Your email inbox is overflowing with a GDPR-CMP-IAB alphabet soup reminding you of all those emails you can’t remember subscribing to. Your favorite websites seem to be overtaken by banners updating their Terms of Service for May 25th. Your company’s legal counsel mumbles about compliance and does not appear to have slept in weeks.
Historians will later note these were the tell-tale signs of the last weeks before the General Data Protection Regulation (GDPR) rained down on Friday, May 25th, 2018.
How exactly did we get to this? GDPR replaces the Data Protection Directive, an analogue EU framework issued in 1995, when the word googol was little known, spelled lowercase and understood (if at all) to mean the number one followed by one hundred zeroes. The Data Protection Directive was implemented through various national laws of EU member states. On May 25th, 2018, after a two-year transition period, the GDPR will take effect, superseding the Data Protection Directive, and unifying and harmonizing EU data protection law.
While GDPR is European law, its effect is very much global. GDPR applies to any organization that processes personal data of individuals who are in the European Economic Area, or EEA (which includes EU member states plus Iceland, Liechtenstein and Norway), if the processing relates to offering goods or services, or monitoring behavior, no matter where the organization is based.
Businesses must have a GDPR-compliant legal basis (one of which is obtaining a user’s consent, but processing can also be based on a data controller’s “legitimate interest”) before collecting, using, storing, sharing or processing personal data. “Personal data” is defined very broadly and includes any information relating to an identified or identifiable natural person. Notably for our industry, personal data can include IP address, location data or even device information.
Additionally, GDPR grants EEA users (called “data subjects” under the law) a wide variety of rights, including the right to access their personal data and the right to ask a company to delete their personal data. The penalties for violating the GDPR are steep. Companies risk fines of up to 20 Million Euros or 4 percent of worldwide revenue (whichever is larger).
Cue: All those emails and banners.
Processor versus Controller?
One of the most common GDPR questions bandied about in conference rooms from Athens to Amsterdam is whether an organization is a controller or a processor.
The GDPR defines a controller as an entity that “determines the purposes and means of the processing of personal data” and a processor as one that “processes personal data on behalf of the controller.” But what does this really mean?
Consider the following analogy: Suppose you join a health club. The club might collect some personal data from you as you set up your membership, but then farm out the task of storing and digitizing your information to a data center. The club and data center are both responsible for how your personal data is managed. Under the GDPR, the health club would be a controller because it would determine the purposes and means of processing your personal data, whereas the data center would be a processor that puts the club’s plan in action.
Similarly, PubMatic is typically a controller with respect to the services it offers because we determine the purposes and means of data processing. For example, PubMatic might determine the recipients of IP addresses in bid requests, or pre-filter impressions for RTB auctions with third-party buyers.
Although GDPR itself does not require consent for data processing (since data processing can be based on other lawful bases, such as legitimate interest), another legal regime, the e-Privacy Directive, requires user consent to access any information stored on an end user’s device using cookies or other tracking technologies. PubMatic is supporting publishers’ requirements to obtain consent, including by offering the following options:
OPTION 1: Integrate with Third Party Consent Management Providers (CMPs)
Publishers may opt to partner with Consent Management Providers (CMPs) who work with publishers to pop-up consent forms where users can see all the third-party vendors with whom the publisher is working.
CMPs come in many shapes and sizes but we recommend publishers select an IAB EU spec-compliant solution that does not limit vendor choices to minimize potential revenue loss.
OPTION 2: Implement PubMatic JS Helper Script in Page Code
LAST RESORT: Non-Targeted Advertising
What if a publisher chooses “none of the above”? If a publisher does not pick either option, we have to resort to non-targeted or contextual advertising. Non-targeted advertising means lost opportunities for the publisher, with lower fill and monetization rates.
We are here to save you from non-targeted advertising. To best serve you, we need to understand which Consent Management option you will select for GDPR compliance. If you are a PubMatic partner, please complete this two-minute questionnaire to help us provide you a seamless transition.
PubMatic is fully prepared for the GDPR deadline and we are dedicated to helping our clients prepare, too. But we can only do this with your partnership.
We have a dedicated GDPR library at your disposal and the below documents are intended to help address any GDPR-related questions you may have:
- PubMatic GDPR Overview: a guide to PubMatic’s GDPR policies, supporting initiatives, and supplementary documents
- PubMatic GDPR FAQ for Publishers: an explanatory document outlining publisher GDPR compliance and PubMatic’s supporting initiatives
So, let your rivals wade through the legalese. We, at PubMatic, are committed to providing a smooth GDPR transition with a Global PubMatic GDPR SWAT team on standby. If you have any questions about GDPR or would like to speak to the PubMatic legal team, please email GDPR@PubMatic.com.