April 23, 2018

What is the GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. When the GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC). This will be effective May 25, 2018.

The GDPR says that if you process the personal data (like IP addresses or cookies) of EU residents, or offer goods and services aimed at EU residents, the GDPR applies to you. So, even if you’re an American company or site, the GDPR is something you need to comply with.

How does the GDPR affect programmatic buying partners?
Most ad platforms collect user data for the purposes of delivering targeted and relevant advertisements. They receive data passed to through SDKs, SSPs, exchanges, attribution partners, and 3rd party data partners. Their efforts to become compliant with GDPR have introduced opportunities to clarify their relationships with data partners, streamline their data processing controls, and help data subjects understand and directly manage uses of their personal data.

How are TBG partners preparing for compliance?


Sizmek: “We have an entire team dedicated to this change due to our International footprint. The treatment of these residents in the US is a factor but there are certainly many more areas of the statue to prioritize.”

Media IQ: “The compliance process has been a 4-stage journey that MiQ has conducted with privacy specialists at Squire Patton Boggs. MiQ is now in the final implementation phase of this process, the bulk of which will be completed in Q1 2018. As for our clients there will be an alteration to our Terms and Conditions in order to bring them into alignment with the new laws. We will be able to share these new terms with clients toward the end of Q1 2018.”

Foursquare: “We are in the process of completing a gap analysis and evaluating our approach to complying with the Regulation. We intend to update our privacy policy to reflect our EU processing activities. We intend to enhance our internal compliance program, which includes reviewing our products to ensure they meet EU regs and integrating privacy by design into the product lifecycle and that we can comply with the new rights given to data subjects. We are continually reviewing and improving our data security program as is appropriate.”

Bidtellect: “We are entering into an integration with the DigiTrust consortium that will provide us pre-opted in persistent Global IDs and will only deliver impressions and collect any data on those provided through the trust. Additionally, we pseudonymize our data by deprecation of the last octet of any recorded IP, encryption of device or global ID, and drop any 3rd party PII data from our logs. We also maintain and enforce processes to physically and electronically secure our data proportionate to the risk. We only maintain data for the minimum amount of time to fulfill its purpose.”

LinkedIn: “LinkedIn will post a GDPR overview and FAQs for customers on its external webpage, post an updated Data Processing Agreement (effective immediately upon posting), post an updated Privacy Policy (binding on its effective date) and communicate links to these updated documents to all customers.”

GDPR Helpful Resources:
IAB EU General Site
IAB EU Compliance Info
EU Commission