What Role Does GDPR Play in AdTech?

With the explosion of technology use in e-commerce, the collection and storage of personal data has become a hotly debated topic. Consumers have become more aware of how their unique data is shared with third-party sites, pushing more rigid security and privacy measures into place. This has led to the passage of stricter, user-protection laws and regulations, including the GDPR, CCPA, and others.

The GDPR has shifted the way data can be collected and business can be done for companies dealing online with users in the EU. It has mandated stricter requirements for obtaining consent and providing users with additional access and information about the data collected. More on that a little later. 

But first…

What is GDPR? What does GDPR stand for?

The General Data Protection Regulation (GDPR) is a set of laws passed by the European Parliament, Council of the European Union, and the European Commission as a response to diminishing user privacy. 

As its name suggests, its primary purpose serves to define and protect personal data, but it also seeks to give data control back to the individual user while simplifying the regulatory environment for the European Union (EU) and international business.  

A few items to note about GDPR:

• It defined and broadened the definition of personal data to mean any information that can be used to identify an individual, including name, identification number, location data, and online identifier. 
• It applies to the entire processing, storage, and/or use of the personal data of people living within the EU, regardless of where the organization itself is located. 
• GDPR violations can result in severe financial penalties with up to 4% of an organization’s annual global revenue or 20 million Euros.

What does this mean? How does it affect AdTech? 

At its core, GDPR seeks to protect the rights of consumers from having their personal information shared across a host of third-party entities. This affects a majority of companies and almost every AdTech business that deals with personal data collection in any form. 

Does GDPR affect U.S. companies?

The simple answer: if you process information from or do business with anyone currently in the EU, then yes.

The complicated answer: The regulation applies to any company that processes the personal data of individuals living within European Union (EU) member states, even if the person is not an EU citizen. The determining factor is the location where a person is physically located when the information is collected, not that individual’s citizenship. The processing of Europeans’ data still counts even if the company responsible for doing so is located outside of Europe. 

This includes any company selling to individuals living within the EU. So, if you operate an e-commerce business with international shipping, this affects the way you process information online. If an organization or business in the U.S. interacts with citizens in the EU by storing and using their personal data, that entity is then subject to GDPR. 

What do they mean by processing of personal data?

When it comes to the term processing, this covers almost anything you can imagine involving personal data. Mostly, this refers to collecting, storing, and using that sensitive data, but the laws include even more.

The legal jargon includes but is not limited to the following: collection, recording, organization, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

What does this mean for AdTech companies? Let’s go into some of the requirements for complying with GDPR – and avoiding hefty fines.

What are the GDPR Requirements?

First and foremost, the publishers and AdTech companies must gather direct consumer consent on their sites, including the following specific information:

1. Which unique device provided consent including the browser and operating system combination 
2. To which specific party the consent was given 
3. Which specific data would be collected 
4. For what specific purpose the data would be used
5. For how long the consent is given

While this seems simple, it’s actually far more particular than it seems. For example, to properly gather consent, a website’s pop-ups must include every single AdTech company involved by name, a list of what data each of those companies is collecting, the purposes for the data for, and so on. 

Consider how lengthy a pop-up with all of that content would be for viewers visiting the site. These sorts of lags and delays negatively affect the user, shortening their experience on that website. 

It’s clear that the EU’s GDPR has fundamentally changed how companies are legally able to handle personal data.

When did GDPR go into effect?

While the GDPR was adopted on April 14, 2016, it became enforceable starting on May 25, 2018. Given that much of the value creation of AdTech companies is derived from using that data to deliver more relevant, targeted advertisements, the implications have been massive for the industry.

Does GDPR apply to the US?

As we stated above, if your company conducts business with individuals living within the EU, then it does affect you. But should you expect a broader set of laws like GDPR to be passed in the United States? 

In short, probably not. 

It’s very unlikely that the U.S. will ever adopt GDPR as broadly as it currently stands. Companies within the U.S. are generally much more likely to allow for data collection and processing than their European counterparts. 

However, certain pieces of GDPR are likely to make their way into U.S. policies in the future with the continued risk of privacy issues and security breaches. It makes sense for businesses to stay ahead of any shifts in government regulation and consumer ethics. Plus, it builds customer confidence and brand validation. 

Not only does mishandling personal data pose a financial risk; customers will lose their trust in you for abusing their sensitive data – and customer awareness of privacy is only likely to continue to increase with new tech developments.

Even if your brand does not operate out of the EU yet, if you ever plan to conduct business and sell products or services to EU citizens or move into the EU market, you will need to make sense of GDPR in order to navigate it.

What are the 7 principles of GDPR?

The GDPR is organized around seven key principles for the lawful processing of personal data:

1. Lawfulness, fairness, and transparency
   • This means that the data was acquired on a lawful basis with the individual fully informed of the collection, storing, and processing. Fairness translates to the company actually keeping its word to its customers.
2. Purpose limitation
   • Here, companies need to be specific about the purpose of the data collection. Data can be collected and used only for the exact purposes conveyed to the individual giving consent. 
3. Data minimization
   • This principle encourages businesses to collect the minimum data needed as “adequate, relevant and limited to what is necessary…for the purposes for which they are processed.” Plus, whatever data is collected will need to be justified. 
4. Accuracy
   • Whatever information is collected needs to be as accurate and up-to-date as possible. This means ensuring that you erase all inaccurate personal data and old, outdated contacts.
5. Storage limitations
   • This principle reinforces the idea that the personal data be kept “for no longer than necessary.” Information can only be stored for the period of time necessary for your unique objectives and that timing must be justified and documented accordingly. 
6. Integrity and confidentiality (security)
   • When collecting sensitive, personal information, it is paramount for companies to invest in and establish proper security measures to prevent potential breaches. Official certifications like ISO 27001 can also prove your company’s commitment to maintaining the integrity and privacy of your customers.
7. Accountability
   • Document everything. Keep track of all processes for the collection and processing of data. Analyze each step in the process with clear justifications demonstrating your GDPR compliance if requested.

Keeping these principles in mind can guide an easy transition to GDPR compliance. Want to understand how your organization falls within the GDPR scope? 

We’ve included a convenient compliance checklist below. 

GDPR Compliance Checklist

1. Data: What data do you store? Who are the data subjects and where do they reside? Are there other entities with which this data is being shared?
2. Access: Can customers easily request and update their own information? Can they request deletion or erasure of their data? Can they ask that their data be delivered to them? Can they easily stop the processing of their information?
3. Consent: Have you obtained the data fairly? Do you have all necessary consents from the individuals you are collecting information from? Is it easy to understand the language in your privacy policy and consent forms? Have you informed all individuals of the specific, accurate use for their personal data? Were you clear about the purpose and their right to withdraw consent?
4. Retention: How long do you store this data? Are you holding the personal data for only as long as is necessary? Are you maintaining only up-to-date information? Are you correctly erasing outdated information?
5. Security: Is all information being stored securely and safely away from potential privacy breaches? Is any personal data being transferred outside the EU? Are there additional encryption or security measures needed for added protection? Is access limited? Do you know what to do if there is a data breach?
6. Accountability: Who is ensuring that this information is accurate and up-to-date? Does your company have an appointed Data Protection Officer (DPO) in place? If your company operates outside of the EU, have you appointed a representative within the EU? 

A few other questions to consider:

• Does your company have an accessible privacy policy in place, outlining all processes related to personal data? Do you inform customers of updates to your policy?
• Do you have a contract in place with any and all data processors involved in your data sharing?
• Have you researched all cross-border transfer laws, if you are operating outside of the EU?

Read more information about the GDPR’s compliance checklist for U.S. companies here.

How is CCPA different than GDPR?

While the California Consumer Privacy Act (CCPA) was inspired by EU regulations, they are not one in the same. The GDPR has broken ground in setting the precedent for the new data privacy standards and the CCPA has thereafter brought modern data protection rules to the United States. For companies that perform business online, they are most likely subject to comply with one — if not both — of these laws.

As stated above, the GDPR applies to any business collecting or processing data of citizens or residents of the EU; this includes businesses that physically operate outside of the EU. 

The CCPA applies to any company that conducts business with California citizens and generates an annual revenue of $25 million or more; collects, shares, buys, or sells the data of more than 50K consumers in California; and earns 50% or more of its revenue from the sale of Californian consumer data.

Despite the differences, they both share common goals and requirements. At the core of their creation, each of these regulatory acts is set up to make sure that individual users are protected and informed of their rights. Both require consumer consent to collect information where clear permission and disclosure of all data usage are both required.

Both require that businesses, upon request, provide users with access to the following:

• The information that is collected about them
• The information that is shared or sold
• Who the information may be shared with or sold to

What are the penalties for noncompliance? Who is liable?

Failing to meet these regulations can be incredibly costly. For GDPR violations, businesses can face fines up to 4% of the company’s annual gross revenue or 20 million Euros, while those violating the CCPA can be forced to pay $750 USD per person, per violation. These fees can add up quickly. 

Bear in mind that if illegal data is used for any kind of ad targeting, then all involved parties could be held liable. This includes the publisher who shares the personal data, the exchange that accepts it, the platform that sells it, and the advertiser that uses it.

HIPAA vs. GDPR

While HIPAA and GDPR both value security at their foundation, they are quite a bit different. GDPR is much broader in scope, setting standards for all sensitive personal data, while HIPAA only deals with Protected Health Information. 

Protected Health Information is defined as “any information that can be used to identify a patient, such as a name, address, DOB, bank/credit card details, social security number, photos, and insurance information combined with health information.”

However, GDPR deals with a broader, different range of data sets linked to being directly or indirectly identified within the EU, including race, religion, political affiliation, sexual preference, and other information. HIPAA standards are limited to covered entities dealing with restricted health information, while GDPR applies to all organizations handling personal data.

Additionally, GDPR gives individuals specific user rights that differ from HIPAA — like the “Right to be Forgotten.” This right gives users the ability to request that an organization erases or rectifies any wrong data. This user right requires for companies to maintain a large degree of internal control over data processes. 

Beyond that, users also have the right to narrow the scope of and completely object to personal data processing; they also have the right to data portability, which is transferring that data to another provider. 

In terms of providing consent for marketing and communications as per the GDPR, the EU citizen or resident must give their direct consent to opt in to any form of communication, whether it be through phone, email, direct mail, or other advertising methods. 

GDPR also requires a much shorter timeframe for data breach notification. Under Article 33, there is a 72-hour breach reporting requirement. Care providers are required to report a breach to their supervising authority.

GDPR and Ad Tech 

These GDPR regulations have been difficult to comply with for publishers, advertisers, agencies, and brands alike – and difficult to enforce. Because of the amount of data sharing taking place between third-party entities, it’s difficult for existing companies to truly wield control over their collected data. While this switch is difficult, it is important.

With the rapid increase in mobile website browsing, these major concerns are not going away. There will continue to be scrutiny over the lack of security and privacy that come with advancements in technology. 

Major companies like Google have made sweeping changes to the way they collect data and track users. Why have Google, Safari, Firefox, and other browsers decided to phase out third-party cookies? Like the EU, they believe the current solutions fail to meet consumer expectations for privacy, aren’t sustainable, and don’t stand up to regulatory restrictions. This places ad buyers in a crucial spot. What now?

Privacy and ALFI

While other AdTech platforms blur the line when it comes to user privacy, Alfi is building the future of DOOH advertising, by crafting tools that empower media buyers to reach their exact target market, at the right time, for a fraction of the cost in a respectful and ethical manner. 

The platform pairs powerful computer vision with AI and machine learning models to display clients’ ads only to their target customers when they’re most susceptible to making buying decisions. Computer vision allows DOOH platforms to capture demographic and behavioral data of consumers as they view DOOH ads to increase the accuracy and effectiveness of targeting. Then, AI combined with the machine learning-powered recommendation engine looks for patterns and responses in human behavior to offer the right content to the right person at the right time. 

What’s amazing about this is that while the smart technology can detect behavior, it does not use cookies or store personal data, facial images, or information.  

While it sets new standards by providing precise targeting information to advertisers, it does so without intruding by collecting information in non-intrusive ways that are compliant with GDPR, CCPA, and HIPAA. 

With ALFI, it’s possible – and even easy – to target users, master AdTech, and generate revenue ethically while respecting the right to privacy. 

Want to know more? Drop us a line and our team will get in touch with you!