation may be full of ambiguous statements and legal jargon, one thing is clear; if you collect data from EU citizens, then your world is going to look a whole lot different come May 25, 2018.

Read more

Clearcode blog

Not Complying with GDPR Will Cost AdTech Companies More than 4% of Revenue

by Michael Sweeney

With all the attention that the EU’s General Data Protection Regulation (GDPR) has received over the past year, one could assume that this is a completely new initiative; however, the GDPR will just be superseding an existing data-privacy initiative—the EU’s Data Protection Directive.

Read more

Custom AdTech & MarTech development to help you comply with the GDPR

Our privacy-focused AdTech & MarTech development teams can help you prepare your platforms and tools for the GDPR and ePrivacy

Learn more about our GDPR development services