Geared for publishers, advertisers, and ad tech vendors, this article aims to explain the EU General Data Protection Regulation (GDPR).
Please note, we are not a law firm. Please view this as informational, not legal advice.
What is the GDPR?
The GDPR, or the General Data Protection Regulation, is a European privacy law approved by the European Commission in April 2016. The GDPR regulates, amongst other things, how organizations may obtain, use, and store the personal data of EU residents (the EU is comprised of 27 countries and 445M people).
At its core, the GDPR follows two main principles:
1. Consumers own their data
The GDPR enables EU citizens, not online vendors, to have the final say on how their data will be used. Thus, consumer consent is required for PII collection, sharing, and usage. The GDPR also introduces the idea of "data rights", whereby individuals have the right to see, edit, and delete data a 3rd-party has on them.
2. Companies need to protect this data
The GDPR imposes tighter restrictions on how companies handle PII. This includes limiting what they collect, adding better security protocols, hiring Data Protection Officers, having data breach notification plans, and more.
The first point impacts the ad tech industry, as much of advertising relies on programmatic behavioral targeting using customer data (such as retargeting, cookie matching, mobile ID targeting, frequency capping, etc).
The GDPR affects all organizations with an EU presence or who process personal data of EU citizens. This covers nearly every brand and effectively all of ad tech. On May 25th, 2018, EU started officially enforcing the GDPR, and the fines can be as high as 20M Euros or 4% of your yearly revenue, whichever is higher.
It's important to note that if illegal data is used for ad targeting, then all parties could be liable: the publisher who shares the data, the exchange that accepts it, the DMP that sells it, and the advertiser that uses it.
If you're interested in seeing a running tally of GDPR fines and who's being fined, there's a GDPR fines tracker here.
What is the GDPR against?
The GDPR is primarily against:
- The building of profiles around personal data without the person's knowledge or consent
- Using this data in automated decision making
- Unsafe storage and leakage of PII
Advertising is not the sole activity GDPR wants to limit: it’s against any company that uses data without the user's consent to make personalized decisions. For instance, imagine an online bank ingesting your computer's IP address, comparing it to household incomes in your area, and denying you a credit increase based on that.
To the GDPR, such behind-the-scenes profiling could foster discrimination and infringe on legal rights, while potentially even prying on people’s vulnerabilities.
For example, if a data broker has a “rural and barely making it” segment (composed of IP addresses) and sells it to a gambling firm unbeknownst to the user, the gambling company could show those people ads and take advantage of their situation. The GDPR sees such practices as illegal and aims to quash them.
Even though most in the ad serving space aren’t doing anything nefarious, the GDPR regulations nonetheless impact EU ad serving (especially programmatic ads), hurting publishers, advertisers, and ad tech, no matter where one is headquartered.
What is considered 'personally identifiable information' (PII)?
If you have to ask, it's probably PII. It includes, but isn't limited to: name, SSN, IP address, lat/long coordinates, cookie IDs, user agents, RFID numbers, mobile identifiers (IDFA/GAID/etc), e-mail, physical address, and biometric/financial/behavioral/demographic data.
It’s also important to note that even “pseudonymised” data is PII if the pseudonym can be linked to an individual. So, it doesn't matter if you hash e-mail addresses if you can still use that ID to target the user.
For publishers, probably the biggest change is that it's now illegal to share IP addresses and do user matching (cookies/mobile IDs) with their ad partners for EU traffic. Even frequency capping and interest targeting for direct-sold campaigns could be impacted. And without user matching, the value of one's traffic drops significantly, hurting everyone in the ad tech chain.
Mind explaining the 'data rights'?
These rights are not theoretical; companies need to enable EU citizens to exercise them.
|Right to informed consent||Users must be clearly informed of what data is collected, why it's needed, and how it will be used|
|Right to be forgotten||User can request the data be deleted|
|Right to object||User can prohibit certain data uses (i.e., opt-out)|
|Right to rectification||User can request that any data be changed|
|Right to portability||User can request that the personal data be transferred|
|Right to access||User can access all collected data|
Honoring these rights is important to the GDPR, so even if you collect consent, you'd be violating the law if you then don't provide a way for users to see and change what data you have on them.
So, what is consent?
To clarify, the GDPR doesn't outlaw PII usage; it just requires companies to get explicit permission first to use it. Brands can by all means continue to do cookie matching, frequency targeting, programmatic ads, etc, as long as the user consents to it.
Getting this consent boils down into two parts:
(1) What you tell them
Users must be told how and why you are using the data, including:
|What||Explain what type of data will be collected/shared. It must be specific to distinct purposes (i.e., getting consent to track IP addresses doesn't mean you can later track e-mails too)|
|With whom||You have to detail the specific vendors with whom you're sharing data|
|Why||Purpose of why you're collecting and/or sharing the data|
|Retention period||How long this data will be saved for|
|Specificity||All of the above have to be explicit and clear; vague statements like “for marketing purposes” or “future research” aren’t likely to be specific enough|
|Changes||If you add in a new vendor or want to collect different data, you need new consent|
(2) How you ask it
Beyond the info you give, there are explicit rules on how you can legally ask for consent.
|Opt-in||Silence, pre-ticked boxes, or inactivity aren't enough. It has to be an opt-in checkbox/button the user clicks|
|Can't penalize users||You can't deny services/content to someone who refuses to give consent|
|Can't force a "yes"||Going along with above, you can't require a data-sharing "yes" to finish a registration process; it has to be optional without a penalty|
|Have to honor||If you'd still process the data regardless, asking for consent is misleading|
Additionally, as long as brands provide details on all the ways the data will be used, they can ask for consent with a single opt-in button (versus having different checkboxes for different ways of using the data).
How realistic is getting consent for advertising?
It's still unclear how draconian EU regulators will be toward the consent-asking process. For instance, if you'd like to get consent for direct-sold campaigns, it may be fine having a disclaimer like, "We will be collecting and storing your IP address, mobile identifier, and browsing behavior in our internal database to show you more tailored, direct-sold advertisements."
There's potential that this isn't enough, though, as you aren't explicitly explaining how the PII is used, such as, "We use your IP Address so that we can sell ads at the city-level, and we use your mobile ID to retarget you based on your in-app behavior."
Additionally, if you are using a 3rd-party to show ads (aka using an ad network/exchange), it's possible you'll need to mention all those involved (the ad server, exchange, DMPs, DSPs, etc), which makes getting consent for programmatic ads infeasible. That said, it may be that a broader statement of "we'll be sharing with various advertising partners" would be enough.
What is a Consent Management Platform?
For more information on CMPs, check out our Consent Management Platforms: The Definitive Guide, as well as our Ad Tech Insights CMP tracker.
At a high-level, a Consent Management Platform (or Provider) is a tool that programmatic publishers are using to gather consent and share that information with the entire ad supply chain.
They are helping to simplify the consent lifecycle, although there is still the possibility that regulators view them as still too broad in their language.
What's this 'Legitimate Interest' clause?
Article 6.1(f) will likely be the most debated clause in ad tech. It says that data collection and profiling (without consent) is allowed if the controller or 3rd-party has a "legitimate interest" in doing so.
Ad tech rejoices! Since every business has a legitimate interest to not go bankrupt, nothing should change.
Alas, the law also states that legitimate interest only works if it doesn’t infringe on the rights of the data subject - which, in the eyes of the GDPR, is something that most advertising does. Additionally, the Article 29 Working Party has concluded that behavioral advertising and data brokering doesn’t fall under this clause.
What does fall under it are direct marketing, website personalization, security, fraud detection, and reporting of criminal acts.
(“Direct marketing” refers to adverts that don’t involve a 3rd-party, such as you ordering online from Pizza Hut, and then they e-mail you a special offer.)
What about web analytic tools?
Whether or not you need consent for web tracking tools like Google Analytics depends on which EU country's ruling you prefer, as they have come to competing conclusions. For a detailed overview, we have a guide to GDPR and Google Analytics compliance.
What about 'user expectations'?
One heuristic for determining what data you can collect without consent is to ask yourself if the user “reasonably expects” their data to be used in a certain way.
|Scenario||Reasonable (likely no consent needed)||Not reasonable (likely needs consent)|
|You are a business looking for a new paid search vendor, and you fill out their “contact us” form||That the vendor is storing your info in a 3rd-party CRM||That the vendor then sells your e-mail to a data broker|
|You’re browsing Amazon.com||That Amazon will tailor the "recommended products" based on what you've purchased||That Amazon then retargets you on different websites with items you've looked at|
|You are applying for a bank loan||That the bank uses your info to look into your credit history||That the bank matches data about your location (using your computer's IP address) with household incomes and increases your interest rate based on that|
The 'Traveling European' Problem
One of the biggest uncertainties with the GDPR is what we're calling the "traveling European" problem: is blocking data sharing for users currently in an EU-country be enough? In other words, companies could sniff the location of users using their IP address or lat/long data, and then block data sharing (and/or ask for consent) for those in the EU. And for any visitor not in the EU, it would be business-as-usual.
The complication here is what happens when a German resident is traveling in the US, as this method wouldn't block data sharing for them.
Fortunately, the guidance from many legal professionals is that location-targeting is within the "spirit of the law", and that the GDPR refers to "residents" (those currently in the EU), not "citizens".
Still - in the slight chance it proves otherwise, companies would have to block all PII sharing (not just for those currently in the EU) - severely impacting all of ad tech.
The UK left the EU on January 31, 2020, but the GDPR will still apply to all UK countries - at least through the Brexit implementation period that's scheduled to end December 31, 2020.
We'll share updates as they're made available, but it's likely the UK will adopt a similar privacy law.
Where you're headquartered likely won't matter
It's not clear how the GDPR will be enforced outside the EU. Regardless, there are many reasons why you'd want to comply with the GDPR even if you aren't headquartered there:
- If you have offices in or ever want to expand to the EU
- If you want to do business with EU companies or consumers (a GDPR fine, even if non-enforced, is terrible PR)
- If you ever want to be acquired or merge with a larger entity, who would likely require compliance
- If you want to avoid court fees and legal hassles
Additionally, the EU can appeal to international law. For companies in the US, this means that US authorities could assist the EU in enforcing the fine, leaving little recourse for escaping it.
How does GDPR compare to CCPA, LGPD, and PDPA?
CCPA is a US privacy law centered on California residents. LGPD is a Brazilian privacy law centered on Brazilian users. Thailand's PDPA is a privacy law centered on Thai users. All three are similar to GDPR but not just "light" versions. For detailed summaries of how these laws affect ad tech, you can read our CCPA overview, LGPD overview, and PDPA overview.
Thanks for the write-up! Any additional reading materials?
Yes, and thank you! As this article isn't a holistic GDPR overview, we've compiled a list of a few additional resources.
Official GDPR Texts
GDPR Guides From Data Processors
Consent UX Examples
Overall Industry Privacy
"SameSite Cookie Attribute: What It Is And Why It Matters" - Adzerk
"How Apple’s Safari ITP Can Limit Your Ad Revenue — and How to Counter That" - Adzerk
"Third-Party Agreements: The Bulletproof Checklist for Evaluating Vendors" - Red Clover Advisors