By Tony Evans, Corporate Development Director, Crimtan.
There’s been a lot of talk about the GDPR lately, and many people are understandably confused about how this will affect the digital advertising industry. While much of the new law is still a grey area, some areas are becoming clearer – though things may yet change. The UK’s Information Commissioner’s Office (ICO), The Article 29 Working Party (A29WP) and EU regulators themselves will continue to publish further guidance until the GDPR comes into force.
Crimtan sits on the IAB’s Data and Privacy and the Regulatory Affairs & Public Policy Councils so we are able to follow all the latest developments. The IAB have done great work in protecting the interests of our industry and providing extensive guidance about changing privacy laws, so many thanks to them for helping us put together this post which sets out the current status of the GDPR and what it means for Crimtan and our industry.
INTRODUCING THE GDPR
This General Data Protection Regulation (GDPR) will come into force on May 25, 2018 and will apply across all EU markets. In the UK it replaces the existing Data Protection Act 1998 and will apply to all companies processing the personal data of users living in Europe, no matter where the business is located. Note here that we are talking about ‘personal data’ – and the definition of this is changing – more on that in a minute.
What about the Cookie Law?
A few years ago the EU introduced the ePrivacy Directive (or ePD, AKA ‘the cookie law’) which the UK implemented as the Privacy and Electronic Communication Regulations (PECR). This law set out rules on accessing information stored on a device (whether personal data or not). As this is part of UK law it is separate to the GDPR and will not disappear when it comes into force.
However, the European Commission is currently reviewing a new electronic communications law – the ePrivacy Regulation (or ePR) – that it is aligned with the broader GDPR and effectively replaces the ePD. We don’t know what the final ePR will look like, but it will contain specific rules about cookies – possibly involving browser settings. We hope the ePR will be repealed as all of its privacy-related obligations are now addressed within the GDPR. In the meantime, the EDAA Trust Seal is sufficient to satisfy the requirements of the ePrivacy Directive – and Crimtan has held the Seal for three years.
Does it include Safe Harbour?
The EU-U.S. Privacy Shield replaced Safe Harbour in 2016, and is a legal mechanism for data transfers between the EU and U.S. The GDPR allows for data transfers but, again, this may need updating when the UK leaves the EU. The UK’s Information Commissioner’s Office (ICO) is expected to publish guidance on this soon.
Will the GDPR be affected by Brexit?
The GDPR (which may or may not incorporate the ePR and cover data transfer) will apply as long as the UK is a member of the EU, but whether it still applies after we leave depends on the UK’s future arrangements with the EU. Whatever happens, it is likely that the GDPR will apply to all ads delivered to citizens based in EU countries, and some form of similar privacy regulation will be applied by the UK government.
SO WHAT EXACTLY IS THE GDPR, AND WHAT IS EVERYONE WORRIED ABOUT?
The fundamental purpose of the GDPR is to provide greater privacy protection for EU citizens by updating existing EU data protection in light of today’s digital world. And the penalties for not complying with the GDPR are, indeed, scary, as the EU will be able to fine organisations up to €20m or 4% of annual turnover (whichever is greater).
The GDPR tries to provide greater privacy protection by regulating the use of all personal data in digital advertising – so it will apply to brand advertisers, agencies, advertising networks, data technology businesses and publishers. Most importantly, the definition of personal data has been extended to include all online identifiers e.g. an IP address, a cookie, location data or an advertising ID.
The importance of ‘pseudonymisation’.
The GDPR helpfully introduces the concept of ‘pseudonymisation’, which is relevant for companies like Crimtan who don’t use any personal data as defined under the current laws. Their (paraphrased) definition of this is “the processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and securely to ensure that it cannot be attributed to an identifiable person.” How pseudonymisation works in practice will need to be clarified, but it seems that personal data that does not have any directly identifying details could be pseudonymised at the point of collection by using a randomised cookie that allows a user to be recognised but not directly identified. The EU’s final views on pseudonymisation are also important because organisations that pseudonymise data are also alleviated of some of the GDPR’s obligations that require user identification (such the right to data examination, erasure, portability etc.).
How to lawfully process personal data
The GDPR outlines six ways that companies can process personal data – including cookies and other targeting methodologies, but of these, only two really concern the digital advertising industry – consent and legitimate interests.
Because personal data now includes cookies, anyone who wishes to place a cookie on an individual user (or use their IP address or advertising ID) will need to get their permission first. So while dropping a cookie needs consent, the data associated with it would be considered as pseudonymous data providing it cannot be used to identify an individual.
The GDPR strengthens the conditions for consent: it will need to meet very high standards (e.g. it cannot be bundled in with T&Cs) and the user will need to give consent “unambiguously and freely” with “an affirmative action” (assumed consent following a notice will not be sufficient). In all cases, evidence that the consent has been obtained will have to be recorded, and where there is no direct relationship with the user, the organisation will have to find a way to establish that consent has been given.
Exactly what this means and how it’s is achieved in practice is unclear at present and the ICO and A29WP is expected to publish further guidance on consent soon. Current thinking suggests that publishers will need much more obvious ‘opt-in’ mechanisms and that companies who want to process any user data will first need to be able to establish that consent has been given. Where consent isn’t given, no one will be able to use any user data and no cookie can be dropped.
The GDPR permits the processing of personal data when it is in the legitimate interests of an organisation (subscription services are an obvious one). The increased rights offered to individuals under the GDPR combined with pseudonymisation may make this an attractive legal basis for some companies to try and justify their processing of personal data. However, it looks unlikely that the A29WP will agree that processing of personal data for the purposes of delivering targeted advertising can be viewed as a legitimate interest.
OTHER IMPORTANT POINTS TO NOTE
The GDPR grants considerably more rights to web users and places far greater obligations on companies who process user data. Companies engaged in targeted digital advertising will not only need to ensure they are aware of the regulations concerning handling user data, but will also need to take steps to ensure they conform to the law.
Records, contracts and public declaration.
Businesses involved in digital advertising will be classified as data controllers (companies who decide how data is processed) or data processors (companies who act on behalf of the controller) under the GDPR. It is possible to be both but, whatever your status, there are obligations, e.g. to maintain records of processing activities, provide information about how data is used and have written contracts with the data provider that are publicly available. Contracts between companies should include details on how each party achieves their obligations under the GDPR and, specifically, how user notice is given and consent obtained.
The Data Protection Officer and DPIA
Every company that uses personal data will have to complete a Data Protection Impact Assessment (DPIA). The ICO has already published guidance on this but is likely to update this following further advice from the A29WP.
It is also highly likely that every company involved in digital advertising will need to appoint a Data Protection Officer (DPO). This person should be an expert in data protection law and practices and is expected to inform and advise an organisation and its employees about their obligations under the GDPR and other privacy law. It will be their job to monitor compliance and provide advice on impact assessments, as well as being the first point of contact for Supervisory Authorities and web users.
The DPO can be an existing employee or the role can be contracted out. The A29WP is expected to provide further guidance on the role of DPOs soon.
Individual rights and control
The GDPR significantly reinforces individual rights, such as the right to erasure (often understood to be the ‘right to be forgotten’), the right to rectification and the right not to be subjected to profiling (including an individual’s personal preferences, interests, behaviour, and location or movements), so it is highly likely to include behavioural or interest-based advertising. However, as mentioned earlier, we understand that companies who only use pseudonymous data will be alleviated of some of the GDPR’s obligations that require user identification (not least because, by definition, it is impossible to identify a ‘pseudonymous user’). The ICO and the A29WP will be publishing further guidance on individual rights and data portability in the coming months.
Children & sensitive data
The age beneath which companies are not allowed to process data (without permission from a parent or guardian) is not yet decided. While 16 has been proposed the UK currently sets this at 13, so it is advisable to continue with this for now.
The GDPR also refers to ‘special categories of personal data’ (i.e. sensitive personal data) which are broadly the same as under the existing legal framework and restrict the processing of personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership – as well as data concerning health or an individual’s sex life or sexual orientation.
WHAT HAPPENS NEXT?
You can see that there is still much to be agreed, so it is difficult to predict how the GDPR will affect the digital advertising industry. We do know though, that consent will be harder to get, acceptance must be logged and there will be a few hoops to jump through between now and May 25th 2018. Here’s a summary of some action points for every company using personal data for targeted advertising:
- Ensure key staff understand about user privacy and the GDPR.
- Keep up to date with EU user privacy developments.
- Undertake an initial data audit.
- Make sure that all contracts with inventory and data suppliers include GDPR obligations.
- Appoint a Data Protection Officer to ensure you comply with the GDPR.
- Conduct a DPIA.
- Update your website to reflect the change in the law and include supplier GDPR contract summaries.
To find out more about the GDPR, the ICO has a dedicated section and the IAB regularly posts articles about the latest developments and how they affect our industry, or just get in touch with your Crimtan contact and we will be happy to help.