What is the GDPR?
The EU General Data Protection Regulation (GDPR) is a comprehensive privacy regulation that will replace the current Data Protection Directive 95/46/EC, with an implementation date of May 25, 2018. In April 2016, after more than four years of negotiation, the European Union approved the GDPR, with the goals of strengthening and harmonizing data protection regulation for individuals across the EU and strengthening the digital economy in the EU. The GDPR is directly applicable to member states without the need for implementing national legislation.
For more information and resources about GDPR, visit the IAB Europe’s GDPR informational website.
When does the GDPR come in effect?
The GDPR will be enforceable beginning on May 25, 2018.
To whom does the GDPR apply?
The GDPR applies to any business, whether or not it is based in the EU, that processes the personal data of EU citizens. The GDPR applies to these businesses even if the goods or services that they offer are free.
If you’re a publisher, and would like to see the potential impact of GDPR on your advertising revenue stream, check out our online calculator.
Why did regulators want a GDPR in place?
Today’s consumers are starting to realise that they need to share some of their personal data with organisations to get the service that these organisations provide, such as free website content. One of the primary objectives of the EU Commission was to give EU citizens back the control of their personal data.
In addition, the Commission wanted to simplify the regulatory environment for international business by unifying the regulation within the EU. By harmonising the data protection regulations, the intention of the GDPR is to make it easier for companies to comply with these regulations.
What changes does the GDPR introduce about the definition of personal data?
The definition of personal data under the GDPR is broad and intentionally all-encompassing. In particular, pseudonymous data is defined as a sub-category of personal data, and still triggers application of the GDPR. Pseudonymous data includes cookies and other device and online identifiers (some IP addresses, IDFA, AAID, etc.) that can be used to single out an individual, even if you do not know that individual’s specific identity (for example, even if you don’t know the individual’s name or address). Online identifiers are explicitly called out as examples of personal data under the GDPR.
Due to this broad definition of personal data, it is highly likely that data being processed in the online advertising ecosystem falls within the definition of personal data, and is regulated under the GDPR. Quantcast collaborated with the IAB Europe and other industry experts on IAB Europe’s paper on the Definition of Personal Data. We highly recommend that you review it for a deeper dive on the definition of personal data.
What obligations does the GDPR introduce in relation to the individual’s right to access and delete data about themselves?
Under the GDPR, individuals can ask for access at “reasonable intervals”, and controllers must generally respond within one month. The GDPR requires that controllers and processors be transparent about how they collect data, what they do with it, and how they process it, and that they explain these things to people clearly, in plain language.
Individuals have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it.
In addition, under the GDPR, individuals have the right to revoke their consent at any time. Individuals have the right to have their personal data deleted “without undue delay”, at their request.
No, the proposed ePrivacy Regulation does not prohibit cookies. The expectation across industry is that the new ePrivacy Regulation will allow individuals to consent to the setting of cookies on their computers, although the requirements around that consent will likely be different than they are under the current ePrivacy Directive.
Quantcast is an active part of the IAB Europe’s GIG that has developed the Open Transparency & Consent framework. Quantcast has developed Quantcast Choice — a free Consent Management Provider solution — based on the IAB’s open, non-commercial standard. Quantcast Choice is a GDPR compliant solution that enables publishers and advertisers to acquire, manage and propagate user consent across the digital content and ads ecosystem.
How can companies obtain consent for the purpose of advertising?
The GDPR introduces a new standard for consent. Where a company relies on consumer consent to process personal data, the process used to obtain that consent must meet the higher standard set by the GDPR.
The current draft guidance from the UK ICO describes the requirements for consent under the GDPR, including the following:
- Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
- Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
- Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
- Consent should be obvious and require a positive action to opt in.
- There is no set time limit for consent. How long it lasts will depend on the context.
- You should review and refresh consent as appropriate.
- Evidence that consent has been obtained will have to be recorded, and organisations that have no direct relationship with the individual will have to rely on their partners to obtain consent on their behalf.
Quantcast is actively working with the IAB Europe on the Open Transparency & Consent Framework — an open, non-commercial standard that facilitates obtaining and managing consumer consent.
Quantcast has built Quantcast Choice, a consumer-facing consent solution, based on the IAB Europe’s standard. Quantcast Choice is a free Consent Management Provider (CMP) solution that will enable publishers and advertisers to acquire, manage and propagate user consent across the digital content and ads ecosystem. Quantcast Choice is now available for self-service download and implementation at https://www.quantcast.com/gdpr/quantcast-choice-self-serve/.
How does Quantcast Choice, or a Consent Management Provider (CMP) solution, work?
Quantcast, or any other IAB-approved Consent Management Provider (CMP), provides publishers and advertisers with a mechanism to obtain consent, and then to control which third-party vendors can request consent to track users of their websites and apps. Read this white paper outlining the function of a CMP and the Quantcast Consent implementation.
What actions should be taken in the case of a data breach?
If you suffer a data breach that puts the rights and freedoms of individuals at risk, you must notify a data protection authority (for instance, the Information Commissioner’s Office in the UK) within 72 hours of your organisation becoming aware of it.
While you can’t be expected to detail every aspect of a breach upon discovering it, you should notify the data protection authority of the nature of the data that has been breached and the approximate number of people affected. You should also describe the potential consequences for those people and the measures you have taken or plan to take.
What happens if you don’t comply?
Entities that do not comply with GDPR requirements may be fined up to $20mm or 4% of their worldwide turnover (revenue), whichever is greater. You may also be subject to lawsuits by affected data subjects.
- Quantcast Choice self-serve download
- GDPR Consent Revenue Risk Calculator
- IAB Europe GDPR compliance primer
- IAB Europe working paper on the definition of personal data
- FAQ about the GDPR by the European Commission
- IAB Europe Open Transparency & Consent Framework technical specs and FAQs