The EU’s General Data Protection Regulation (GDPR), set to go into effect on May 25, 2018, will fundamentally change how companies are legally able to handle personal data. Given that much of the value creation of adtech companies is derived from applying data to deliver more relevant advertisements, the implications are massive for our industry.
The European Parliament, the Council of the European Union and the European Commission adopted GDPR in 2016 to strengthen and unify data protection for individuals, referred to as data subjects, in the EU. In addition to protecting personal data, it also aims to give control back to individuals over their data and to simplify the regulatory environment for international business. So what does this mean? Let’s dig in.
Who does GDPR apply to?
Pretty much every AdTech business. Specifically, GDPR applies to any company that processes personal data of data subjects in EU member states, even if the data subject is not an EU citizen. It also applies to the processing of Europeans’ data, even if the company that processes personal data is outside of Europe. Geographically speaking, GDPR’s reach is unprecedented. Economically speaking, the fines are severe; companies can face fines up to 4% of the annual global turnover (revenue) of the company, including its ultimate parent company, or €20 million, whichever is greater.
What does the processing of personal data mean?
Processing covers pretty much anything you could imagine doing to personal data; it includes collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
What are data controllers and data processors?
Both ‘controllers’ and ‘processors’ of data have to abide by GDPR. While the controller determines the purposes and means of processing personal data, the processor solely processes the data on behalf of the controller. For the controller, there is a cascade of responsibility when it comes to processing data, as they are not only responsible for ensuring they comply with GDPR, but are also accountable for the compliance of downstream processors.
What is personal data?
The definition of personal data is broad under GDPR and includes any information related to an identified or identifiable natural person. Identification can be direct, like a name, or indirect, like a phone number, cookie ID or IP address.
GDPR also covers pseudonymised data, which is defined in Article 4(5) as:
…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information…
Pseudonymization strips out the identifying portions of the data and replaces them with artificial identifiers, or pseudonyms. For example, you could replace a name with a unique number to pseudonymize it, rendering the data less identifying. However, GDPR is forward-looking in that it not only covers whether pseudonymized data could be reasonably tied back to an individual now, but it also applies to future methods for singling out the data subject. Thus, even pseudonymized data is subject to the same compliance requirements as other types of personal data under GDPR. Only truly anonymized data, which is impossible to reverse engineer to identify someone, falls outside of the scope of GDPR. Unfortunately, truly anonymized data is not likely to have real commercial value for adtech companies.
It is important to remember that processing personal data is not illegal under GDPR, but instead requires the use of at least one of the six legal grounds for processing data and the provision of defined rights.
What are the six legal grounds for processing data?
Legal grounds for processing data include:
- Consent from the data subject
- Legitimate interest of the data controller
- Performance of a contract to which the data subject is party
- Controller’s compliance with a legal obligation
- Protection of the vital interests of a natural person
- Public interest / Controller representing official authority
The first two will be the most applicable to companies in the adtech industry, so we’ll focus there.
What is consent?
Consent is a statement or clear affirmative action signifying agreement to the processing of personal data. It must be:
- Freely given – genuine choice, no duress
- Specific – no blanket consent
- Informed – full transparency
- Unambiguous – no doubt as to meaning of action
- Affirmative – silence or inactivity (e.g., not using a provided opt-out) cannot be consent
Additionally, controllers must be able to demonstrate that the data subject has consented to the processing of his/her personal data. Users must also be able to revoke consent at any time and doing so must be as easy as granting consent in the first place.
What is legitimate interest?
“Legitimate interest” is one of the more ambiguous and confusing concepts within GDPR. Here is how it reads in Article 6(1):
…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
While legitimate interest casts a broad umbrella that can include several activities key to adtech including marketing, there is a real balancing test to be applied, comparing the legitimate interest of the controller and the fundamental rights and interests of the data subject.
The balancing test weighs the reasonable expectation data subjects have regarding how their data is processed in a given situation against the legitimate interest the business has to process their data.
As a basic example, when a user goes to a non-subscription-based website (read: ad-supported), it can be argued they can expect to receive relevant advertising derived from anonymized segments in exchange for that free content. However, it would surpass reasonable expectations and infringe on privacy if the website collected and sold non-anonymized personal data to third parties without disclosing it to the user.
What rights do data subjects have under GDPR?
Regardless of what basis you choose for processing, companies are still required to notify the data subject of the collection and processing of their personal data. The information must be concise, transparent and delivered in an easily accessible format. In addition to having the right to access the data you’ve collected on them, data subjects also have the following rights as they relate to their personal data:
- The right to rectification or erasure
- The right to restrict or object to processing
- The right to data portability (i.e. to move that data onto another platform – like a competitor’s platform)
GDPR is an undeniably complex regulation that will have broad impacts on the adtech industry. Feeling overwhelmed? Stay tuned. We’ll be rolling out a series of blog posts dedicated to helping our publishers and partners educate themselves on GDPR and prepare for its implementation.
Leah Brite, Director, Product Marketing