The European privacy law, GDPR, caused quite some commotion and raised many questions. Although everybody is roughly familiar with the main implications of the law, nobody knows exactly how this will affect the industry and how to respond to its obligations. As an adtech provider, we also get many questions from clients about GDPR. Unfortunately, many of them can not yet be answered: practical solutions are still to be developed by the industry as a whole. But although we can’t provide you all the answers, we will answer some of the most common questions in this article.
How should I manage opt in for campaigns?
- Active action is required (no pre-tick or part of terms and conditions)
- You must inform the recipient clearly what his data will be used for (not ‘To improve experience’)
- Separate permission must be given for each purpose
- The opt ins must be registered
- You must refer to the privacy statement
How should I manage opt out for campaigns?
This is more problematic. Consumers have the right to correct and remove their personal data from the databases of a company at all times. The programmatic ecosystem is a complex network of brands, agencies and technologies and as such correcting and removing personal data needs to be done throughout the whole chain. There is no system in place yet that enables easy opt out management.
This means that when a consumer asks an advertiser to opt out of their ads, the advertiser needs to inform their agency or adtech provider. They in turn, need to ask the DSP (Demand Side Platform) to remove the data from their system. The DSP must also notify the SSP (Sell Side Platform). The SSP has to inform all other parties that are synced with their data.
The industry is still working on an appropriate solution. Until then, please contact Adcombi if a consumer wants to opt out. We will provide you with a link you can directly send to the consumer so they can opt out.
Who is accountable?
The GDPR also introduces the principle of accountability. This means that the controller of the data is responsible for making sure all privacy principles are adhered to. Also the controller needs to able to demonstrate compliance upon request.
But the question often is: who is the controller? This is not always clear. It often comes down to a shared responsibility, that differs per situation. Therefore it is important to have processing agreements in place with all the parties that process any kind of personal data on behalf of your company.
What measures is Adcombi taking?
Adcombi takes measures to make sure that we are GDPR-compliant by the 25th of May:
- We run campaigns exclusively on GDPR-compliant DSP’s.
- We don’t store personal data.
- We do process personal data, however. We document and log these according to the principles of the GDPR.
- The DSP cookies we use anonymize the personal data they collect.
- We are working on the necessary processing agreements.