On 25 May 2018, the EU General Data Protection Regulation (“GDPR”) takes effect, replacing the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection law across Europe; it applies to the personal data of EU data subjects regardless of where that data is processed.
The regulation could have a profound impact on the programmatic advertising industry. We covered those bases in a previous blog post. Pixalate is GDPR compliant. To see what that means for our business and our partners, check out this post.
The below is a brief Q&A with Jay Seirmarco, Pixalate's SVP of Operations and Legal Affairs, about the GDPR and what it means for programmatic advertisers from an ad fraud and security perspective.
Seirmarco joined Pixalate from Cox Automotive, where he oversaw the legal team responsible for data strategy and intellectual property. He joined Cox via its 2014 acquisition of Xtime, a SaaS company focused on customer retention in the automotive industry. Prior to Xtime, Seirmarco served in operational and legal roles at Turn, Shopkick, SugarCRM, VA Linux (a.k.a. Geeknet) and IBM.
Seirmarco's background in computer science and legal affairs gives him a unique perspective on the GDPR as it relates to data security, data privacy, ad fraud, and the programmatic industry as a whole.
Seirmarco: Regarding what people need to know more about, it’s important to remember that it’s called the General Data Protection Regulation. While one must remain cognizant of applicable consent and “legitimate purpose” obligations, one must also be mindful of the concepts of Data Protection by Design (i.e., information security as an integral part of the development process) and Data Protection by Default (i.e., start from the strictest privacy settings, and only process and retain personal data as reasonably required for the identified purpose).
In addition, controllers and processors are required to “implement appropriate technical and organisational measures to ensure a level of [information] security appropriate to the risk…” So, it’s important to take meaningful steps to be good stewards of personal information, including identifying and documenting information security deficiencies, and establishing and following through on remediation plans to “harden” information security environments.
Seirmarco: Companies need to have a basis for processing personal data of European Union data subjects under the GDPR. Pixalate, for example, uses legitimate interest; more specifically, Pixalate’s GDPR compliance is grounded in Recital 47, which states expressly that preventing fraud constitutes a legitimate interest.
The vast majority of the ad tech ecosystem will rely on the consent framework. The tie-in to ad fraud and IVT may seem less obvious in this scenario, but ad tech companies relying on the consent framework stand to benefit in terms of GDPR compliance by taking an active stance against ad fraud and IVT.
When an EU data subject consents to share their data, it is not reasonable for them to expect that their information would be used by a third party in connection with IVT. By filtering out IVT, a data controller or processor is reducing the likelihood that EU data subjects’ data would in any way be associated with IVT or fraudulent activity, thus strengthening their end of the agreement they enter with the individual data subjects and buttressing their GDPR compliance.
Additionally, if a company has an apathetic approach to ad fraud and IVT, it could undermine the users’ willingness to consent. Consent is already hard enough, and there is palpable anxiety in the digital advertising industry as it relates to obtaining consent. If a company can show that they are a good steward of pseudonymised information, and that they are not a purveyor of IVT but rather actively working to reduce IVT, then it can increase the odds that said company will obtain consent.
Seirmarco: It appears that appointment of data protection officers (“DPOs”) may not be getting as much mindshare as would be optimal. This may be especially true in the realm of digital advertising because advertisers and processors must appoint a DPO if their core activities require “regular and systematic monitoring” of EU data subjects, or if they’re processing “special categories” of personal information on a large scale.
Be sure to keep in mind that US-based companies without an EU affiliate may need to appoint an EU-based representative (or a European DPO), who will be the contact person for the EU authorities. Additionally, for certain European countries (e.g., the United Kingdom), your company may also have an obligation to register with the applicable data protection authority (DPA): https://www.dlapiperdataprotection.com/index.html?c=GB&c2=&t=registration
On a related topic, selection of DPOs may require additional thought. For businesses located outside of the EU, one should perhaps consider balancing the benefits of having an EU-based DPO (e.g., time zone, language) against the possible benefits of a DPO that might attain a deeper understanding of the business—and the GDPR’s precise applicability—because of consistent presence at the business.
Seirmarco: There is a possibility that the GDPR may harm trusted European publishers’ businesses if their revenue derived from digital advertising were to decline. In an age where marquee news organizations are struggling financially, even modest additional revenue declines could further undermine the fourth estate.
Seirmarco: I would urge any company looking to make significant, GDPR-based decisions to, at a minimum, do the following:
Seirmarco: Perhaps at the state level in the U.S., but, given where things have headed at the federal level with environmental protections, consumer financial safeguards, etc., it would be a bit surprising to see similar policies adopted any time soon.
That said, Australia, Canada, China, and other countries outside of the EU, have taken significant steps at the national level in the areas of information security and privacy, so the U.S. may actually be a near-term outlier.
Disclaimer: The content of this page reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC, “‘Fraud’ is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other legal proceedings, but rather a custom definition strictly for advertising measurement purposes.” Also per the MRC, “‘Invalid Traffic’ is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”