The EU’s General Data Protection Regulation (GDPR)


The EU’s General Data Protection Regulation (GDPR - full text here: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf) was passed in 2016. A somewhat similar directive (the 1995 Data Protection Directive) has been in force since 1995. GDPR covers a wide range of data protections, but most relevant here is data relating to online activities. Other things like CCTV analysis, automated credit assessment, HR databases, etc. are also covered. Certain elements of GDPR represent a dramatic overhaul that can change the face of ad tech in Europe. Enforcement of GDPR begins on May 25, 2018. Failure to meet the requirements may result in a penalty of up to the greater of €20 million or 4% of annual worldwide turnover - making it very significant. 

A material distinction is that the 1995 directive applied only to processing of data within the EU proper. The GDPR now also applies to organizations with no EU establishment, where they process the personal data of people in the EU in connection with offering them goods or services or monitoring their behavior - regardless of where the processing occurs. (Note that the test is whether the data subject is in the EU, not whether they hold EU citizenship.) Thus an American entity with no EU presence whatsoever may still be subject to the GDPR, to the extent that it processes data of people in the EU or is targeting them. Merely having a website that EU residents can access, but otherwise having no presence in the EU and no intent to sell to EU residents (e.g. only having a .com, not a .fr site), would not necessarily cause the proprietor of that website to be subject to the GDPR. To the extent that a company monitors the behavior of people in the EU and uses that data for behavioral or other decisioning, it would be subject to the GDPR. TripleLift, regardless, has a material EU presence and is thus required to conform to the GDPR. 

The GDPR is concerned with personal data; anonymous data is exempt. That said, the threshold for anonymity is high, because the definition of personal data explicitly includes identification numbers and online identifiers. “Anonymous” cookie IDs are therefore not anonymous under the GDPR - at best they are pseudonymous, and they remain personal data. The GDPR is also concerned with “processing” this data. Again, the threshold is very low - processing means any operation performed upon personal data, such as collection, recording, organization, storage, use, disclosure, etc. 

Controllers and processors are important concepts in the GDPR. A controller is the entity that determines the purposes and means of processing personal data. The controller must be able to demonstrate compliance with the GDPR, and is responsible for implementing measures to ensure its data processing meets the requirements of the GDPR. All controllers must keep records of their processing activities and, upon request, these must be disclosed to the relevant authorities (there are certain exemptions for organizations with fewer than 250 employees, which do not apply where the processing is not occasional or involves sensitive data). Controllers outside the EU must designate a representative in the EU that is subject to enforcement actions. Data security is a major component of the GDPR. Controllers whose core activities involve large-scale, regular and systematic monitoring of individuals (which describes most of ad tech), or large-scale processing of sensitive data, are required to appoint a Data Protection Officer (DPO) with expert knowledge of data protection law and practice. The company for which the DPO works cannot instruct them in the performance of their duties, nor can it dismiss or penalize the DPO as a result of their work. Controllers are required to process data in a secure fashion, and to notify the supervisory authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals), as well as to notify the affected data subjects without undue delay where the breach is likely to result in a high risk (with an exemption where the risk is limited because, e.g., the data was encrypted). 

The processor is an entity that processes the data on behalf of the controller. Previously, processors did not have a direct legal obligation - whereas the controller did. Under the GDPR, processors now must have contracts with controllers that set out the nature and purpose of the processing and bind them to obligations matching the controller’s own requirements - and are now subject to the GDPR themselves, including around keeping processing records, appointing a DPO and reporting data breaches to the controller. Processors may only act on the controller’s documented instructions; a processor that starts deciding for itself why or how the data is used becomes a controller for that processing. 

Affirmative consent for data processing (a clear opt-in, not a failure to opt out) is a core component of the GDPR. Consent is one of several lawful bases for processing listed in Article 6 (the others include performance of a contract and the controller’s legitimate interests), but where consent is relied on, it must be freely given, specific, informed and unambiguous. The consent request must include the identity of the controller(s) and the specific purposes of data processing (no other purposes are allowed, other than “compatible” purposes) - disclosed in clear language - as well as how to communicate with the controller about how their data is being processed. The consent must be knowing - no pre-ticked boxes or similar. The user must retain the right to withdraw their consent at any time without detriment, as well as the right to receive the personal data held by the controller in a structured, commonly used and machine-readable format (data portability). The data must also be stored in a manner compatible with the EU’s right to be forgotten. When there is a clear imbalance between the controller and the data subject (e.g. an employer and employee), the validity of any consent is questioned under GDPR and other factors must be considered. 

How does this all impact TripleLift? The attorneys we speak to simply have no idea how things will play out in ad tech. The important distinction is that persistent cookie identifiers are now considered non-anonymous. As a result, TripleLift is now either a controller or a processor. It would be preferable to be a processor - meaning that we would not need to obtain consent directly. Instead, we would require our European-focused publishers to obtain consents that enable them to use data for advertising purposes. This would require the publisher to prescribe, in documented instructions, how we use their data on their behalf. Given our relatively limited need for the user data (DSPs, on the other hand...), this might be doable with an amendment to our publisher contract. 

If we are to be a controller, TripleLift must obtain valid consent from every user. On a practical level, this is quite hard. Publishers will likely include pop-ups, much worse than their current cookie pop-ups, that list the other controllers (e.g. TripleLift) that will be processing data and obtain opt-ins. Since the user must expressly opt in, these will become more intrusive - and will carry a long list of the companies that the publisher works with, which will likely result in a fairly irritating user experience across the European internet. TripleLift will likely need to develop functionality to enable a user to see the information we have about them, and to enable them to delete their profiles. It is unclear how DSPs that do not have any relationship with the publisher will obtain any form of consent, though companies may emerge that provide global forms of “all-the-ad-tech-players” opt-ins and vendor management. Or this may have the effect of fundamentally changing the balance of power in Europe towards the SSP for user data and analysis. The DSPs may look to the SSPs to act as their “processors” in terms of collecting and analyzing user behavior (which, in turn, the SSPs would specify with the publishers and which would appear in the user consent). 

Some in the industry believe that this will help the publishers themselves. This stems from the belief that “ad tech” will eventually be removed from the equation and agencies will deal directly with publishers. Given the relentless march towards more automation and more programmatic media buying, it is highly unlikely that the entire industry will walk away from 20 years of work. Instead, ads will simply be less targeted, buyers will spend less because their ads will be less effective, and publishers will suffer.