GDPR and serving to the EU
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. The GDPR primarily aims to give EU residents control over their personal data and how it is processed.
Who does GDPR apply to?
The GDPR applies to any organization that processes the personal data of EU data subjects, regardless of whether the organization has a presence in the EU or whether the processing is conducted in the EU.
It is likely that the GDPR affects your organization if you collect, store, manage, or analyse personal data of any type, including email addresses.
If you are an AdButler subscriber who represents multiple publishers, it is your responsibility to ensure compliance and consent with all involved parties.
GDPR Compliance with AdButler
AdButler has incorporated “Privacy by Design” as a core principle since before we wrote the first lines of code. We believe in processing the absolute minimum amount of data needed to provide our services. Because of our approach to privacy, we were able to achieve GDPR compliance with minimal changes.
For advertisements placed on web pages, the only private data that we process is your user’s IP address. We process this to provide our ad serving, reporting and anti-fraud services. We anonymize the IP address by removing the last portion; for example, “192.168.0.123” would become “192.168.0.xxx”, removing any possibility of associating the IP address with an individual.
For advertisements within mobile applications, our SDK has the ability to pass the advertiser ID if the mobile app user has given consent to receive more relevant ads. This advertiser ID is used to identify a specific device; however, the device user has the ability to reset this identifier at will. AdButler does not track the user by their advertiser ID; we simply provide the ID with ad network requests when you have zones incorporating programmatic advertising.
Using Data Keys in European Countries
When using AdButler's Data Key targeting, ad requests from EU countries must include the following additional parameters.
- ds_consent_applies should be passed into all ad requests coming from any country where GDPR is applicable.
- ds_consent_given should be either a 0 (no consent) or 1 (consent given).
GDPR Data Processing Addendum
Although AdButler processes a very minimal amount of personal data, and in many cases no personal data, we have a Data Processing Addendum (DPA) that includes standard GDPR and contractual/model clauses, and is meant to define the role of you, the website/mobile app publisher, as the data controller and AdButler as the data processor. The DPA can be signed electronically, or you may request a fillable PDF.
GDPR and Cookies
AdButler has only two features that use cookies to carry out their respective functions. Neither of these cookies stores any personal data (including personal IDs), which means that you do not need to collect explicit consent from your users before using these AdButler features.
Although the GDPR was not meant to address non-personal data, there was a misalignment in the implementation of two new regulations: the GDPR and the ePrivacy Regulation. The ePrivacy Regulation was intended to replace the Data Protection Directive, which was repealed on May 25th, 2018, but the ePrivacy Regulation has been delayed. In order to address the impending regulatory gap that handles cookie privacy, a provision was added to the GDPR that says that references to the Data Protection Directive “shall be construed as references to this Regulation [the GDPR]”.
Because of this provision, and the fact that the Data Protection Directive addresses consent for cookies in general (not specifically those with personal data or IDs), there will be a period of time where GDPR transparency is required for cookies containing non-personal data.
Accordingly, you will need to disclose the following information to your EU users regarding these two cookies.
AdButler Frequency Capping Cookie
- Data Collected:
  - A non-personal ID that links to the zone and/or advertisement (not the individual)
  - A timestamp
- Purpose of Cookie:
  - Ensure that a user doesn’t see the advertisement repeatedly
- Duration of Data Stored:
  - The duration for this cookie is set by the administrator within the AdButler interface each time it is used
- Extent of Data Processing:
  - The data this cookie collects is not shared with any third parties and is used exclusively by AdButler for the reason mentioned above
AdButler Conversion Tracking Cookie
- Data Collected:
  - A non-personal ID that links to the zone and/or advertisement (not the individual)
- Purpose of Cookie:
  - Allow attribution of an advertisement to a desired goal. This does not track an individual, only the source advertisement
- Duration of Data Stored:
  - This cookie expires within 180 days
- Extent of Data Processing:
  - The data this cookie collects is not shared with any third parties and is used exclusively by AdButler for the purpose mentioned above
Managing Consent
The GDPR requires that you use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site and/or app. For the purpose of serving advertisements through AdButler, we require the IP address as the only personally identifiable information, so your consent must be appropriate to the data and the purpose for which it’s collected.
AdButler does not track or segment users, and IP addresses are anonymized upon processing, leaving no personally identifiable information available. The risk to the data owner is minimal, and a clear and transparent disclosure in your privacy statement should be appropriate for the data considered.