Geared for publishers, advertisers, and ad tech vendors, this article aims to explain the EU General Data Protection Regulation (GDPR).
Please note, we are not a law firm. Please view this as informational, not legal advice.
The GDPR, or the General Data Protection Regulation, is a European privacy law approved by the European Commission in April 2016. The GDPR regulates, amongst other things, how organizations may obtain, use, and store the personal data of EU residents (the EU is comprised of 27 countries and 445M people).
At its core, the GDPR follows two main principles:
The GDPR enables EU citizens, not online vendors, to have the final say on how their data will be used. Thus, consumer consent is required for PII collection, sharing, and usage. The GDPR also introduces the idea of "data rights", whereby individuals have the right to see, edit, and delete data a 3rd-party has on them.
The GDPR imposes tighter restrictions on how companies handle PII. This includes limiting what they collect, adding better security protocols, hiring Data Protection Officers, having data breach notification plans, and more.
The GDPR affects all organizations with an EU presence or who process personal data of EU citizens. This covers nearly every brand and effectively all of ad tech. On May 25th, 2018, EU started officially enforcing the GDPR, and the fines can be as high as 20M Euros or 4% of your yearly revenue, whichever is higher.
It's important to note that if illegal data is used for ad targeting, then all parties could be liable: the publisher who shares the data, the exchange that accepts it, the DMP that sells it, and the advertiser that uses it.
If you're interested in seeing a running tally of GDPR fines and who's being fined, there's a GDPR fines tracker here.
The GDPR is primarily against:
Advertising is not the sole activity GDPR wants to limit: it’s against any company that uses data without the user's consent to make personalized decisions. For instance, imagine an online bank ingesting your computer's IP address, comparing it to household incomes in your area, and denying you a credit increase based on that.
For example, if a data broker has a “rural and barely making it” segment (composed of IP addresses) and sells it to a gambling firm unbeknownst to the user, the gambling company could show those people ads and take advantage of their situation. The GDPR sees such practices as illegal and aims to quash them.
Even though most in the ad serving space aren’t doing anything nefarious, the GDPR regulations nonetheless impact EU ad serving (especially programmatic ads), hurting publishers, advertisers, and ad tech, no matter where one is headquartered.
If you have to ask, it's probably PII. It includes, but isn't limited to: name, SSN, IP address, lat/long coordinates, cookie IDs, user agents, RFID numbers, mobile identifiers (IDFA/GAID/etc), e-mail, physical address, and biometric/financial/behavioral/demographic data.
For publishers, probably the biggest change is that it's now illegal to share IP addresses and do user matching (cookies/mobile IDs) with their ad partners for EU traffic. Even frequency capping and interest targeting for direct-sold campaigns could be impacted. And without user matching, the value of one's traffic drops significantly, hurting everyone in the ad tech chain.
These rights are not theoretical; companies need to enable EU citizens to exercise them.
|Right to informed consent||Users must be clearly informed of what data is collected, why it's needed, and how it will be used|
|Right to be forgotten||User can request the data be deleted|
|Right to object||User can prohibit certain data uses (i.e., opt-out)|
|Right to rectification||User can request that any data be changed|
|Right to portability||User can request that the personal data be transferred|
|Right to access||User can access all collected data|
Honoring these rights is important to the GDPR, so even if you collect consent, you'd be violating the law if you then don't provide a way for users to see and change what data you have on them.
To clarify, the GDPR doesn't outlaw PII usage; it just requires companies to get explicit permission first to use it. Brands can by all means continue to do cookie matching, frequency targeting, programmatic ads, etc, as long as the user consents to it.
Getting this consent boils down into two parts:
Users must be told how and why you are using the data, including:
|What||Explain what type of data will be collected/shared. It must be specific to distinct purposes (i.e., getting consent to track IP addresses doesn't mean you can later track e-mails too)|
|With whom||You have to detail the specific vendors with whom you're sharing data|
|Why||Purpose of why you're collecting and/or sharing the data|
|Retention period||How long this data will be saved for|
|Specificity||All of the above have to be explicit and clear; vague statements like “for marketing purposes” or “future research” aren’t likely to be specific enough|
|Changes||If you add in a new vendor or want to collect different data, you need new consent|
Beyond the info you give, there are explicit rules on how you can legally ask for consent.
|Opt-in||Silence, pre-ticked boxes, or inactivity aren't enough. It has to be an opt-in checkbox/button the user clicks|
|Can't penalize users||You can't deny services/content to someone who refuses to give consent|
|Can't force a "yes"||Going along with above, you can't require a data-sharing "yes" to finish a registration process; it has to be optional without a penalty|
|Have to honor||If you'd still process the data regardless, asking for consent is misleading|
Additionally, as long as brands provide details on all the ways the data will be used, they can ask for consent with a single opt-in button (versus having different checkboxes for different ways of using the data).
It's still unclear how draconian EU regulators will be toward the consent-asking process. For instance, if you'd like to get consent for direct-sold campaigns, it may be fine having a disclaimer like, "We will be collecting and storing your IP address, mobile identifier, and browsing behavior in our internal database to show you more tailored, direct-sold advertisements."
Additionally, if you are using a 3rd-party to show ads (aka using an ad network/exchange), it's possible you'll need to mention all those involved (the ad server, exchange, DMPs, DSPs, etc), which makes getting consent for programmatic ads infeasible. That said, it may be that a broader statement of "we'll be sharing with various advertising partners" would be enough.
For more information on CMPs, check out our Consent Management Platforms: The Definitive Guide, as well as our Ad Tech Insights CMP tracker.
They are helping to simplify the consent lifecycle, although there is still the possibility that regulators view them as still too broad in their language.
Article 6.1(f) will likely be the most debated clause in ad tech. It says that data collection and profiling (without consent) is allowed if the controller or 3rd-party has a "legitimate interest" in doing so.
Ad tech rejoices! Since every business has a legitimate interest to not go bankrupt, nothing should change.
Alas, the law also states that legitimate interest only works if it doesn’t infringe on the rights of the data subject - which, in the eyes of the GDPR, is something that most advertising does. Additionally, the Article 29 Working Party has concluded that behavioral advertising and data brokering doesn’t fall under this clause.
(“Direct marketing” refers to adverts that don’t involve a 3rd-party, such as you ordering online from Pizza Hut, and then they e-mail you a special offer.)
Whether or not you need consent for web tracking tools like Google Analytics depends on which EU country's ruling you prefer, as they have come to competing conclusions. For a detailed overview, we have a guide to GDPR and Google Analytics compliance.
One heuristic for determining what data you can collect without consent is to ask yourself if the user “reasonably expects” their data to be used in a certain way.
|Scenario||Reasonable (likely no consent needed)||Not reasonable (likely needs consent)|
|You are a business looking for a new paid search vendor, and you fill out their “contact us” form||That the vendor is storing your info in a 3rd-party CRM||That the vendor then sells your e-mail to a data broker|
|You’re browsing Amazon.com||That Amazon will tailor the "recommended products" based on what you've purchased||That Amazon then retargets you on different websites with items you've looked at|
|You are applying for a bank loan||That the bank uses your info to look into your credit history||That the bank matches data about your location (using your computer's IP address) with household incomes and increases your interest rate based on that|
One of the biggest uncertainties with the GDPR is what we're calling the "traveling European" problem: is blocking data sharing for users currently in an EU-country be enough? In other words, companies could sniff the location of users using their IP address or lat/long data, and then block data sharing (and/or ask for consent) for those in the EU. And for any visitor not in the EU, it would be business-as-usual.
The complication here is what happens when a German resident is traveling in the US, as this method wouldn't block data sharing for them.
Still - in the slight chance it proves otherwise, companies would have to block all PII sharing (not just for those currently in the EU) - severely impacting all of ad tech.
The UK left the EU on January 31, 2020, but the GDPR will still apply to all UK countries - at least through the Brexit implementation period that's scheduled to end December 31, 2020.
We'll share updates as they're made available, but it's likely the UK will adopt a similar privacy law.
It's not clear how the GDPR will be enforced outside the EU. Regardless, there are many reasons why you'd want to comply with the GDPR even if you aren't headquartered there:
Additionally, the EU can appeal to international law. For companies in the US, this means that US authorities could assist the EU in enforcing the fine, leaving little recourse for escaping it.
CCPA is a US privacy law centered on California residents. LGPD is a Brazilian privacy law centered on Brazilian users. Thailand's PDPA is a privacy law centered on Thai users. All three are similar to GDPR but not just "light" versions. For detailed summaries of how these laws affect ad tech, you can read our CCPA overview, LGPD overview, and PDPA overview.
Yes, and thank you! As this article isn't a holistic GDPR overview, we've compiled a list of a few additional resources.
Chris has worked in ad tech for over fourteen years in a variety of roles - giving him customer support, PM, and marketing perspectives from both the advertiser and publisher sides. He's the VP of Marketing at Kevel.