Google adopts non-personal ad targeting for the GDPR

The PageFair Team GDPR

This note examines Google’s recent announcement on the GDPR. Google has sensibly adopted non-personal ad targeting. This is very significant step forward and signals a change in the online advertising market. But Google has also taken a new and problematic approach to consent for personal data use in advertising that publishers will find hard to accept.  Google decides to use non-personal ad targeting to comply with the GDPR  Last Thursday Google sent a policy update to business partners across the Internet announcing that it would launch an advertising service based on non-personal data in order to comply with the GDPR.[1] PageFair has advocated a non-personal approach to advertising for some time, and commends Google for taking this position. As we noted six months ago,[2] Google AdWords, for example, can operate without consent if it discards personalized targeting features (and unique IDs).…

PageFair Trusted Partners To Join GDPR Compliance Initiative

Dr Johnny Ryan GDPR

This note announces an initiative among adtech companies to keep online advertising operations outside the scope of the GDPR by using no personal data. Dublin, Ireland (24 January, 2018) – PageFair has announced a joint initiative with eight other advertising companies to help equip website and app publishers with new ways of advertising  that fully comply with Europe’s new GDPR regulations.  Among the members are Adzerk, Bannerflow, Bydmath, Clearcode, Converge Digital, Digitize, SegmentIQ, and Velocidi.  The EU’s new privacy regulations will prohibit the kind of online tracking that has powered advertising up to now, unless every user gives explicit consent to the companies that track them. Publishers, advertisers and tech companies who ignore the regulation could face fines of up to €20 million or 4% of their global turnover.  …

GDPR consent design: how granular must adtech opt-ins be?

Dr Johnny Ryan GDPR

This note examines the range of distinct adtech data processing purposes that will require opt-in under the GDPR.[1] In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”.[2] Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”.[3]  Rather than conflate several purposes for processing, Europe’s regulators caution that “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose”.[4] This draws upon GDPR, Recital 32.[5] In short, consent requests must be granular, showing opt-ins for each distinct purpose. How granular must consent opt-ins be?

The regulatory firewall for online media and adtech

The PageFair Team GDPR

This note announces Perimeter, a regulatory firewall to enable online advertising under the GDPR. It fixes data leakage from adtech and allows publishers to monetize RTB and direct ads, while respecting people’s data.  PageFair takes a strict interpretation of the GDPR. To comply, all media owners need to protect their visitors’ personal data, or else find themselves liable for significant fines and court actions. In European Law, personal data includes not only personally identifiable information (PII), but also visitor IP addresses, unique IDs, and browsing history.[1] The problem is that today’s online ads operate by actively disseminating this kind of personal data to countless 3rd parties via header bidding, RTB bid requests, tracking pixels, cookie syncs, mobile SDKs, and javascript in ad creatives.…

How publishers verify their adtech partners’ GDPR readiness

The PageFair Team GDPR

PageFair believes that the GDPR will be strictly enforced. This means all unique identifiers (such as user IDs) and IP addresses will be regarded as personal data under the Regulation, and therefore must not be used in a way that would distribute them in the programmatic advertising system without consent.[1] This is why we launched Perimeter, to protect publishers from risk under the GDPR. When publishers install PageFair Perimeter on their sites or in their apps, Perimeter will block adtech that uses unique identifiers without consent. Adtech services that do not use personal data where consent is absent will be whitelisted. Criteria for whitelisting in on sites/apps protected by Perimeter (where required consent is absent) No use of unique IDs No storage of IP addresses or user agent details Adtech vendors can perform necessary campaign measurement, attribution, and frequency capping using non-personal data methods as we have outlined here.…