What is GDPR?

GDPR (General Data Protection Regulation) is a regulation in EU law that creates consistent data protection and privacy rules across the EU. It was adopted by the EU Parliament in April 2016 and became enforceable on May 25, 2018. It is intended to give people in the EU control over what data is collected about them by publishers, technology companies, and brands. Where a brand relies on consent to process personal data for marketing purposes, that consent has to be an explicit opt-in from the individual, not an opt-out buried in a policy. The fines associated with violations are substantial: up to 20 million euros or 4% of global annual turnover, whichever is higher.

Who does it impact?

While it is an EU regulation, it applies to any business that offers goods or services to, or processes and holds personal data of, data subjects residing in the EU, regardless of the physical location of the business. If your site collects personal data from visitors in the EU, that processing must be GDPR compliant.

  • Consumers now have a greater ability to understand and control what information a business has collected about them.
  • Please note that although the UK has left the EU, Brexit does not remove the obligation: the UK retained the regulation in domestic law as the UK GDPR, so compliance is still required for UK audiences.

How should companies prepare?

Companies should confer with their IT/webmaster team to ensure they have proper privacy policies in place (and reachable within 2 clicks of any point where data is collected). Wherever data is being collected, it is recommended to clearly define what data is being collected and how it will be used. These regulations are expected to be enforced with strict monetary penalties. As each entity is responsible for ensuring it is compliant, it is recommended that a Data Protection Officer be appointed to develop a compliance framework that is adopted across the company. These regulations will continue to evolve and may have different definitions and implications by region. It is recommended that companies institute a consent management platform (CMP), such as OneTrust or Evidon, to ensure proper compliance.

  • eEffective is not associated with either OneTrust or Evidon, but our DMP can integrate via API with both, so that your EU audience consent rules are passed through to our campaigns.
  • Examples of questions that businesses should ensure are being answered (but not limited to):
    • Who is collecting the data?
    • What data is being collected, and what is considered essential data?
    • What is the legal basis for processing the data?
    • Will the data be shared with any third parties?
    • How will the information be used?

In relation to advertising, at any point where a business collects conversion or audience data using pixels or form fills, the business must notify the consumer in a way that meets the compliance guidelines. Privacy policies should clearly define how any collected data is used. There should also be an opt-out opportunity for anyone who does not wish to have their data used, as well as a way for individuals to gain access to any records that may be stored about them. It is recommended that each client, if not already doing so, begin discussions on onboarding a Consent Management Platform (CMP). Given current legislation in states such as California (the CCPA, for example), it is likely that GDPR-style regulations will also be enforced in the US.

How does this impact advertising?

Most vendors have been preparing for GDPR since it became enforceable (and in many cases since it was approved in 2016). Rather than making isolated changes strictly for the EU, they are rolling out global changes. Examples are limits on how long personal data can be stored, and ensuring that consent is obtained before cookies are set or data is collected. eEffective and our tech partners are GDPR compliant. If we are working with you on EU-related campaigns, we require a signed Data Processing Agreement that identifies eEffective as the data processor and your brand as the data controller.

With display/audience-targeted advertising managed through eEffective, ads served include opt-out opportunities through services such as AdChoices (https://www.youradchoices.com/). Google and Facebook have also made policy changes to how data is collected and used across their platforms. In some cases (Facebook, for example), there may be limitations on targeting capabilities that were previously allowed.

In terms of our DMP (Data Management Platform), all accounts are set to "strict" in the EU. This means that we collect no data from EU audiences unless they have specifically consented; the absence of a consent signal is treated as a denial, not as permission. We have also adopted a Consent Management API that passes our clients' CMP preferences directly to our DMP, so that the DMP honours the same consent decisions the client's CMP recorded.

While it is up to each third party to ensure that it follows the new regulations, each of our tech partners has committed to the compliance requirements set forth. Please note that an opt-out is typically stored in the browser (for example as a cookie), so it may not prevent that person from ever being served a specific ad: clearing browsing history, changing preferences, or using another device or browser can result in being served ads that the person had previously asked to be excluded from.

Clients must have a kick-off call with the eEffective Data Officer covering how they intend to use EU data and what data they expect to collect.

  • Client must have a consent management platform in place.
  • Client must sign the Data Processing Agreement.
  • If a client wishes to use the DMP for tracking EU audiences, they must implement the DMP Consent Management API and must state that intention in the initial DMP pixel request, so that no EU data is collected before the consent signal is available.
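To make the "strict" default and the consent pass-through concrete, the following is an added JavaScript example written for this page. It is not eEffective's code and does not use the DMP Consent Management API or any CMP's real API; the consent record shape, the function names (decideCollection, pixelRequestFor, firePixel), the purpose labels, the 12-month re-consent window and the pixel host are all assumptions for illustration. It shows a pixel that refuses to fire for an EU visitor unless an explicit, current, purpose-matching consent record exists, and that carries the consent status along with the request so the receiving processor can apply the same rule.

```javascript
// Added example (not eEffective's code or its DMP Consent Management API):
// a default-deny ("strict") consent gate in front of a tracking pixel.
// All names here, the consent record shape and the 12-month window are
// hypothetical illustrations of the policy described on the page.

// Consent record shape assumed for this example. A real CMP (OneTrust, Evidon or
// an IAB TCF-based CMP) exposes its own structure; map it into this shape first.
//   { status: 'explicit' | 'optout' | 'unknown', purposes: ['advertising', ...], grantedAt: <ms epoch> }
const CONSENT_MAX_AGE_MS = 1000 * 60 * 60 * 24 * 365; // assumption: re-ask after 12 months

function decideCollection(consent, ctx, now = Date.now()) {
  const { purpose, inEU } = ctx;
  if (inEU) {
    // Strict mode: no record, a non-explicit status, a stale or undated record,
    // or a purpose that was not granted all mean "do not collect".
    // Silence is never treated as consent.
    if (!consent || consent.status !== 'explicit') {
      return { collect: false, reason: 'no explicit consent' };
    }
    if (typeof consent.grantedAt !== 'number' || now - consent.grantedAt > CONSENT_MAX_AGE_MS) {
      return { collect: false, reason: 'consent record stale or undated' };
    }
    if (!Array.isArray(consent.purposes) || !consent.purposes.includes(purpose)) {
      return { collect: false, reason: `purpose '${purpose}' not granted` };
    }
    return { collect: true, reason: 'explicit consent' };
  }
  // Outside the EU this example only honours an explicit opt-out. The page does
  // not describe the non-EU default, so this branch is an assumption.
  if (consent && consent.status === 'optout') {
    return { collect: false, reason: 'opted out' };
  }
  return { collect: true, reason: 'non-EU default' };
}

// Build the pixel URL the browser would request, or return null when it must not fire.
// The consent status travels with the request so the processor can apply the same rule.
function pixelRequestFor(consent, ctx, base = 'https://dmp.example.invalid/pixel') {
  const decision = decideCollection(consent, ctx);
  if (!decision.collect) return null;
  const url = new URL(base);
  url.searchParams.set('purpose', ctx.purpose);
  url.searchParams.set('eu', ctx.inEU ? '1' : '0');
  url.searchParams.set('consent', consent ? consent.status : 'none');
  if (ctx.campaign) url.searchParams.set('c', ctx.campaign);
  return url.toString();
}

// Browser-side firing; a no-op outside a browser so the module also loads under Node.
// Returns the URL that was (or would have been) requested, or null.
function firePixel(consent, ctx) {
  const url = pixelRequestFor(consent, ctx);
  if (url && typeof Image !== 'undefined') {
    new Image().src = url;
  }
  return url;
}

// Constructed sample records (not real user data).
const explicitAdConsent = { status: 'explicit', purposes: ['advertising'], grantedAt: Date.now() - 1000 };
const euVisitor = { purpose: 'advertising', inEU: true, campaign: 'spring' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(firePixel(null, euVisitor));              // null: strict mode, no consent record
  console.log(firePixel(explicitAdConsent, euVisitor)); // pixel URL carrying purpose, eu=1 and consent=explicit
}
```

The point of the gate is the order of checks: the EU branch never reaches the "collect" result without a record that is explicit, recent and scoped to the purpose being served, and an unreadable or missing CMP response falls through to a refusal rather than to a default. A real integration would replace the constructed consent object with the value read from the client's CMP and the hypothetical pixel host with the DMP endpoint.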

Resources:

EU GDPR: https://www.eugdpr.org/eugdpr.org.html

Google Privacy Policy: https://privacy.google.com/

Google EU User Consent Policy: https://www.google.com/about/company/user-consent-policy.html

Digiday Guide To GDPR: https://digiday.com/wp-content/uploads/2018/01/GDPR-download.pdf

Facebook General Consent Guide: https://developers.facebook.com/docs/privacy

Facebook GDPR: https://www.facebook.com/business/gdpr

Google Consent Tools: https://www.cookiechoices.org/intl/en/