4. Contents
1. What the new European rules (the GDPR and the ePR) are.
   (a) Global impact and risk
2. The three big challenges for online media & advertising.
3. Outlook
   (a) Adtech data players.
   (b) Google.
   (c) Facebook.
   (d) Publishers.
5. General Data Protection Regulation (GDPR) and ePrivacy Regulation (ePR) compared

Area of focus
  GDPR: Protection of personal data (Article 8 of the EU Charter of Fundamental Rights)
  ePR: Respect for private life and communications (Article 7 of the EU Charter of Fundamental Rights)
Current status
  GDPR: Has entered into force, and will soon be applied.
  ePR: Currently being negotiated between lawmaking institutions.
Date of application
  GDPR: 25 May 2018
  ePR: 25 May 2018 (or later)
Geographic impact
  GDPR: Global
  ePR: European Economic Area (may widen)
6. Geographic scope
European Economic Area: 513+ million people
• Processing data by, or for, an EU business.
• Businesses that offer services to, or sell to, or monitor and profile users in the EU.
7. Penalties
4% of total worldwide annual turnover (or €20M, whichever is higher)
for infringements related to the legal basis for processing, consent, and processing of sensitive data (including profiling), notification about users' rights and the processing of their data, the rights of users (e.g. data rectification, erasure, portability, etc.), transfers of data outside of the EU, and failure to comply with a supervisory authority’s order to cease processing or to suspend a data flow.
2% of total worldwide annual turnover (or €10M, whichever is higher)
for infringements relating to the consent of a child, processing that does not require identification, data protection by design, the tasks of the data protection officer, and certification.
Plus court actions by data subjects and their representatives.
8. 3 Big Challenges
1. Risk: Not getting consent
2. Risk: Data leakage
3. Risk: Data portability
9. “Personal data”
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
- GDPR, Article 4
10. “Single customer view”
Indirectly identifiable: Netflix users’ TV & movies
Directly identifiable: IP addresses, where the ISP can identify the subscriber
11. Tracking Preferences
TRACKING QUESTIONS THAT MUST BE ASKED AT INSTALLATION
(based on the e-Privacy Regulation draft text amended by the European Parliament LIBE Committee’s Rapporteur’s draft report, June 2017)
Mock-up of the menu:
• Accept all tracking
• Reject all tracking
• Reject tracking unless strictly necessary for services I request
• Accept only first party tracking
[OK]
Notes on the mock-up:
• Browsers etc. must present users with a menu like this the first time they are used. This is the list of options described in Recital 23, and required in Article 10.
• Amended Recital 23 makes rejection of third party trackers and cookies the default.
• The strictly-necessary option is proposed in Recital 23 as amended, but Recital 21 says that consent is not required for “technical storage or access which is strictly necessary and proportionate for … the use of a specific service explicitly requested by the user”.
12. Example of a GDPR consent request
Scenario: a website requests consent to share data with a brand for product offers.
Pop-up dialog text:
  We would like to share your browsing habits on our site with Ad Name and their analytics partners, to understand what offers may be of interest to you. These data will be deleted after 6 months. You can withdraw permission at any time in My Data. Learn more?
  [OK] [No]
Annotations (which GDPR provision each element of the dialog satisfies):
• Purpose of processing, and notification of profiling: Article 13, para 1, c, and para 2, f.
• Duration: Article 13, para 2, a.
• Text links to tool for withdrawing consent: Article 7, paragraph 3.
• Can say no: Recital 42.
• Details of recipients and categories of recipients; text links to contact details of the controller and their data protection officer: Article 13, para 1, a, b, and e.
• Text links to tool to complain to supervisory authority, and to access, correct, and transfer data, etc.: Article 13, para 2, b, c, and d.
13. Might GDPR consent requests look like this?
Mock-up of a consent dialog:
  Please allow your browsing habits on our sites to be shared with [Consortium] and its participants.
  We will then be able to identify offers that are more interesting to you, and process business transactions with our partners. (Alternatively, we will use generic ads, which might be less interesting to you.)
  You can cancel at any time by clicking the icon on any ad.
  Learn more about your data.
  Help us keep Example.com profitable
  Duration options: 6 months / 12 months
  [OK] [No]
Overlaid on the dialog, the slide also lists bracketed recipient placeholders: [DSP], [Verification vendor], [Ad exchange], [DMP].
14. Consent
GDPR & ePrivacy Regulation: Businesses must obtain consent to use personal data.
• It must be specific and informed. Can not be buried in “Terms & Conditions”.
• Consent can not be disruptive. Must be obtained freely, without detriment. (Consent walls may or may not be permissible.)
You must tell the user:
• Who or what type of party is receiving the data
• What are the purposes of processing, and the legal basis for that
• How long the data are stored (or what criteria determine duration)
• If giving the data is part of a contract, what are the consequences of not providing data
• If the data are being transferred to a third country, what safeguards or binding corporate rules are in place
• In cases of automated decision-making, including profiling, what logic is applied and what is the significance of the outcomes
15. User controls
• Ability to opt-out at any time
• Ability to delete one’s data
• Ability to move one’s data to another service
16. Risk: how a ‘programmatic’ ad is served
Parties in the diagram: Visitor, Site, SSP, Ad Exchange, DSP, $Brand DMP.
Message sequence (labels as drawn on the slide): request page; request segment; sync; deliver segment; serve page; ad request; cookie to SSP; ad request; request bid; deliver ad; sync; store data.
17. Risk: GDPR requires a new chain of accountability
“Controller” -> “Processor” -> “Processor” -> “Processor”, with a contract at each link.
Contracts required that determine the following:
• the nature of processing and its duration,
• the obligations of the “controller”,
• and a guarantee that the “processor” handles the data only as dictated by documented instructions from the controller
18. Risk: data leakage in online advertising
This is the current process of real-time bidding that is used in online behavioural advertising.
Parties in the diagram: Advertisers; website.com; Ad server (javascript); SSP (javascript); Ad exchange; many DMPs and DSPs; Winning DSP; Agency ad server; Verification vendor (javascript); CDN.
Legend: Personal data; Money; Channel of data leakage.
Step 1. User requests webpage
Step 2. Ad server selects an SSP
Step 3. SSP selects an exchange
Step 4. Exchange sends bid requests to hundreds of partners
Step 5. Exchange lets some DMPs/DSPs refresh cookie sync
Step 6. Exchange serves winning bid
Step 7. DSP serves agency creative
Step 8. Assets load from CDN
Step 9. Agency ad server loads verification vendor
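The bidding flow of slides 13 to 15, as an added example that is not from the deck: a small Python model of the hops, of the controller-to-processor contract chain, and an audit that lists which recipients of personal data sit outside both that chain and the user's consent. Party names, field names and the contract set are constructed placeholders.

```python
from dataclasses import dataclass

PERSONAL = {"ip", "cookie_id", "url", "segment"}  # identifiers, GDPR Article 4
BID_REQUEST = frozenset(PERSONAL)  # what every bidder receives in step 4

@dataclass(frozen=True)
class Hop:
    step: int          # step number from the slide
    sender: str
    receiver: str
    fields: frozenset  # data fields carried on this hop

def rtb_flow(bidders, winner, site="website.com"):
    """Steps 1-7 of the slide. Every bidder receives the full bid request
    whether or not it wins; the winner also sees the visitor when the creative
    is served. Party names are constructed placeholders."""
    hops = [Hop(1, "visitor", site, frozenset({"ip", "url"})),
            Hop(2, site, "ad_server", frozenset({"ip", "url", "cookie_id"})),
            Hop(2, "ad_server", "ssp", frozenset({"ip", "url", "cookie_id"})),
            Hop(3, "ssp", "exchange", BID_REQUEST)]
    for b in bidders:                                   # step 4: fan-out
        hops.append(Hop(4, "exchange", b, BID_REQUEST))
        hops.append(Hop(5, "visitor", b, frozenset({"cookie_id"})))  # cookie sync
    hops.append(Hop(6, "exchange", "ssp", frozenset({"cookie_id"})))
    hops.append(Hop(7, "visitor", winner, frozenset({"ip"})))        # creative
    return hops

def accountable(contracts, controller):
    """Parties reachable from the controller through a chain of processor contracts."""
    covered, frontier = {controller}, [controller]
    while frontier:
        a = frontier.pop()
        for x, y in contracts:
            if x == a and y not in covered:
                covered.add(y)
                frontier.append(y)
    return covered

def audit(hops, contracts, consent_recipients, controller="website.com"):
    """Map every receiver of personal data that is neither in the contract chain
    nor named in the user's consent to the personal fields it obtained."""
    covered = accountable(contracts, controller) | set(consent_recipients)
    findings = {}
    for h in hops:
        leaked = h.fields & PERSONAL
        if leaked and h.receiver != "visitor" and h.receiver not in covered:
            findings.setdefault(h.receiver, set()).update(leaked)
    return findings
```

Losing bidders are the interesting output: they obtained the full bid request and a synced cookie while serving no purpose the user consented to.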
19. Risk (brands)
1. Holding first-party personal data that are now non-compliant
2. Buying personal data (directly or indirectly identifiable) from other sources to augment profiles
3. Buying behavioural ads online, which currently requires the sharing of personal data with countless partners.
Diagram label: BROKER.
20. Risk: all potentially liable!
Multiple controllers and processors “involved in the same processing” can each be held liable for damages awarded in a case.
A person can complain to the regulator, and at the same time go to court. And can take the regulator to court for inaction.
Diagram: Visitor, Site, SSP, Ad Exchange, DSP, DMP and $Brand, all facing The Courts and the Supervisory Authority.
23. Outlook: Facebook
Levels 4 to 0:
4. Must ask for specific consent for these specific purposes, and can not deny access to the service if the user says “no”.
   • Facebook Audience Network
   • WhatsApp advertising (see assumption 1)
3. Requires consent, but likely to obtain.
2. Can use consent obtained for other purposes, but must inform users and show how to opt-out.
   • News Feed ads (based only on personal data with no “special” personal data (e.g. ethnicity, political opinion, religious or philosophical beliefs, sexual orientation), unless marked “public” or visible to “friends of friends”) (see assumptions 1 and 2)
   • Instagram ads (see assumption 1)
1. Out of scope of the regulation, if business is modified.
0. Already out of scope of the regulation.
Assumption 1. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6, paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR Article 21, paragraphs 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must consider are “the impact of the further processing on the data subjects”. The recent Facebook scandal over the segmentation of teens who “feel worthless” is relevant.
Assumption 2. GDPR Article 6, paragraph 4, c, indicates a higher bar for “special categories of personal data” that reveal race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, or related to a data subject’s sex life or sexual orientation. However, this does not apply if the data have been “manifestly made public by the data subject” (GDPR, Article 9, paragraph 2, (e)). This may mean that the publicity settings that a user places on their post will prevent or enable those posts to be mined for advertising.
24. Outlook: Facebook
Sources quoted on the slide: 10-K, 3 February 2017; Q2 earnings call, 26 July 2017.
25. Outlook: Google
Levels 4 to 0:
4. Must ask for specific consent for these specific purposes, and can not deny access to the service if the user says “no”.
   • Most personalized AdWords ads on Google properties including Search, Youtube, Maps, and the Google Network (including “remarketing”, “affinity audiences”, “in-market audiences”, “demographic targeting”, “similar audiences”, “Floodlight” cross-device tracking), “customer match”, “remarketing” (see assumption 3)
   • Gmail ads
   • Programmatic services (DoubleClick)
3. Requires consent, but likely to obtain.
2. Can use consent obtained for other purposes, but must inform users and show how to opt-out.
   • Location targeting in Maps (see assumption 1)
1. Out of scope of the regulation, if business is modified.
   • AdWords (if all personalized features are removed) on Google properties including Search, Youtube, Maps
0. Already out of scope of the regulation.
Assumption 1. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6, paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR Article 21, paragraphs 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must consider are “the impact of the further processing on the data subjects”. The recent Facebook scandal over the segmentation of teens who “feel worthless” is relevant.
Assumption 3. That the average user does not “sign in” to Google Search or Chrome. If, however, users did sign in then Google might be able to further process their data for other purposes.
28. Summary
(a) Advertising technology and data businesses face enormous disruption.
(b) Parts of Google will be disrupted.
(c) Parts of Facebook will be disrupted.
(d) Publishers face short term difficulty, but have the potential to transform their position.
(e) Trust in websites, rather than clicks, may become the key currency.