Overview:
There has been a lot of communication over the past few months related to the upcoming General Data Protection Regulation (GDPR) coming from Europe, as well as growing murmurs of the subsequent ePrivacy Regulation, and the impact these will have on organizations working to maintain compliance in a shifting privacy landscape. Where GDPR is intended to give consumers greater control over, and protection of, their personal data, the purpose of the ePrivacy Regulation is to give further consideration to the rights of European citizens as they pertain to electronic communications. The ePrivacy Regulation is an update to the existing ePrivacy Directive. Centro takes privacy seriously, and as a company, we are taking the necessary steps to be fully GDPR compliant.
It is important to note that the ePrivacy Regulation (separate from GDPR, or viewed as the underpinning to GDPR) is still being crafted, and, until it is agreed to and ratified, exactly what constitutes full compliance is still being worked out. Until the ePrivacy Regulation takes effect, the ePrivacy Directive remains in place. Moreover, the GDPR replaces the current (i.e., murky) consent requirements around the placement of cookies with the GDPR’s own consent definitions. As a result, in most of the EU, default browser settings may not be an appropriate consent tool for cookies and similar tracking technologies after May 25. While it is still mostly up to website operators to obtain consent for cookies, we believe that this interpretation is driving the IAB EU consent framework and the recent call by Google (and others) for consent across the marketplace.
One of the drivers for this guidance is that GDPR recognizes ‘legitimate interest’ as a legal basis for processing personal data (i.e., without consent), which – with some work clarifying roles with our existing data providers and exchanges – allows Centro to continue operating in the EU without significant concern. However, this does limit certain aspects of what vendors such as Centro are able to collect and share back to advertisers: for instance, we have disabled certain macros we generated previously that provide greater insight into the identity of recipients of ads. This being said, many of these macros may be returned to active status once appropriate documentation is in place between the consumers receiving ads, the advertiser collecting consent and Centro.
The goal for all organizations that intend to comply with GDPR and the ePrivacy Regulation, including Centro, is to ensure they are taking the steps necessary to avoid collecting or sharing data that falls under GDPR’s definition of Personally Identifiable Information (expanded to include Cookie ID, Mobile Advertising ID, Lat/Long, etc.), to obtain the permissions necessary to do business that utilizes more intimate user data, and to clearly demonstrate that our activities can be seen and defended as ‘legitimate interest’.
As a company, we are committed to achieving and maintaining compliance once ePrivacy is agreed to and ratified.
GDPR & ePrivacy Compliance:
To ensure we are positioned to successfully continue delivering the tools and services necessary to our European-based and multi-national customer base uninterrupted, we have enlisted the help of multiple outside consultants and experts. To specifically address the requirements of GDPR, we’ve enlisted the help of the ePrivacy Consult organization based in Germany. This engagement is designed to have us evaluate and improve upon current practices, and come out with the necessary documentation required to demonstrate regulatory compliance. To further ensure Centro is positioned for success, we have enlisted the head of ePrivacy Consult, Dr. Christoph Bauer, to act as our Data Privacy Officer and Representative in the EU. This allows us to have a direct view into the regulatory atmosphere in the EU through one of the primary influencers, and also allows us the comfort of knowing nothing will inadvertently slip through the cracks.
In addition to adjusting our Privacy Policy to align with GDPR standards, we will be finalizing a “TOMs” document (Technical and Organizational Measures) that we can share with any current or prospective customer to provide greater clarity around our structure and the systems in place to ensure compliance.
Additional Certifications:
In addition to our engagement and work with the ePrivacy team, we are in the process of working through several certifications to provide our customers with the assurances needed to know that their data is safe with Centro.
In the coming weeks and months, we’ll join the following regulatory bodies:
Additionally, we’re in the process of joining both the EDAA’s and DAA’s consumer choices websites to ensure consumers have an easy and clear understanding of the technologies presently targeting them with advertisements, and the reasons why.
Keep in mind the certifications and memberships mentioned above are in addition to our existing relationships with the following regulatory organizations:
We take our responsibility of protecting our customers’ data seriously, and we see GDPR and ePrivacy as an opportunity to further confirm that commitment to our customers. As we continue to move towards the compliance required at the ratification of ePrivacy, we will provide further insight into our work and the impact that may have for our customers doing business in the European Union.
Additional Resources:
For customers who have ongoing concerns about the impact of GDPR and ePrivacy on their existing business, we are happy to provide additional recommendations for external providers who can help navigate the legal and regulatory complexities of their business.
FAQs
What is GDPR?
GDPR, which stands for General Data Protection Regulation, is a new law in the European Union governing the collection and processing of personal data of European member state citizens (data subjects). Under the GDPR, personal data that is used to offer goods and services, or to profile users, can only be collected for explicit, specified purposes, and the processing of that data must be compatible with those same purposes. There are only a few very specific legal bases for processing, most notably the consent of the data subject. In addition, data subjects have very broad rights, including the right to access, view and correct information about the data collection and processing, the right to be forgotten (erasure of data), the right to object to processing, and others. The intention of the regulation is to give data subjects more control over their personal data: who can use it, how it is used, who it can be shared with, etc. All companies that interact with European end users are obligated to comply with the law after May 24, 2018, regardless of said companies’ geographic location. Those that don’t will be vulnerable to harsh monetary penalties.
Does this only impact programmatic ad-buying?
No. The GDPR is designed to cover personal data of EU data subjects regardless of industry.
Who is responsible for ensuring consumer privacy?
All companies that handle personal data should be responsible for ensuring consumer privacy. While the GDPR only relates to EU data subjects, other jurisdictions have their own privacy laws that should be taken into account as well.
How are advertisers going to be affected?
Every company that operates in digital media is unique because of business models, partners, customers, country operations, and many other factors. Centro recommends advertisers review the GDPR and seek legal advice applicable to their unique business model. In general terms, advertisers will need to ensure that their advertising activities are lawful under the GDPR when targeting EU member states in their campaigns. Advertisers that are collecting and processing personal data, and have determined that their activities fall within the GDPR’s scope, will need to be certain they have a valid legal basis (such as user consent) for doing so. With regard to personal data shared with advertisers by Centro, we will be making changes to our terms governing the transfer of personal data in accordance with the new law.
How would the Internet user experience change in the E.U. member states?
End users may see an increase in requests for consent from companies that are actively collecting data. This may be a publisher, an Internet service provider, a device manufacturer or an app creator. The GDPR is intended to cast a wide net. We’ll also likely see a variety of ways in which this consent is requested.
Is this coming for U.S. Internet users?
The GDPR is now considered to be the gold standard in privacy legislation world-wide. It is expected that its principles will be emulated by other jurisdictions. As an example, amid the recent Facebook hearings in the U.S., two senators introduced the ‘CONSENT Act’ bill, which has very similar requirements to GDPR. Whether or not it is passed, the general industry sentiment points to momentum behind the idea of increased privacy protections. I think there will be a lot more evolution in this area. One area that privacy law experts are following is a California ballot initiative that may set the stage for stricter, broader laws to be introduced preemptively at the Federal level. However, there is a belief that it is unlikely we’ll see a law similar to GDPR in the next 18-24 months.
What is Centro doing to meet GDPR requirements?
Centro takes privacy seriously and intends to fully comply with the GDPR. All processing activities are under review and we have engaged professional privacy consultants and legal experts to assist with the effort. Existing agreements, terms and our privacy policy will be revised to ensure compliance with the new regulations. Centro is also pursuing membership in the Privacy Shield framework — a program founded by the U.S. Department of Commerce, and the European Commission and Swiss Administration to help companies facilitate transfers of personal data with their transatlantic partners.
What is my role in all of this as a media professional?
Get educated and get used to operating with transparency and consent-driven advertising. Know what your company practices are in handling data. Regardless of regulation, companies who are collecting data and are serving targeted advertising should be responsible for keeping user data safe and secure.