With new requirements on Digital Advertising, marketers feel like they are under constant attack. All these transparency-oriented novelties have changed the world of programmatic advertising. And there is more to come.
As many of you may already know, the European Authorities are about to implement the GDPR in May 2018. There are only a couple of months left, so we all gotta speed up.
What’s the Fuss All About?
The GDPR, or the General Data Protection Regulation, is a new piece of European legislation aimed at protecting EU residents from any potential privacy and data breaches. Unlike the previous directives, the GDPR has an extra-territorial nature, meaning that it applies not only to EU-based companies but also to companies outside Europe that collect sensitive data about EU inhabitants.
However, it is not the only snag. Data Collectors and Data Processors will have to gather explicit consent to keep doing what they do now. There are many consent-gathering requirements, which we will touch upon shortly.
What Kind of Data the GDPR Protects
The GDPR aims to protect the following user information:
- Name, Factual Address, IP Number
- Cookies, User Location, RFID Tags
- Health, Genetic, Sexual Orientation Data
- Biometric Data
- Racial or Ethnic information
- Political and Religious Opinions
Who’s Affected by the GDPR
Basically, every company that deals with EU residents’ sensitive data falls under the regulation. And we are not talking only about organizations that directly collect information but also about third-party data processors. They all need to get a user’s permission to work with visitors’ information.
It also doesn’t matter whether your business is located inside or outside of Europe. If you are involved in European data collection, you must comply; otherwise, you may face a serious fine, which can be as big as 20 million euros depending on the violation.
Publishers, Advertisers, DMPs and other programmatic advertising parties are all considered either Data Collectors or Data Processors, so we would suggest you think through your strategy for the upcoming regulation.
How to Collect Users’ Consent
The main point here is to ask visitors for consent using a simple but informative Consent Notice. No pre-ticked boxes or heavy legalese. You must tell users what’s going on before you proceed to data collection.
Another thing to implement is easy information withdrawal. If an individual changes their mind, it should be easy to remove their personal information from your database.
Make sure that your Consent Notice:
- Is clearly and prominently displayed before you start collecting data
- Asks users to opt in and explains to them why you are doing it
- Gives detailed information about data flows
- Tells how you are going to use the information
- Is designed in a clear and easy way so users can make an informed decision
- Provides all visitors with an unticked opt-in box
Steps to Undertake to Prepare Yourself for the GDPR
While our list is non-exhaustive, it will give you a clear understanding of what steps you should undertake to be ready for the GDPR.
Conduct a Data Protection Impact Assessment (DPIA)
Audit your data flows and figure out where you are collecting data from, who you are sharing it with, whether there are any conditions that could lead to information leakage, and how you are going to maintain, store, and protect sensitive data while you have it. This will point you in the right direction.
Look through Contracts with Your Partners
Do not forget to include GDPR clauses in your supply-chain contracts to keep them up to date. Contact all ad tech vendors and agree on the new data policy. Keep in mind that a data collector is responsible for gathering consent on behalf of data processors.
Create an Explicit Privacy Notice
Put it in simple language and make it easily accessible. You can use different HTML layers to include all the possible information, such as who is involved in data processing and how it works.
To collect data from minors under 16, you will need parents’ permission.
Take a look at how a proper privacy notice should look here.
You Will Have to Re-collect Personal Data from Existing Users
Yep, if you haven’t gotten explicit consent before the GDPR, you will have to do it before the regulation comes into effect. Otherwise, say bye bye to the data you’ve collected over the past years.
Keep a Record of Every Inbound and Outbound Data Flow
Now, you want to make sure that you always know what’s happening to the personal data you collect. Every data operation should be kept in your records, regardless of how small or big it is.
What’s Going to Happen Next
The regulation still has lots of grey areas and is hard to interpret precisely, so we all need to be patient until it is implemented. We suggest you start preparing right now to avoid the possible consequences of not complying with the GDPR.
In the meantime, check the official guidelines, which are full of detailed information you may need to know to be ready. Our video ad network is also here to help you with any questions you have.