The new General Data Protection Regulation, or GDPR, comes into effect on May 25th, and Crimtan has been preparing for this for some time. Providing data protection and transparency has always been at the forefront of Crimtan’s business approach. As a long-term member of the IAB’s Data and Privacy Council and a founder signatory to the EU Framework for Online Behavioural Advertising, we have proactively adapted to changes in privacy laws over the years.
We have undertaken a thorough examination of how we control and process data and are confident that we have in place systems and processes that comply with the new rules imposed by the GDPR.
We support the IAB’s GDPR Transparency & Consent Framework and are on the IAB Global Vendor List. In addition, we have developed our own Consent Management Platform, consenTag™, which will enable our clients to gather consent legally for the purposes of programmatic advertising.
To help our clients and business partners understand our approach to the GDPR we have set out here our understanding of the new legislation and how it affects our working relationship. However, every organisation is responsible for ensuring its compliance with the GDPR and we encourage our clients and partners to review their own responsibilities in regard to this new regulation.
We have included a short FAQ and some links to relevant documents. Should you have additional questions, please speak to your usual contact at Crimtan or email email@example.com.
What GDPR covers
GDPR has a significant impact on programmatic advertising.
Any advertising that uses the personal data of people within the EEA falls within the scope of GDPR.
The new definition of “Personal Data”
Personal Data is defined within the GDPR as any information relating to an identified or identifiable natural person (‘data subject’), and the Regulation specifically states that someone who can be identified by means of an “online identifier” is a data subject for these purposes. Even though Crimtan only uses a pseudonymous ID (sometimes from cookies) which is associated with a browser or device to deliver relevant ads, it is pretty clear that this constitutes an online identifier for the purpose of the new Regulation – and gives rise to Personal Data.
Therefore, under the GDPR, fields commonly used in Relevant Advertising are considered ‘Personal Data’ and will require a legal basis for processing, including:
- Un-truncated IP addresses
- Full Latitude and longitude
- Full Postcode
- Device ID
Campaigns that use “Personal Data”
For campaigns that use Personal Data for the purpose of ‘Relevant Advertising’, it is our understanding that our clients will need to work with us to obtain consent to continue to run this type of advertising in order to comply with the requirements of the ePrivacy Directive (2002/58/EC, as amended), and its proposed replacement, the yet-to-be-finalised ePrivacy Regulation, which complements the GDPR in the field of cookies and similar technologies. Many companies are trying to adopt a different legal means, but it is obvious to us that the processing of ‘Personal Data’, for the ‘Purpose’ of its use and by the ‘Legal Entity’ that is controlling this data, should generally take place on the basis of consent in order to comply with the combination of the GDPR and ePrivacy Directive (and, in the future, the ePrivacy Regulation).
As well as ensuring our organisation (our main legal entity and all subsidiaries, their processes and their dataflows) is compliant with GDPR and ePrivacy legislation, Crimtan has been working on the means for us and our advertising clients to maintain business continuity where campaigns that use Personal Data are run.
How we can work with our clients to support GDPR legislation
Crimtan aims to ensure that all Personal Data collected by clients, and Personal Data we collect or use for the purposes of Relevant Advertising, supports the new regulation and satisfies the legal requirements for the continued delivery of high performing campaigns.
We have been working on a number of solutions to achieve this:
- For third parties from whom we onboard data to improve campaign performance, we aim to ensure that they have the legal means to pass us that data under the new legislation.
- For first party data which we onboard through pixels, we have built a technical solution to support our clients and publishers in obtaining appropriate consent, providing a legal basis for processing. This includes the development of a Consent Management Platform, called consenTag™, that combines the core aspects of gathering and storing consent, firing tracking technologies based on user consent and supporting the rights of individuals.
What happens to stored legacy ‘Personal Data’ on May 25th?
Recital 171 of the GDPR states that processing already under way, on the date of application of this Regulation, should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force.
Where processing is based on consent pursuant to Directive 95/46/EC, to allow the controller to continue such processing after the date of application of this Regulation, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation. The current (and future) ePrivacy legislation requires consent for the use of relevant information derived from cookies and similar technologies.
As such, we will not delete legacy data, but we need to work with you to receive the appropriate levels of consent for targeted advertising based on Personal Data.
How will GDPR impact campaign performance?
We operate multiple types of programmatic advertising – some that fall within scope of the GDPR, and some that do not. We will ensure that we maintain a mix to prevent any degradation of performance. We are working with publishers (including PMPs) and ad exchanges directly and ensuring the level of inventory quality is maintained.
What happens if someone asks to see their data?
Crimtan will include a free data request tool on its website. If the specific query we receive is related to campaigns that we run on your behalf, we will provide you with a link to this tool to supply to the person making the query. You will also be responsible for supporting the rights of individuals for any data that you store against them.
Are there not six legal grounds for processing under GDPR?
Yes, but given the combination of the GDPR and the proposed ePrivacy Regulation, the only appropriate one for ‘Relevant Advertising’ purposes is for the data subject to provide consent to the processing of his or her personal data for one or more specific purposes.
What are the Rights of Individuals under the new legislation and how do you support them?
Our solutions will support the rights of individuals to Access their data, Correct, Port, Restrict Processing, Erase, and Object, along with Notification of any breach.
As we only store information against an ID and do not know who the data subject is, but that data still falls within the ‘Personal Data’ criteria, we will be supporting data requests through our website.
What happens with Data transferred outside the EEA?
Crimtan Holdings Limited is registered in the UK and is the Data Controller for all relevant Personal Data within our group of companies. Where we need to do so, we will only transfer Personal Data from our systems to outside the EEA under the conditions specified in the GDPR.
How are pseudonymous IDs collected and stored?
After May 25th, for services offered to data subjects in the EEA, pseudonymous IDs are collected and stored based on the consent of the end-user.
What about delivering ads to EEA citizens outside the EEA?
The GDPR does not apply outside the EEA, so implied consent (with an opt-out) will continue to be accepted by default. Only individuals located in countries within the EEA will be required to give an affirmative action indicating clear and unambiguous consent to use their data for targeted advertising.
Some useful GDPR links
The ePrivacy Directive (2002/58/EC)
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
Information Commissioner’s Office guidance for PECR