The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. Learn about the regulation and its impact on the digital advertising industry. Need to better understand GDPR's impact on your business’s data processing activities? IAB and the IAB Global Network are here to help you navigate this new regulation.
The GDPR imposes new requirements on companies that collect, use, and share data about EU citizens. As of May 25, 2018, all companies handling data of EU citizens must adhere to these new data privacy and security measures, regardless of whether the organization is located within the EU. Companies that fail to comply with these new rules could be subject to fines as high as 4% of annual global revenue. Several key definitional changes that impact the digital advertising industry include:
A broader definition of personal data that includes IP addresses and cookie identifiers: Article 4.1: “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
A higher standard for establishing valid consent: Article 4.11: “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The introduction of the concepts of profiling and automated decision making: Article 4.4: “profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
Companies must provide users the ability to exercise the following rights over their personal data:
Launched on April 24, 2018, the GDPR Transparency & Consent Framework (Framework) has a simple objective – to help all companies in the digital advertising chain ensure that they comply with the EU’s General Data Protection Regulation when processing personal data or accessing non-personal or personal data on user devices.
The Framework is particularly relevant for “first parties,” publishers and other suppliers of online services, who partner with “third parties” (vendors) to enable those third parties to process user data on one of the legal bases laid down by the Regulation, including both legitimate interests and consent, where applicable. The Framework standardizes the capture of user consent for data processing and “signals” this information across the advertising supply chain. It is open-source and not-for-profit, with consensus-based industry governance led by IAB Europe, significant support from industry parties, and technical support from IAB Tech Lab.
A key piece of the Framework is a unique registry of third-party data controllers, a Global Vendor List, on whose behalf consent may be requested by the first parties that have the direct interface with users.
If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe.
Fines can be high for non-compliance with GDPR: Serious infringements can result in fines of up to €20m, or 4% of your company’s global annual revenue, whichever is higher. Advertising identifiers are now explicitly within the scope of personal data and companies that collect and use these identifiers must demonstrate a valid legal basis for doing so.
New obligations for demonstrating valid consent will require companies to go beyond existing “cookie banners”.
Here are some links and resources with more information about the EU General Data Protection Regulation (GDPR):
May 17: “Implementing the Transparency and Consent Framework: A Technical How-To and Q&A Webinar” - In the final weeks before the GDPR May 25th enforcement date, this webinar gives product and engineering leads from publishers, buyers, and ad tech vendors the opportunity to walk through implementation details in the Transparency and Consent Framework. We’ll walk through common questions and the guidance that is given in accordance with the technical specifications. There will be an open Q&A session for you to ask the experts your questions!
The Transparency and Consent Framework: A Technical How-To and Q&A
The Transparency and Consent Framework: A Technical How-To and Q&A 2
May 11: “Beyond Readiness: GDPR - What to expect after May 25” - Join IAB for a dynamic policy symposium exploring what the digital advertising industry can expect after the May 25 GDPR implementation deadline. Leading industry experts and key U.S. and EU lawmakers will explore topics including the latest guidance and enforcement trends, the upcoming ePrivacy Regulation, and the GDPR’s impact on U.S. and global privacy laws.
May 10: “GDPR Publisher Roundtable” - Join IAB and the IAB Tech Lab for a discussion on the latest GDPR compliance developments, including information about the recently released GDPR Transparency and Consent Framework. Open to all IAB and IAB Tech Lab members, this event will explore current and future GDPR compliance challenges and solutions with an emphasis on the publisher’s perspective.
Watch the GDPR Publisher Roundtable Video