How to audit your adtech vendors’ GDPR readiness (and a call to adtech vendors to get whitelisted as Trusted Partners)

Dr Johnny Ryan GDPR Leave a Comment

This note describes how publishers can audit their adtech vendors’ readiness for the GDPR, and opens with a call for adtech vendors to collaborate with PageFair so that they can be whitelisted as Trusted Partners by PageFair Perimeter. 

How adtech and media will work under the GDPR

We anticipate that the GDPR will indeed be enforced, whether by national regulators or by NGOs or individuals in the courts. We also realise that consent is the only applicable legal basis for online behavioural advertising (See analysis). Personal data can not be processed for OBA in the absence of consent.

However, consent dialogues for adtech need a “next” button -or a very long scroll bar- because online behavioural advertising requires many different opt-ins to accommodate many distinct personal data processing purposes.  How many people will click OK 10+ times? (See analysis).

Even people do repeatedly opt-in for various adtech processing purposes, that consent will be inconsequential if there is continued widespread leakage of personal data through RTB bid requests, JavaScript in ads, mobile SDKs, and assets loaded from 3rd parties. Consent only has meaning if one prevents the personal data from falling into the hands of parties that do not have consent (See discussion).

Therefore, it is essential to plan for the eventuality that very few, if any, people will provide the ten or more opt-ins required to cover the diverse range of data processing purposes conducted by today’s online behavioral advertising ecosystem.

The only way to remove all risk of fines and legal suits for publishers, advertisers, and adtech vendors, is to use no personal data at all, unless one has consent. This would put routine advertising outside the scope of the GDPR, with no controllers, processors, nor personal data breaches.

PageFair Perimeter is working with a group of adtech vendors who can provide publishers with direct and programmatic adtech that uses only non-personal data (See footnote for a discussion of non-personal data).[1] Aside from non-personal cookie storage, there will be no need to seek consent because there will be no processing of personal data. 

In the minority of cases where valid consent is present, the corresponding vendors will be free to add incremental value by consensually using personal data.

Perimeter will block all 3rd parties that process personal data on its client publishers’ websites and apps, unless consent is present. Trusted Partner adtech vendors, who can operate programmatic and direct advertising without personal data, will be whitelisted (and promoted to publishers).

This note proceeds with two sections. The first describes Trusted Partner adtech vendors. The second outlines what questions publishers should ask their adtech vendors to audit their use of personal data and GDPR-readiness.

PageFair is calling for “Trusted Partner” Adtech vendors

PageFair is working with a group of adtech vendors who can provide publishers with direct and programmatic adtech that uses only non-personal data. (see footnote for a discussion of non-personal data). And of course, if appropriate consent is present, then these adtech vendors can process personal data.

Subject to verification that personal data is not processed without consent, PageFair Perimeter will whitelist Trusted Partners’ technology, while continuing to block all other 3rd parties.

We invite adtech vendors to work with us as Trusted Partners. Trusted Partners provide versions of their services that scrupulously prevent the collection or other processing of Personal Data, except where suitable consent has been obtained from the data subject and data protection requirements have been satisfied in a manner consistent with the GDPR.

Become a Trusted Partner

PageFair will share methods for performing essential adtech functions (bid requests, frequency capping, measurement and reporting, etc.) with partners.[2]

How publishers can examine their adtech vendors’ personal data processing and GDPR-readiness.

The following section is a questionnaire for web and mobile publishers to use when exploring whether their adtech vendors are safe under the GDPR.

Questionnaire for adtech vendors

1. Unique identifiers

For each unique user identifier that you use, or introduce into the page, please list the primary purpose, the type, the duration of the identifier, what other companies might receive it, and what secondary purposes it might be used for.

Identifier name Primary purpose Secondary purposes Type
Example: 1st party cookie. 3rd party cookie. localStorage cookie. eTag supercookie. Flash supercookie. HSTS supercookie. device fingerprint / statistical ID. IP stack fingerprint. Other.
Lifetime of ID Other recipients

2. Other personal data

Do you use any other personal data (e.g., IP address, name, address, social security numbers, credit card numbers, email addresses or email address hashes)?

  1. What are their purpose?
  2. Where do you obtain this data from?
  3. Is there auditable consent from the user for the use of this personal data for this purpose?
  4. How do you match this data to unique user IDs?

3. Adtech server-to-server calls

What other advertising systems do you make server-to-server calls to that may communicate user IDs or other personal information, for example RTB bid requests, or automated transfer of RTB or ad call logs?

4. Cookie syncing / user matching

What other domains do you perform cookie syncing / user matching with?

5. Frequency capping

Do you perform frequency capping using unique user IDs? How?

6. Impression counting

Do you depend on any unique user identifiers when you perform impression counting? (for example, to count “unique impressions”)

7. Conversion counting

If you perform conversion counting, does this depend on unique user identifiers to track the user from click to post-conversion?

8. View through counting

If you perform view-through counting, does this depend on unique user identifiers to track the user from view to post-conversion?

9. Viewability measurement

If you perform viewability measurement, does this depend on any unique user identifiers?

10. Cross-device identification

If you perform any cross-device identification of users, what IDs do you use, and how do you match mobile device IDs with other IDs?

11. Fraud detection

If you perform fraud detection, do you use unique identifiers to track devices between websites, or perform other per-user analytics to detect the possibility of bot traffic?

Conclusion

It is inevitable that the audit above will find the processing of personal data is the norm among adtech vendors. This exposes the vendors, and their clients, under the GDPR.

PageFair invites all adtech vendors to provide versions of their service that operate outside the scope of the GDPR. We intend is to share insights on the tweaks required to take personal data out of adtech (where consent is absent) with Trusted Partners, and promote vendors who operate as Trusted Partners to publishers who use Perimeter.

Our objective is to minimize the number of vendors that publishers must block to protect themselves from GDPR liabilities.

Become a Trusted Partner

Perimeter: the regulatory firewall for online media and adtech.

Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.

Learn more

Notes

[1] Non-personal data are any data that can not be related to an identifiable person. As Recital 26 of the GDPR observes, “the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. This recital reflects the finding of the European Court of Justice in 2016 that data are not personal “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant”. Judgment of the Court (Second Chamber) Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, 19 October 2016.

[2] For methods of performing frequency capping, impression counting, click counting, conversion counting, view through measurement, and viewability measurement see PageFair note at https://pagefair.com/blog/2017/gdpr-measurement1/.