GDPR & ePrivacy Information for AdTech & MarTech Companies

What is the GDPR?

The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 as it’s known in official contexts, is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, European Commission, and Council of the European Union.

It replaced the Data Protection Directive (Directive 95/46/EC) when it came into force on May 25, 2018.

The goal of the GDPR is to return control to data subjects in the union over their data and make the regulatory environment simpler for international business.

What is ePrivacy?

The ePrivacy directive is a piece of EU legislation that also aims to protect the data and privacy of EU citizens and residents, but with a focus on respecting the private lives of EU citizens and residents when using electronic communications.

Within the online advertising and marketing industries, the current ePrivacy directive is often conversationally referred to as the cookie law because it regulates the usage of cookies, among other identifiers. However, it relates to the protection of privacy in the electronic-communications sector as a whole, not just the usage of cookies for online advertising and marketing.

It is not known when the ePrivacy regulation will come into force, as the proposal is set to be negotiated between the three EU legislative institutions (see below). The latest news suggests that it will likely be enforced in either 2019 or 2020.

Given that it is still in progress, the final version of the ePrivacy regulation may still affect how AdTech and MarTech platforms interact with online identifiers based on the GDPR itself and the current state of ePrivacy.

The current state of ePrivacy

On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (aka LIBE Committee) voted to approve an amended version of the ePrivacy regulation. This amended version was then approved by members of the European Parliament during a plenary session (a meeting of the whole Parliament).

The next stage involves an informal meeting between representatives of the European Parliament, the Council of the European Union, and the European Commission. Once the proposal is finalized and approved by way of voting, it will be adopted and enforced.

The recent advancement towards adoption spelled a huge blow for advertising and marketing lobbyists, such as the Interactive Advertising Bureau Europe (IAB Europe) and Digital Europe. Their last chance at any sort of victory lies with the Council of the European Union and EU member states, which is where their focus will surely be.

Get our whitepaper!

GDPR & ePrivacy:
The Effect on AdTech & MarTech From a Technical Perspective

Download for free!

What does the GDPR and ePrivacy mean for AdTech and MarTech from a technical perspective?

Although the GDPR and ePrivacy regulation are legislations that will require AdTech and MarTech vendors to make a number of changes to their policies and contracts with partners, they will also require vendors to make many technological changes to their platforms to ensure they match their policies and comply with these two regulations.

Some of the main technological changes AdTech and MarTech vendors will have make to their platforms include:

• Implement mechanism for collecting user consent for activities where the user’s data is passed on to third-parties, such as for tracking and behavioral targeting.
• Identify users and their consent decisions, and then take the appropriate actions based on them — e.g. fire tags to pass data to certain platforms and tools, or refrain from firing tags.
• Provide users with a current status of the activities they’ve consented to in commonly used and machine-readable format within one month from the time of request.
• Pass the user’s consent decision to all parties involved in the consent request — e.g. if a publisher asks a user if they, their AdTech partner, and the AdTech partner’s client can use their data for advertising, then the user’s decision will need to be sent to all those parties. This is particularly challenging in online advertising as for any given ad request, a user’s information could be accessed by dozens of third-parties.
• Pseudonymize, anonymize, and encrypt data to provide added levels of data protection.
• Enable platforms to carry out a process known as data minimization, which involves only processing the amount of data absolutely needed to complete the given activity — something that will be hard for advertisers to define given how many different pieces of data they collect about online users.