The digital industry has been plagued for too long by bad players in the marketplace who misuse data and serve bad ads, causing users to see digital advertising as a nuisance. When it comes to the misuse of data, many have not been held accountable for the data under their control and have felt enabled to take advantage of the lack of independent oversight.

This in turn keeps data protection practices inconsistent within the industry, leaving individuals open to scams and abuses of their privacy. As a way to start putting more standard practices in play, on May 25th, 2018, the EU’s new General Data Protection Regulation (GDPR) goes into effect to help combat many of these issues. However, while this set of rules governing the privacy and security of personal data is being set by the European Commission, it has serious implications for many companies in the United States.

What is GDPR? 

The General Data Protection Regulation (GDPR) applies to the digital processing of personal data. GDPR, proposed by the European Commission, will strengthen and unify data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU. With this new regulation, accountability is important and a key measurement of GDPR.

How does GDPR impact my company? 

This regulation applies to your company if you have an establishment in the EU, if you offer products and services, process personal data and monitor the behavior of people in the EU. Personal data can include social media posts, device IDs, IP addresses, UDIDs, cookie IDs and other online identifiers. With GDPR, it is important to understand how your company collects data and what it does with that data.

What is the risk of Non-compliance?

Large fines of up to 4% of a global enterprise's annual revenue can be applied. Audits can be conducted by the data protection authorities, who can request changes and require additional reporting as auditing continues. Companies that are found in violation and prosecuted are also likely to be exposed in public, causing damage to their reputation and possibly restricting their ability to trade, and many will need to make substantial changes to processes and working practices.

How does this impact the Ad Tech Eco-system?

Anyone participating in the Ad Tech Eco-system is responsible for ensuring they are in compliance when processing personal data. Understanding who is responsible for getting the user's consent and for processing the data is a complex and fragmented process. Reliance on consent is imperative, as users need to be given the opportunity to give their consent to the use of their data. Compliance with GDPR is strictly around the consent of the users, what data is captured, how it will be used, and the users' ability to request that their data be deleted at any time.

Publishers should have conversations with their third-party vendors, such as DSPs, SSPs and exchanges capturing data in the EU, to ensure compliance efforts are in place. Changes in your legal contract may be needed to protect your organization, so reaching out to your vendors is a great idea to get the conversation going.

For targeted advertising campaigns, the intrusiveness of the profiling process, how the ad is delivered and the particular vulnerability of the individuals targeted may be factors in whether your company is in violation of GDPR.



Post Author: Esmeralda Cruz