The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. Learn about the regulation and its impact on the digital advertising industry. Want to better understand GDPR’s impact on your business’s data processing activities? IAB and the IAB Global Network are here to help you navigate this new regulation.
What is GDPR?
The GDPR establishes new requirements for companies that collect, use, and share data about EU citizens. As of May 25, 2018, all companies handling data of EU citizens must adhere to these new data privacy and security measures, regardless of whether the organization is located within the EU or not. Companies that fail to comply with these new rules could be subject to fines as high as 4% of annual global revenue. Several key definitional changes that impact the digital advertising industry include:
Introducing the GDPR Transparency & Consent Framework
Launched on April 24, 2018, the GDPR Transparency & Consent Framework (Framework) has a simple objective – to help all companies in the digital advertising chain ensure that they comply with the EU’s General Data Protection Regulation when processing personal data or accessing non-personal or personal data on user devices.
The Framework is particularly relevant for “first parties,” publishers and other suppliers of online services, who partner with “third parties” (vendors) to enable those third parties to process user data on one of the legal bases laid down by the Regulation, including both legitimate interests and consent, where applicable. The Framework standardizes the capture of user consent for data processing and “signals” this information across the advertising supply chain. It is open-source and not-for-profit, with consensus-based industry governance led by IAB Europe, significant support from industry parties, and technical support from IAB Tech Lab.
A key piece of the Framework is a unique registry of third-party data controllers, a Global Vendor List, on whose behalf consent may be requested by the first parties that have the direct interface with users.
If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe.
Fines can be high for non-compliance with GDPR: Serious infringements can result in fines of up to €20m, or 4% of your company’s global annual revenue, whichever is higher. Advertising identifiers are now explicitly within the scope of personal data and companies that collect and use these identifiers must demonstrate a valid legal basis for doing so.
New obligations for demonstrating valid consent will require companies to go beyond existing “cookie banners”.