1. The GDPR significantly changes data protection requirements for companies doing business in the EU and increases obligations for advertisers and networks/publishers who can now be jointly liable. It comes into effect in May 2018 with fines up to 4% of global revenue.
2. Under the GDPR, personal data is more broadly defined and users have more rights around consent, access, and removal of their data. Requirements around ad profiling and tracking remain unclear as guidance is still pending.
3. Companies should map their data flows, review consents and policies, and engage regulators to understand impacts on their business from the GDPR. Industry alignment with the FTC is also discussed.
Discussion of the main elements of the draft Data Protection Regulation: what difference will it make to industry practice and user rights to control their data?
The EU’s General Data Protection Regulation (GDPR) is the most significant change to consumer privacy laws in decades and the enforcement date is approximately 1 month away. The standards for data collection and use in the EU will significantly differ from those in the United States. This session will break down the differences and discuss methods for compliance going forward.
PRESENTER
Gary Kibel, Partner, Davis & Gilbert LLP @GaryKibel
GDPR Is Coming – Are Search Marketers Ready? (MediaPost)
From the FinTech Webinar Series. Explores:
1. Storage and Processing of Data in “the Cloud”
2. Mobile Devices and Mobile Apps
3. “Big Data”
4. Security and Privacy Issues in Third-Party Contracts
5. Data Security and Corporate Governance
6. International Privacy and Data Security
7. Data Security as a National Security Concern: Legislation and Executive Initiatives
Linking Data: The Legal Implications - SemTech2010 (mleyden)
To date most of the focus on the Semantic Web has, quite rightly, been on the enabling technologies. However, as the technologies are becoming more mainstream, and as ever increasing volumes of Linked Data are produced, the implications of linking this data become more of an issue. This presentation highlights some of the current thinking as to the possible legal implications of linking data while discussing some solutions that are emerging.
eMetrics Summit Boston 2014 - Big Data for Marketing - Privacy Principles & P... (Aurélie Pols)
Advertisers are collecting as much data as possible in order to sell finely targeted audiences to corporations. Privacy advocates are trying to wake up the populace to the continuous loss of civil liberties. Marketers are just trying to use the best tools to sell more stuff without alienating the public. Aurélie offers up a global view of privacy rules and regulations to highlight how the upcoming European Union Personal Data Protection Regulation will influence digital analytics around the world. Then David identifies key data collection and usage issues and discusses ways to obtain the data we need while maintaining the trust and confidence of those we need to reach.
Ethical, Social, and Political Issues in E-commerce (Nor Ayuzi Deraman)
Internet, like other technologies, can:
Enable new crimes
Affect environment
Threaten social values
Costs and benefits must be carefully considered, especially when there are no clear-cut legal or cultural guidelines
This presentation explores the risk facing all charities and businesses if adequate thought is not given to the protection and security of one of its most treasured assets, its website.
Our yearly INFOMAGAZINE features technical articles and covers the latest technology advancements, innovative projects, new products, service capabilities, business news and market developments covering all aspects of the IT protection, optimization and control.
In this issue we are FOCUSING ON GDPR COMPLIANCE, new technologies such as protection against cryptolocker, advanced threats, monitoring and optimization tools, cryptography trends and many more… all missing pieces of puzzle in user’s IT and idea to offer partners and customers new technologies for successful planning.
Managing Privacy Maximizing Data In Affiliate Marketing Gary Kibel (Affiliate Summit)
Affiliate marketing thrives on valuable data, such as lead gen, email marketing and campaign results/statistics. Privacy, data and security issues are critical today, especially in an industry where valuable data is a competitive advantage.
Gary Kibel, Partner, Davis & Gilbert LLP (Twitter @GaryKibel_law)
IBM Smarter Commerce Florida 2014 The Future of Privacy by Aurélie Pols & Bl... (FLUZO)
In a data driven economy, analysts must be concerned with how data is collected, processed and subsequently used to improve online customer experiences, during those moments that matter.
Unlocking Value & Controlling Risk by #MindYourPrivacy
Does your company adequately manage and control the Data Life Cycle? Are you aware of European Privacy fines? Did the Target security breach that emanated through a 3rd party worry you and make you wonder about where to start?
The Evolution of Data Privacy - A Symantec Information Security Perspective o... (Symantec)
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation is designed to update the current legislation, which was drafted in a time that was, in technology terms, prehistoric.
The Data Protection Directive, drafted back in 1995, harks back to a time when data processing was more about filing cabinets than data rack enclosures. It’s time to evolve.
Talk by Polina Zvyagina, Airbnb (San Francisco), at Stanford Engineering on February 25 2019, Session #6: 'Growing ‘Bitcoin Cities’ Across the Globe from Slovenia || GDPR Compliance Case Study || EU Digital Economy Policy'.
Website: http://www.StanfordEuropreneurs.org
YouTube Channel: https://www.youtube.com/user/StanfordEuropreneurs
Twitter: @Europreneurs
TrustArc Webinar - Advertising, Privacy, and Data Management Working Together (TrustArc)
Today, more and more companies use advertising technologies (AdTech) to reach their consumers and better understand their preferences. This can lead to multiple data protection risks. Data privacy awareness is increasing due to seismic developments in the industry brought about by key players such as Google and Apple. In parallel, global regulations set stricter guidelines around the collection, storage, and use of personal data.
This is not over. With the decisions coming out soon on analytics, how will the advertising technologies landscape adjust? Ultimately, how can advertising, privacy, and data management work together?
Our panel in this webinar explored the practical steps your organization should take to ensure that its digital advertising practices are compliant with data protection laws.
This webinar reviews:
- The current practices and developments in the AdTech industry
- The laws and regulations governing AdTech
- How to address the privacy issues related to advertising technology
GDPR: A Threat or Opportunity? www.normanbroadbent. (Steven Salter)
With General Data Protection Regulation (GDPR) a legal requirement for all UK companies from May 2018, there have been numerous articles written either demonstrating the confusion surrounding the new regulations, or detailing the downsides of the legislation.
Understanding the EU's new General Data Protection Regulation (GDPR) (Acquia)
In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation, the GDPR does not require the implementation of legislation, and will immediately become an applicable law as of the 25th of May, 2018.
What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
In short, organizations that conduct business in the EU will need to be compliant with GDPR, and must come to terms with the huge fines that non-compliance can carry. Fines can be up to €20M or 4% of the annual turnover. For companies that experience breaches that result in the loss of personal data (such as Talk Talk, which lost 170,000 people’s data), the fines will be tremendous.
Join us for discussion about GDPR to learn more about:
The principles that organizations that use personal data need to adhere to
The consequences organizations can face if they do not adhere to this new regulation
How your organization can prepare for the future
Data protection is all about respecting an individual’s right to privacy and the new data protection regulations, currently going through final review by the European parliament, will provide organizations with the momentum they need to manage their data more effectively. But what do you need to do in order to ensure your organization complies with data protection legislation while increasing customer satisfaction?
Designing for Privacy in an Increasingly Public World
GDPR - Applift firstscreen june 2016
1. Why You Should Pay Attention to the GDPR*
FirstScreen Conference
Berlin, June 15, 2016
Saira Nayak, Chief Privacy Officer
*not legal advice
2. One way to address data protection/privacy in ads...
"The internet is the world's largest tracking machine, and anything that can be tracked, will be tracked, so the only way to deal with it is to: embrace the tracking* and say how do we civilize it... tame it.. domesticate it?"
Kevin Kelly, “The Inevitable”
*get over it
3. Today’s Discussion
1. What is the GDPR? Why should you care?
2. Ad ecosystem under current EU law vs. GDPR
3. US alignment with EU approach
4. Safe Harbor/Privacy Shield update
5. What you should be doing now to get ready.
4. What’s in a word?
For purposes of this discussion:
Privacy = end user rights around collection, use and sharing of “personal data” i.e. something that can identify the individual person.
Data = contractual requirements that secure data between companies, or mobile platform requirements e.g. Apple’s developer guidelines for IDFAs.
Security = practices that companies use to “secure” data; security is often defined in terms of how much the data is de-identified or anonymized.
5. 1. Why we should pay attention to the GDPR
● GDPR = General Data Protection Regulation
● Comes into force: May 2018
● Significantly changes data protection requirements for companies doing business in all 28 EU Member States and the EEA
● Increases obligations on advertisers, and for the first time, includes potential liabilities for networks and publishers too.
● Fines = up to 4% of global revenue
Isabelle Falque-Pierrotin of the CNIL.
6. 2. Ad ecosystem under current EU law
Publishers
● Typically an advertiser who is interested in monetizing its app traffic
● As a data controller or first party, still holds primary responsibility for data protection & privacy compliance
Ad Network
● Usually classified as a data processor (EU) or third party (US)
● Can be viewed as a data controller if it determines “purpose and means” of the processing...
Advertisers
● Classified as a data controller (EU) or a first party (US)
● As a data controller or first party, holds primary responsibility for data protection & privacy compliance
7. 2. Ad ecosystem under GDPR
Advertisers, Networks and Publishers can be jointly responsible and liable for data protection violations.
8. 2. GDPR: Personal Data
● Personal data has now been expanded to include location data or an online identifier linked to the following: “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Sensitive data (requires opt-in) - now includes biometrics, genetics and sexual orientation.
How will this impact: advertising, biometrics, internet of things, robotics, wearables?
● Technical identifiers that are “pseudonymized” are exempt from access, data portability and right to be forgotten requirements.
9. 2. GDPR: Profiling & Tracking
Requirements around ad profiles/tracking remain unclear.
● GDPR specifies “unambiguous consent” from end users when collecting personal data (including IP addresses, ad IDs).
● But data processing OK if it’s in the “legitimate interest” of data controller OR to further a contract between end user and data controller.
● For now:
○ Upcoming Guidance on consent and profiling; UK DPA leading.
○ Industry groups e.g. IAB UK, are liaising with EU regulators to figure out how GDPR will apply to advertising, mobile, internet of things.
10. 2. GDPR: Other issues to watch
Evidencing Operational Privacy
● Everyone is going to need to demonstrate Accountability through a comprehensive data management program, headed by a data protection officer
New End User Rights
● 72 hour data breach notification
● Right to be forgotten (for personal data that isn’t pseudonymous)
● Data Portability (for personal data that isn’t pseudonymous)
● Children’s privacy law (age by individual country, under 13-16 years)
11. 2. Will EU COPPA follow US rules?
● US COPPA - “verified parental consent” when targeting kids under 13
● Even if you don’t target kids, but think kids are on your app/site, you need an age-gate (cc: Yelp)
● COPPA was the first law in the world to categorize tech IDs, ad IDs and other “persistent identifiers” as “personal data”
Advertisers and Publishers are responsible for COPPA compliance on their apps
Networks are responsible for COPPA compliance only if they have actual knowledge that they are targeting ads to kids under 13.
12. 3. What’s the FTC focused on nowadays?
Cross Device
Native Advertising
Mobile Platform Security Practices
Transparency, including ad disclosures
Children’s Privacy (COPPA)
13. 3. US-FTC alignment with GDPR position?
Definitely. There’s COPPA. And check out these recent comments and blog post from the FTC’s Jessica Rich:
"Even without a name, you can learn a lot about people if you use a persistent identifier to track their activities over time on a particular device. You also can communicate with them. So what does that mean for the online advertising industry? If you’re collecting persistent identifiers, be careful about making blanket statements to people assuring them that you don’t collect any personal information or that the data you collect is anonymous. And as you assess the risks to the data you collect, consider all your data, not just the data associated with a person’s name or email address."
14. 4. Safe Harbor & Privacy Shield update
● In October 2015, the EU’s Court of Justice declared Safe Harbor “inadequate” for EU to US transfers of personal data.
● Companies are scrambling to get contracts in place to address the gap, e.g. EU model clauses (validity is also in doubt, FB case before ECJ).
● So far, EU and US negotiators haven’t been able to reach a decision on Safe Harbor 2.0 aka “Privacy Shield.”
● At issue: data retention, ability of EU citizens to sue US companies
15. 5. Takeaways?
● Pull together a cross-functional team to figure out how the GDPR applies to your business (legal, engineering, product, marketing, etc.)
● Map your data flows - end user, vendor, HR, etc.
● Then, map your upstream and downstream data relationships. Clients. Vendors. Users. Make sure you are covered on EU obligations.
● Get even more transparent with your privacy policy and consents.
● Consider a certification to evidence Accountability - eDAA, ePrivacy
16. 5. Takeaways
● Get involved with industry groups who can educate EU regulators about how the European ad ecosystem works, and who it benefits.
● Challenge some assumptions?
➔ Does hashing really protect end user privacy?
○ If an ad ID can be reset by the end user, why should we hash an ad ID?
○ If all you have is a dynamic IP address, and a digital fingerprint, can you truly identify an end user?
➔ Is end user consent necessary if data collection is needed to deliver, optimize, or revolutionize your app or service?
● Are these issues related to other important things you might be thinking about? Fraud …. Ad blockers…. Staying in the game.
17. 6. Resources
GDPR
Ambiguity of Unambiguous Consent by Phil Lee, FieldFisherWaterhouse
What’s Relevant for Cookies, etc. under GDPR, by Christoph Bauer of ePrivacy
Privacy Shield
Don’t Hold your Breath (for Privacy Shield), ArsTechnica
Don’t Cut off your Nose to Spite your Face (said my grandmother), by Jules Polonetsky, Future of Privacy
US & Industry Best Practices
FPF-CDT Best Practices (for Mobile App developers):
Privacy on the Go (CA privacy rules):
FTC “Start with Security” (US - data security guidelines for mobile apps):
Importance of Securing Data (TUNE guidance on how the TMC secures data)
18. Thank You !
Especially Thomas, Johana, Svenja and Andrew
Saira Nayak
Chief Privacy Officer
saira@tune.com
@SairaNayak