Publisher Controls - Sovrn, Inc.

What You Need to Know About Sovrn’s EU Reader Data Controls

On May 25, 2018 the General Data Protection Regulation (GDPR) will go into effect. The law requires entities known as “data controllers” to designate whether they have legal right to continue collecting and processing reader data in the European Union (EU). As a publisher, you are considered a data controller. To that end, Sovrn is giving publishers two different options for how EU reader data can be handled. We are fully committed to partnering with you, our valued publisher, to help navigate this shift in the way that works best for you and your business. You will be required to make a selection in your //Meridian account by May 24th, 2018. This post explains the two options provided and how the GDPR relates to you with regards to programmatic advertising. This is not legal advice and there is no substitute for having a lawyer review your unique situation. All publishers need to be aware of their obligations regarding the data privacy of EU residents under the GDPR and that it does not just cover programmatic advertising. Before we proceed, a warning: due to the complex nature of the GDPR legislation, some legal language appears below verbatim. While we’ve tried to provide digestible summary, some legalese is necessary to keep you informed.

What is Personal Data?

The GDPR creates a broader definition of “personal data” than you may be familiar with. Many think of personally identifiable information (PII) as names, addresses or social security numbers. But under the GDPR and the accompanying ePrivacy regulation, cookie IDs and IP addresses are also considered PII. These data are the bridge that connect digital content publishers to the GDPR. When publishers send ad requests to Sovrn, a few pieces of data accompany the request including cookie IDs created by Sovrn and its affiliates. These IDs provide programmatic advertisers the ability to target groups of readers based on common attributes. Under the GDPR, PII like cookie IDs will be restricted from programmatic ad transactions unless the data controller meets one of six criteria to continue legally processing personal data. These are: consent, contract, legal obligation, vital interests, public task, legitimate interest. You can read more about each of these here, but as a publisher the most relevant are legitimate interest and consent of the reader.

What does “Legitimate Interest” mean?

Because the GDPR is not yet fully clarified in some respects, many interpretations exist for legitimate interest as it pertains to programmatic advertising. The text of the legitimate interest clause states a data controller can continue processing PII of EU readers if: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Many publishers and exchanges believe that data processing for programmatic advertising serves a legitimate interest under the GDPR because it is necessary to make content available to readers. The truth is, no one can say for certain how legitimate interest will apply to programmatic advertising until rule-makers or courts provide a specific clarification of what constitutes legitimate interest for publishers. We urge publishers to work with a legal professional to understand whether they have legitimate interest and the risks associated with the approach of declaring as much. Also note that you still need to comply with the Directive 2009/136/EC. We suggest that you utilize the free EU cookie consent kit to comply if you don’t already have something in place.

What does “Consent” mean?

The GDPR considers consent to be valid if a data subject provides a: “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal data relating to him or her;” Clear as mud? Don’t panic! The important factors to consider when evaluating whether you have consent from your EU readers are “what are you getting consent for?”, “is it communicated clearly?” and “how is consent obtained from EU readers being communicated to other parties?” Various opinions and standards have surfaced pertaining to consent. Sovrn, along with many industry participants, has chosen to adopt the IAB Europe’s GDPR Transparency & Consent Framework as the standard for communicating consent between parties in the programmatic advertising chain. Sovrn is also building a Consent Management Platform (CMP) utilizing the IAB Framework to assist publishers in requesting consent from EU readers. Regardless of your ultimate stance on legitimate interest or consent, you will need to make a selection in //Meridian to signify your preference for Sovrn’s handling of your EU reader data.

Sovrn’s GDPR Reader Controls For Publishers

Within your //Meridian Account Settings you will have two options: Let’s break down what your two options mean.

Option 1: “Publisher has established a lawful basis for Sovrn and its affiliates to collect and process EU reader data.”

This option is for publishers who have taken steps to confirm that they have met one of the six lawful bases to continue processing EU personal data. Under this option, the publisher is signalling that ad requests generated by EU readers will only be sent to Sovrn when deemed appropriate. Sovrn and its affiliates can collect and process personal data. Many exchanges provide this as the sole option for publishers. Those publishers taking steps to ensure compliance with other exchanges’ policies may select this option with Sovrn.

Option 2: “Sovrn should limit collection and processing of EU reader data to only readers providing consent.”

This option is for publishers who cannot establish a lawful basis for processing EU reader data. Under this option, Sovrn will not process reader data for EU readers. This means no cookie ID or IP address will be delivered to Sovrn’s advertisers when an ad request is generated by an EU reader. As this data is integral in the process of programmatic ad targeting, it should be expected that yield will decrease for EU-based traffic. If selecting Option 2, Sovrn strongly recommends publishers implement a CMP to collect and pass reader consent signals to Sovrn. When an EU reader has provided consent to allow data processing, all standard data signals will be processed by Sovrn and sent to advertisers, thereby restoring yield to expected levels. Be on the lookout for updates on when Sovrn’s CMP will be available to publishers. We highly recommend publishers selecting this option inspect their agreements with their other demand sources. Many exchanges will require the publisher only provide them with an ad request when the publisher can guarantee GDPR compliance. These exchanges may offer higher yield as a result of this requirement, but additional burden is placed on the publisher to verify compliance. The only exception Sovrn will make to dataless processing is in the interest of anti-fraud detection. The GDPR provides for this exception under Legitimate Interest. Still Confused? Let’s break it down. In the diagram below, ‘standard’ represents a regular ad call and ‘dataless’ represents an ad request with the cookie removed and IP shortened.

FAQs:

When will the //Meridian Control start working? Publisher’s will be asked to select their configuration by May 24th, 2018. We will turn on the functionality beginning May 22nd with a full release by May 25th to ensure a successful release by GDPR’s effective date.
What happens if I don’t make a selection by May 24th, 2018? If you don’t submit a selection, we will default you to the standard configuration which means you have a lawful basis to process EU reader data.
Can I change my configuration? Of course! You can change your configuration at any time by simply going to “My Account” within //Meridian. However, note it’s not recommended that you switch between options as you shouldn’t be changing your legal basis for processing frequently.

More GDPR

There is more to GDPR than just lawful bases for data processing. Many publishers will need to re-examine their privacy policies and other third party tools that they use on their sites. Sovrn updated it’s privacy policy recently too in order to address specific requirements of GDPR. Please familiarize yourself with this new policy and make sure your own is in order. For more detailed information, check out these links:

The full text of the regulation is available here.
The European Commission Data Protection Rules here.
A short but sweet GDPR FAQ here.
A comprehensive guide here.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
csrftoken	1 year	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
_auth	1 year	This cookie is set by Pinterest that collects statistical details to track the use of its services.
_pinterest_referrer	past	This cookie is set by Pinterest to track the use of its services.
_pinterest_sess	1 year	This cookie is set by Pinterest that collects statistical details to track the use of its services.
_routing_id	session	This cookie is set by Pinterest that collects statistical details to track the use of its services.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
language	session	This cookie is used to store the language preference of the user.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_52355958_2	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_mkto_datetime	1 month	This cookie is set by Marketo.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.