How publishers verify their adtech partners’ GDPR readiness

The PageFair Team GDPR

PageFair believes that the GDPR will be strictly enforced. This means all unique identifiers (such as user IDs) and IP addresses will be regarded as personal data under the Regulation, and therefore must not be used in a way that would distribute them in the programmatic advertising system without consent.[1] This is why we launched Perimeter, to protect publishers from risk under the GDPR.

When publishers install PageFair Perimeter on their sites or in their apps, Perimeter will block adtech that uses unique identifiers without consent. Adtech services that do not use personal data where consent is absent will be whitelisted.

Criteria for whitelisting on sites/apps protected by Perimeter (where required consent is absent)

  • No use of unique IDs
  • No storage of IP addresses or user agent details

Adtech vendors can perform necessary campaign measurement, attribution, and frequency capping using non-personal data methods as we have outlined here.

How publishers verify their adtech’s GDPR readiness

Many publishers are uncertain whether the adservers or other adtech services they use will be compliant with the GDPR. To remedy this situation, we present below a questionnaire that equips publishers to ask the right questions of their adtech vendors.

Media owner's questionnaire for adtech vendors

1. For each unique user identifier that you use, or introduce into the page, please list the primary purpose, the type, the duration of the identifier, what other companies might receive it, and what secondary purposes it might be used for.

Identifier table (one row per identifier, with these columns):

  • Identifier name
  • Primary purpose
  • Secondary purposes
  • Type (examples: 1st party cookie, 3rd party cookie, localStorage cookie, eTag supercookie, Flash supercookie, HSTS supercookie, device fingerprint / statistical ID, IP stack fingerprint, other)
  • Lifetime of ID
  • Other recipients

2. Do you use any other personal data (e.g., IP address, name, address, social security numbers, credit card numbers, email addresses or email address hashes)?

a) What is their purpose?
b) Where do you obtain this data from?
c) Is there auditable consent from the user for the use of this personal data for this purpose?
d) How do you match this data to unique user IDs?

3. What other advertising systems do you make server-to-server calls to that may communicate user IDs or other personal information, for example RTB bid requests, or automated transfer of RTB or ad call logs?

4. What other domains do you perform cookie syncing / user matching with? 

5. How do you perform frequency capping using unique user IDs?

6. Do you depend on any unique user identifiers when you perform impression counting? (for example, to count “unique impressions”)

7. If you perform conversion counting, does this depend on unique user identifiers to track the user from click to post-conversion?

8. If you perform view-through counting, does this depend on unique user identifiers to track the user from view to post-conversion?

9. If you perform viewability measurement, does this depend on any unique user identifiers?

10. If you perform any cross-device identification of users, what IDs do you use, and how do you match mobile device IDs with other IDs?

11. If you perform fraud detection, do you use unique identifiers to track devices between websites, or perform other per-user analytics to detect the possibility of bot traffic?
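A publisher can cross-check a vendor's answer to question 1 against what the vendor's servers actually set in the browser. The following is an added example, not PageFair's or Perimeter's code: it drafts identifier-table rows (name, type, lifetime) from captured Set-Cookie headers. The domain names, sample headers and the 64-bit entropy threshold are constructed assumptions.

```python
# Added example: draft identifier-table rows from captured Set-Cookie headers.
from http.cookies import SimpleCookie
import math

PUBLISHER = "news.example"  # assumed publisher domain (constructed)

# Constructed sample: (responding host, Set-Cookie header value)
CAPTURED = [
    ("news.example", "theme=dark; Max-Age=2592000; Path=/"),
    ("ads.vendor.example",
     "uid=9f3c1a7e5b2d4c8896e0a1b2c3d4e5f6; Max-Age=31536000; Domain=.vendor.example"),
    ("cdn.vendor.example", "ab=1; Path=/"),
]

def entropy_bits(value):
    """Shannon entropy of the whole value in bits (per-character entropy x length)."""
    if not value:
        return 0.0
    freqs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in freqs) * len(value)

def is_third_party(host):
    """True when the responding host is outside the publisher's own domain."""
    return not (host == PUBLISHER or host.endswith("." + PUBLISHER))

def identifier_rows(captured, min_bits=64):
    """One row per cookie. The entropy test is a heuristic: a value with enough
    entropy to single out a browser is flagged for follow-up with the vendor.
    Only Max-Age is read; Expires-only cookies would need date parsing."""
    rows = []
    for host, header in captured:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            max_age = morsel["max-age"]
            rows.append({
                "name": name,
                "type": "3rd party cookie" if is_third_party(host) else "1st party cookie",
                "lifetime_days": int(max_age) // 86400 if max_age else 0,  # 0 = session
                "set_by": host,
                "likely_unique_id": entropy_bits(morsel.value) >= min_bits,
            })
    return rows

if __name__ == "__main__":
    for row in identifier_rows(CAPTURED):
        print(row)
```

Rows flagged as likely unique IDs are the ones to compare against the vendor's declared purposes, lifetime and recipients. Other identifier types listed in question 1, such as localStorage, eTag or fingerprinting, are not visible in Set-Cookie headers and need separate checks.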

 

 

You can read about Perimeter here.


Notes

[1] See Article 4 of Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).