The EU’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and requires a significant amount of coordination between all members of the digital advertising ecosystem.
In our previous GDPR posts, we focused on the impact of GDPR on the supply-side of the business. In this blog post, we’ll focus on the buy-side of the ecosystem.
GDPR roles in ad tech
Under GDPR, SpotX views the publisher as the controller, and therefore the publisher is responsible for determining the legal basis for processing Personal Data. SpotX views itself as a processor, processing personal data on behalf of the controller. This means that the demand-side platform (DSP) serves as a sub-processor, processing Personal Data provided by SpotX to complete “the purposes and means” the Controller defines, i.e., monetizing impressions.
Under this interpretation, both SpotX and the DSP rely on the publisher to establish its legal basis for processing the personal data it collects on a data subject. These roles are defined and the chain of liability is secured through the use of data processing agreements (DPAs) between controllers, processors and sub-processors. If a DSP does not sign a DPA with us by May 25, we will not send bid requests originating from within the EU to that DSP.
Legal grounds for processing personal data
There are six legal grounds for processing personal data; the two most applicable to advertising are legitimate interest and consent from the data subject.
- Legitimate Interest: Anything that is legal can be a legitimate interest, but we must maintain a balance between the legitimate interest of the controller and the fundamental rights and interests of the data subject. Where the controller relies on legitimate interest, we are prepared with our own legal basis, also grounded in legitimate interest.
- Consent: Consent is a statement or clear affirmative action signifying agreement on behalf of the user to have their personal data processed. Where the controller relies on consent, we plan to utilize the IAB’s consent mechanism.
How will SpotX communicate if GDPR applies in the bid request?
SpotX will follow the IAB’s OpenRTB Advisory recommendation to communicate GDPR to DSPs in the bid request using custom extensions of the Regs and User objects.
The regs object will communicate whether or not the request is subject to GDPR, using the extension attribute regs.ext.gdpr. A value of 0 indicates that the request does not originate from a data subject to whom GDPR applies; a value of 1 indicates that the request originates from a data subject under the jurisdiction of GDPR.
The user object will be used to communicate user consent; although not required, it is highly recommended when the request is subject to GDPR. The extension attribute user.ext.consent will be used with an optional string value, also called the daisybit, that will allow publishers to collect and communicate vendor-specific consent. The data structure for this string was defined by IAB Europe’s GDPR Consent Working Group in April 2018, and as such, industry-wide adoption by the May 25 deadline is unrealistic.
If publishers send us a blank User object, we will process the personal data and continue with the bid request under the legitimate interest legal basis.
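The signalling described above, as an added example that is not SpotX's or the IAB's code: it reads regs.ext.gdpr and user.ext.consent from a bid request and derives the legal basis the request travels under. The function names, the action labels, the sample requests, and the choice to treat a missing or malformed gdpr flag as if GDPR applied are assumptions made for illustration.

```python
import json

def _ext(request, obj_name):
    """Return request[obj_name]["ext"] as a dict, or {} if absent or malformed."""
    obj = request.get(obj_name) if isinstance(request, dict) else None
    ext = obj.get("ext") if isinstance(obj, dict) else None
    return ext if isinstance(ext, dict) else {}

def classify_gdpr_signal(request):
    """Map regs.ext.gdpr and user.ext.consent to a scope and a legal basis."""
    gdpr = _ext(request, "regs").get("gdpr")
    consent = _ext(request, "user").get("consent")
    # Only the integers 0 and 1 are defined; anything else (missing, "1", true)
    # is reported as "unknown". Assumption: unknown is handled like GDPR scope.
    if type(gdpr) is int and gdpr in (0, 1):
        scope = "gdpr" if gdpr == 1 else "not_gdpr"
    else:
        scope = "unknown"
    has_consent = isinstance(consent, str) and consent.strip() != ""
    if scope == "not_gdpr":
        basis = "not_applicable"
    elif has_consent:
        basis = "consent_string"       # opaque here; the daisybit is not decoded
    else:
        basis = "legitimate_interest"  # the page's rule for a blank User object
    return {"scope": scope, "basis": basis}

def dsp_action(signal, accepts_legitimate_interest):
    """Hypothetical DSP-side gate built on the classification above."""
    if signal["scope"] == "not_gdpr":
        return "process"
    if signal["basis"] == "consent_string":
        return "decode_consent"        # vendor-specific consent must be checked
    return "process" if accepts_legitimate_interest else "no_personal_data"

# Constructed sample bid requests (trimmed to the fields discussed above).
SAMPLES = {
    "non_eu": json.loads('{"id": "a", "regs": {"ext": {"gdpr": 0}}, "user": {"id": "u1"}}'),
    "eu_blank_user": json.loads('{"id": "b", "regs": {"ext": {"gdpr": 1}}, "user": {}}'),
    "eu_consent": json.loads('{"id": "c", "regs": {"ext": {"gdpr": 1}},'
                             ' "user": {"ext": {"consent": "PLACEHOLDER-CONSENT-STRING"}}}'),
    "malformed": json.loads('{"id": "d", "regs": {"ext": {"gdpr": "1"}}, "user": null}'),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        sig = classify_gdpr_signal(req)
        print(name, sig, dsp_action(sig, accepts_legitimate_interest=False))
```

A DSP that does not accept legitimate interest ends up with "no_personal_data" for every GDPR request that arrives without a consent string, which is the traffic reduction discussed in the next section.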
Will the DSPs that accept legitimate interest please stand up?
In our discussions with publishers, we learned that most will utilize legitimate interest as their legal basis for processing personal data. Given that it is an equally valid legal basis for processing under GDPR, we expect that this method will have minimal impact on publisher traffic in the EU. The Information Commissioner’s Office (ICO) has a helpful checklist of questions to ask when using legitimate interest. Most questions revolve around the balancing test of the interests of the data subject vs. the company, and the company’s behaviors are justifiable as long as the correct transparency, data minimization and control measures are in place.
On the other hand, several large DSPs have indicated they will only accept affirmative vendor-specific consent for processing/bidding. Initial testing has shown that this could result in a significant reduction in traffic from the EU. We also do not expect immediate, industry-wide adoption of the full IAB daisybit consent framework, which could further limit the available traffic for these DSPs to bid on if they require publishers to name them specifically in the affirmative consent. We encourage any DSP that is willing to utilize legitimate interest to speak up to buyers and the market, as the ad dollars in the EU will still need to reach their target audiences after May 25.
Why does this matter for brands and agencies?
If you’re a brand or agency buying through a DSP that requires affirmative vendor-specific consent for bidding, you could see a sudden decline in your ability to reach EU audiences after May 25. To avoid an inability to reach European audiences, we suggest that you evaluate using a DSP that is willing to proceed using legitimate interest or binary consent. If this isn’t an option, you should explore ways to buy without personal data. For example, you could conduct a historical analysis of where you’ve successfully reached your target audience in the past, and continue to buy impressions from publisher properties where you consistently saw your target audience.
SpotX is committed to upholding GDPR and is diligently working to align all of our demand partners in support of this regulation. Reach out to your SpotX account team if you have any questions about GDPR and what you must do to comply by the May 25, 2018 deadline.
Want to learn more about GDPR? Check out the rest of our series:
- SpotX’s GDPR Task Force
- What is GDPR? What You need to Know about Ad Tech and the General Data Protection Regulation
- GDPR: Top 7 Things Publishers Should Do to Protect Themselves
- How US Based companies should be thinking about GDPR
- Why US companies should care about PII, non-PII, and Personal Data
- What is ‘Privacy by Design and Default’ and how can it help me make tough choices in a post-GDPR world?
- How GDPR will tighten Google and Facebook’s grip on global advertising dollars – Isn’t it ironic?
- Vlog: Senior Product Manager, Jessica Berman Speaks on GDPR