4. General Data Protection
Regulation (GDPR)
ePrivacy Regulation (ePR)
Area of focus
Protection of personal data
(Article 8 of the EU Charter of
Fundamental Rights)
Respect for private life and
communications (Article 7 of
the EU Charter of Fundamental
Rights)
Current status
Has entered in to force, and will
soon be applied.
Currently being negotiated.
Date of
application
25 May 2018
25 May 2018 (could be later -
Austrian Presidency?)
Geographic
impact
Global
European Economic Area
(may widen?)
5. “any information relating to an identified or
identifiable natural person ('data subject'); an
identifiable natural person is one who can be
identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person…”
-GDPR, Article 4
“Personal data”
6. “Single customer view”
Indirectly identifiable:
Netflix users’ TV & movies
Directly identifiable:
IP addresses, where ISP
can identify the subscriber
7. “Behavioural” ad targeting
& “programmatic” trading.
What this jargon means is: automatic
auctions for the right people’s attention.
10. ///
Visitor Site SSP Ad Exchange DSP DMP
serve page
request page
request bid
request segment
ad request
cookie to SSP
deliver ad
sync
deliver segment
sync
Ad request
Brand
$
store data
“Demand side”“Supply side”
17. Ad server SSP
Step 2.
Ad server
selects an SSP
Step 3.
SSP selects an
exchange
Step 7.
DSP serves
agency creative
Step 8.
Assets load
from CDN
Step 9.
Agency ad server
loads verification
vendor
ADVERTISERS
website.com
AD
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DMP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
DSP
W
inningbid
DSP
Ad server
javascript
SSP
javascript
DMP
DMP
DMP DMP
DSP
DSP
DSP
DSP
DSP
DSP
javascript
Ad server
javascript
Step 6.
Exchange serves
winning bid
Verification
javascript
Agency
ad server
Verification
vendor
Winning DSP
Step 1.
User requests
webpage
Ad exchange
Step 4.
Exchange sends
bid requests to
hundreds of
partners
Step 5.
Exchange lets
some DMPs/
DSPs to refresh
cookie sync
CDN
Channel of data leakage
Personal data
Legend
Money
DATA LEAKAGE
18. ///
Visitor Site SSP Ad Exchange DSP DMP
serve page
request page
request bid
request segment
ad request
cookie to SSP
deliver ad
sync
deliver segment
sync
Ad request
Brand
$
store data
“Demand side”“Supply side”
19. “Controller” “Processor” “Processor” “Processor”
Contract Contract Contract
Contracts required that determine the following:
• the nature of processing and its duration,
• the obligations of the “controller”,
• and a guarantee that the “processor” handles the data only as
dictated by documented instructions from the controller
GDPR requires a chain of accountability
22. Holding first-party personal data that are now non-compliant
Buying personal data (directly or indirectly identifiable) from other sources to augment
profiles
Buying behavioural ads online, which currently requires the sharing of personal data with
countless partners.
BROKER
3
2
1
Risk (brands)
23. All potentially liable!
The Courts
Multiple controllers and processors “involved in the same processing”
can each be held liable for damages awarded in a case.
A person can complain to the regulator, and at the same time go to court. And
can take the regulator to court for inaction.
Supervisory Authority ///
///
Visitor Site SSP Ad Exchange DSP DMP Brand
$
25. Consent
• Consent can not be disruptive. Must be obtained
freely, without detriment.
• Can not be buried in T&C. Must be specific and
informed.
26. Must inform in more detail
(while also being clearer),
and obtain specific consent
27. • Who or what type of party is receiving the data
• What are the purposes of processing, and legal basis for
that
• How long are the data stored (or what criteria determine
duration)
• If this giving that data is part of a contract what are the
consequences of not providing data
• If the data are being transferred to a third country, what
safeguards or binding corporate rules are in place?
• In cases of automated decision-making, including profiling,
what logic is applied and what is the significance of the
outcomes.
28. We would like to share your browsing
habits on our site with Brand Name and
their analytics partners, to understand
what offers may be of interest to you.
These data will be deleted
after 6 months. You can withdraw
permission at any time in My Data.
Learn more?
Pop-up Dialog
OKNo
Purpose of processing,
and notification of
profiling.
Article 13, para 1, c, and para 2, f.
Duration
Article 13, para 2, a.
Text links to tool for
withdrawing consent.
Article 7, paragraph 3.
Text links to tool to
complain to supervisory
authority, and to access,
correct, and transfer
data, etc.
Article 13, para 2, b, c, and d.
Can say no
Recital 42.
Details of recipients and
categories of recipients.
Text links to contact
details of the
controller and their
data protection officer.
Article 13, para 1, a, b, and e.
EXAMPLE OF A GDPR CONSENT REQUEST
Scenario: a website requests consent to share data with a brand for product offers
29. We would like to share your browsing
habits on our site with Brand Name and
their analytics partners, to understand
what offers may be of interest to you.
These data will be deleted
after 6 months. You can withdraw
permission at any time in My Data.
Learn more?
Pop-up Dialog
OKNo
Thinking of yourself as a visitor to websites,
what would you select if shown this message?
79%
21%
30. Please allow your browsing habits on our
sites to be shared with
We will then be able to identify offers that
are more interesting to you, and process
business transactions with our partners.
(Alternatively, we will use generic ads,
which might be less interesting to you.)
You can cancel at any time by clicking
the icon on any ad.
Learn more about your data.
Help us keep Example.com profitable
OKNo OK
6 months 12 months
Might GDPR consent requests look like this?
[Consortium] and its participants
duration
“Ad choices”
31. Please allow your browsing habits on our
sites to be shared with
Open ID participants
We will then be able to identify offers that
are more interesting to you, and process
business transactions with our partners.
(Alternatively, we will use generic ads,
which might be less interesting to you.)
You can cancel at any time by clicking
the icon on any ad.
Learn more about your data.
Help us keep Example.com profitable
OKNo OK
6 months 12 months
[Ad exchange]
[Ad exchange]
[DMP]
[DMP]
[DSP]
[DSP]
[Verification vendor]
i
i
i
i
i
i
i
[Consortium] and its participants
Might GDPR consent requests look like this?
Each
controller.
and
categories of
processors.
37. 51%
64%13%
Do you believe that users will opt-in to tracking for the
purposes of advertising?
No YesYes, if denied access to the site otherwise
1st party tracking on
a website
23%
0% 100% 200%
Can not deny access
Article 7(2) prohibits conditionality.
38. 3%46% 51%
64%13%
Do you believe that users will opt-in to tracking for the
purposes of advertising?
1st party tracking on
a website
3rd party tracking on
a website
23%
0% 100% 200%
No YesYes, if denied access to the site otherwise
39. 3%
3%32%65%
46% 51%
64%13%
Do you believe that users will opt-in to tracking for the
purposes of advertising?
No Yes, if denied access to the site otherwise Yes
1st party tracking on
a website
3rd party tracking on
a website
Tracking by any
party, anywhere on
the web
23%
0% 100% 200%
41. Needs “opt-in”
consent, but
user has little
incentive to
agree
4
Needs “opt-in”
consent, and
may get it
3
Can show an
“opt-out”
before using
data
2
Out of scope
of Regulation if
business is
modified
1
Already out of
scope of the
Regulation
0
GDPR scale (digital advertising)
5
Needs “opt-in”
consent, but is
unable to
communicate
with users
42. 5 Needs “opt-in” consent, but is unable to
communicate with users
4 Needs “opt-in” consent, but user has little
incentive to agree
• Facebook Audience Network
• WhatsApp advertising (see assumption 1)
3 Needs “opt-in” consent, and may get it
2 Can show an “opt-out” before using data
• NewsFeed ads (based only on personal data with no “special” personal data (e.g.
ethnicity, political opinion, religious or philosophical beliefs, sexual orientation),
unless marked “public” or visible to “friends of friends” (see assumptions 1 and 2)
• Instagram ads (see assumption 1)
1 Out of scope of the regulation, if business
is modified.
0 Already out of scope of the regulation.
Assumption 2. GDPR Article 6, paragraph 4, c, indicates a higher bar for “special categories of personal data” that reveal race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership,
or related to a data subject’s sex life or sexual orientation. However, this does not apply if the data have been “manifestly made public by the data subject” (GDPR, Article 9, paragraph 2, (e)). This may mean that the
publicity settings that a user places on their post will prevent or enable those posts to be mined for advertising.
GDPR scale: FACEBOOK
Assumption 1. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6,
paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR
Article 21, paragraph 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be
presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must
consider are “the impact of the further processing on the data subjects”.
43. Assumption 1. … the Article 29 Working Party’s opinion
on purpose limitation notes that among the various
things that the compatibility assessment must consider
are “the impact of the further processing on the data
subjects”.
44. Until this week, when we asked Facebook about it,
the world’s largest social network enabled advertisers
to direct their pitches to the news feeds of almost
2,300 people who expressed interest in the topics of
“Jew hater,” “How to burn jews,” or, “History of ‘why
jews ruin the world.’”
To test if these ad categories were real, we paid $30
to target those groups with three “promoted posts” —
in which a ProPublica article or post was displayed in
their news feeds. Facebook approved all three ads
within 15 minutes.
45. 5 Needs “opt-in” consent, but is unable to
communicate with users
4 Needs “opt-in” consent, but user has little
incentive to agree
• Most personalized AdWords ads on Google properties including Search,
Youtube, Maps, and the Google Network (including “remarketing”,“affinity
audiences” , “in-market audiences”, “demographic targeting”, "similar
audiences”, “Floodlight” cross-device tracking), “customer match”,
“remarketing” (see assumption 1)
• Gmail ads
• Programmatic services (DoubleClick)
3 Needs “opt-in” consent, and may get it
2 Can show an “opt-out” before using data • Location targeting in Maps (see assumption 2)
1 Out of scope of the regulation, if business
is modified.
• AdWords (if all personalized features are removed) on Google properties
including Search, Youtube, Maps
0 Already out of scope of the regulation. • “Placement-targeted” ads on Google properties.
Assumption 1. That the average user does not “sign in” to Google Search or Chrome. If, however, users did sign in then Google may be able to further process their data for other purposes.
GDPR scale: GOOGLE
Assumption 2. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6,
paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR
Article 21, paragraph 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be
presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must
consider are “the impact of the further processing on the data subjects”.
46. Agencies
Agency
Trading Desks
DSPs Exchanges
Sharing Data /
Social Tools
SSPs
Publisher
Tools
Ad Servers
Media Mgmt Systems and Operations
DMPs and Data
Aggregators
Data Suppliers
Media Planning
and Attribution
Creative
Optimization
Retargeting
Verification /
Privacy
Measurement
and Analytics
Ad Servers
Tag Mgmt
Ad Networks
Vertical / Custom
Targeted Networks/AMPs
Performance
Mobile
M
A
R
K
E
T
E
R
P
U
B
L
I
S
H
E
R
C
O
N
S
U
M
E
R
47. Sharing Data /
Social Tools
SSPs
Publisher
Tools
Ad Servers
P
U
B
L
I
S
H
E
R
C
O
N
S
U
M
E
R
GDPR
AND
THE
LUMA-
SCAPE
DMPs and Data
Aggregators
Data Suppliers
Agencies
Agency
Trading Desks
DSPs Exchanges Ad Networks
Media Mgmt Systems and Operations
Media Planning
and Attribution
Creative
Optimization
Retargeting
Verification /
Privacy
Measurement
and Analytics
Ad Servers
Tag Mgmt
M
A
R
K
E
T
E
R
Vertical / Custom
Targeted Networks/AMPs
Performance
Mobile
Risk Legend
Needs consent,
unlikely to get it
Needs consent,
may get it
OK, if users have
consented for
“compatible” uses,
and do not opt out
when notified.
Out of scope of
Regulation if
business is modified
Already out of
scope of the
Regulation
50. PLAN “A”:
SEEK CONSENT (AND
END DATA LEAKAGE).
PEOPLE WILL OPT-IN TO TRACKING FOR ADS?
BUT... HOW CONFIDENT ARE YOU THAT
51. How confident are you
that the average user
will click ‘OK’ to share
data with other
companies?
0% 100% 200%
32% 32% 21% 12%
4%
Not at all To a small degree Moderately Highly Very highly
52. Not at all
How confident are you
that the average user
will click ‘OK’ to share
data with other
companies?
0% 100% 200%
To a small degree Moderately Highly Very highly
How concerned are you
about your online
behaviour being
tracked?
5% 7%
21% 35% 32%
32% 32% 21% 12%
4%
54. Sharing Data /
Social Tools
SSPs
Publisher
Tools
Ad Servers
P
U
B
L
I
S
H
E
R
C
O
N
S
U
M
E
R
DMPs and Data
Aggregators
Data Suppliers
Agencies
Agency
Trading Desks
DSPs Exchanges Ad Networks
Media Mgmt Systems and Operations
Media Planning
and Attribution
Creative
Optimization
Retargeting
Verification /
Privacy
Measurement
and Analytics
Ad Servers
Tag Mgmt
M
A
R
K
E
T
E
R
Vertical / Custom
Targeted Networks/AMPs
Performance
Mobile
Risk Legend
Needs “opt-in”
consent, but is unable
to ask
Needs consent,
unlikely to get it
Needs consent,
may get it
OK, if users have
consented for
“compatible” uses,
and do not opt out
when notified.
Out of scope of
Regulation if business
is modified
Already out of scope
of the Regulation
55. DMPs and Data
Aggregators
Data Suppliers
Agencies
Agency
Trading Desks
DSPs Exchanges Ad Networks
Sharing Data /
Social Tools
SSPs
Ad Servers
Media Mgmt Systems and Operations
Media Planning
and Attribution
Creative
Optimization
Retargeting
Verification /
Privacy
Measurement
and Analytics
Ad Servers
Tag Mgmt
M
A
R
K
E
T
E
R
P
U
B
L
I
S
H
E
R
C
O
N
S
U
M
E
R
Vertical / Custom
Targeted Networks/AMPs
Publisher
Tools
Performance
Mobile
Risk Legend
Needs “opt-in”
consent, but is unable
to ask
Needs consent,
unlikely to get it
Needs consent,
may get it
OK, if users have
consented for
“compatible” uses,
and do not opt out
when notified.
Out of scope of
Regulation if business
is modified
Already out of scope
of the Regulation
56. Sharing Data /
Social Tools
SSPs
Ad ServersM
A
R
K
E
T
E
R
P
U
B
L
I
S
H
E
R
C
O
N
S
U
M
E
R
Publisher
Tools
Data
Protection
Platform
DMPs and Data
Aggregators
Data Suppliers
Agencies
Agency
Trading Desks
DSPs Exchanges Ad Networks
Media Mgmt Systems and Operations
Media Planning
and Attribution
Creative
Optimization
Retargeting
Verification /
Privacy
Measurement
and Analytics
Ad Servers
Tag Mgmt
Vertical / Custom
Targeted Networks/AMPs
Performance
Mobile
Risk Legend
Needs “opt-in”
consent, but is unable
to ask
Needs consent,
unlikely to get it
Needs consent,
may get it
OK, if users have
consented for
“compatible” uses,
and do not opt out
when notified.
Out of scope of
Regulation if business
is modified
Already out of scope
of the Regulation
57. Agencies
Agency
Trading Desks
DSPs Exchanges Ad Networks
Sharing Data /
Social Tools
SSPs
Ad Servers
Media Mgmt Systems and Operations
Media Planning
and Attribution
Creative
Optimization
Retargeting
Verification /
Privacy
Measurement
and Analytics
Ad Servers
Tag Mgmt
M
A
R
K
E
T
E
R
P
U
B
L
I
S
H
E
R
C
O
N
S
U
M
E
R
Vertical / Custom
Targeted Networks/AMPs
Performance
Mobile
Consumer Brand
Loyalty Schemes
Publisher
Tools
Data
Protection
Platform
Data Suppliers
DMPs and Data
Aggregators
Risk Legend
Needs “opt-in”
consent, but is unable
to ask
Needs consent,
unlikely to get it
Needs consent,
may get it
OK, if users have
consented for
“compatible” uses,
and do not opt out
when notified.
Out of scope of
Regulation if business
is modified
Already out of scope
of the Regulation
59. tracking choices that must be shown at installation
based on the draft text proposed by the European Commission, January 2017
Tracking Preferences
Accept all cookies
Accept only first party cookies
Reject all cookies
SELECT AN OPTION TO CONTINUE
This is the list of
options described in
Recital 23, and
required in Article
10.
Article 10, para. 2,
says that a user must
select an option
before installation
can continue.
60. Tracking Preferences
Amended Recital 23
makes rejection of
third party
trackers and
cookies the default.
Accept all tracking
Reject all tracking
OK
Reject tracking unless strictly
necessary for services I request
Accept only first party tracking
this is proposed in
recital 23 as amended,
(but it seems redundant,
since recital 21 says that
consent is not required
for “technical storage
or access which is
strictly necessary and
proportionate for … the
use of a specific service
explicitly requested by
the user”.)
based on the text as amended by the European Parliament LIBE Committee’s Rapporteur’s draft report, June 2017
tracking choices that must be shown at installation
61. Tracking Preferences
Accept all tracking
Reject all tracking
OK
Reject tracking unless strictly
necessary for services I request
Accept only first party tracking
What will people click?
56%
20%19%
5%
65. 1. Much online ad tech exposes
personal data to unwarranted parties.
2. The consenting audience will be tiny.
3. Using non-personal data are the
answer.
@johnnyryanSummary