What You Need to Know About Sovrn’s EU Reader Data Controls
On May 25, 2018 the General Data Protection Regulation (GDPR) will go into effect. The law requires entities known as “data controllers” to designate whether they have legal right to continue collecting and processing reader data in the European Union (EU). As a publisher, you are considered a data controller. To that end, Sovrn is giving publishers two different options for how EU reader data can be handled. We are fully committed to partnering with you, our valued publisher, to help navigate this shift in the way that works best for you and your business. You will be required to make a selection in your //Meridian account by May 24th, 2018. This post explains the two options provided and how the GDPR relates to you with regards to programmatic advertising. This is not legal advice and there is no substitute for having a lawyer review your unique situation. All publishers need to be aware of their obligations regarding the data privacy of EU residents under the GDPR and that it does not just cover programmatic advertising. Before we proceed, a warning: due to the complex nature of the GDPR legislation, some legal language appears below verbatim. While we’ve tried to provide digestible summary, some legalese is necessary to keep you informed.
What is Personal Data?
The GDPR creates a broader definition of “personal data” than you may be familiar with. Many think of personally identifiable information (PII) as names, addresses or social security numbers. But under the GDPR and the accompanying ePrivacy regulation, cookie IDs and IP addresses are also considered PII. These data are the bridge that connect digital content publishers to the GDPR. When publishers send ad requests to Sovrn, a few pieces of data accompany the request including cookie IDs created by Sovrn and its affiliates. These IDs provide programmatic advertisers the ability to target groups of readers based on common attributes. Under the GDPR, PII like cookie IDs will be restricted from programmatic ad transactions unless the data controller meets one of six criteria to continue legally processing personal data. These are: consent, contract, legal obligation, vital interests, public task, legitimate interest. You can read more about each of these here, but as a publisher the most relevant are legitimate interest and consent of the reader.
What does “Legitimate Interest” mean?
Because the GDPR is not yet fully clarified in some respects, many interpretations exist for legitimate interest as it pertains to programmatic advertising. The text of the legitimate interest clause states a data controller can continue processing PII of EU readers if: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Many publishers and exchanges believe that data processing for programmatic advertising serves a legitimate interest under the GDPR because it is necessary to make content available to readers. The truth is, no one can say for certain how legitimate interest will apply to programmatic advertising until rule-makers or courts provide a specific clarification of what constitutes legitimate interest for publishers. We urge publishers to work with a legal professional to understand whether they have legitimate interest and the risks associated with the approach of declaring as much. Also note that you still need to comply with the Directive 2009/136/EC. We suggest that you utilize the free EU cookie consent kit to comply if you don’t already have something in place.
What does “Consent” mean?
The GDPR considers consent to be valid if a data subject provides a: “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal data relating to him or her;” Clear as mud? Don’t panic! The important factors to consider when evaluating whether you have consent from your EU readers are “what are you getting consent for?”, “is it communicated clearly?” and “how is consent obtained from EU readers being communicated to other parties?” Various opinions and standards have surfaced pertaining to consent. Sovrn, along with many industry participants, has chosen to adopt the IAB Europe’s GDPR Transparency & Consent Framework as the standard for communicating consent between parties in the programmatic advertising chain. Sovrn is also building a Consent Management Platform (CMP) utilizing the IAB Framework to assist publishers in requesting consent from EU readers. Regardless of your ultimate stance on legitimate interest or consent, you will need to make a selection in //Meridian to signify your preference for Sovrn’s handling of your EU reader data.
Sovrn’s GDPR Reader Controls For Publishers
Option 1: “Publisher has established a lawful basis for Sovrn and its affiliates to collect and process EU reader data.”
This option is for publishers who have taken steps to confirm that they have met one of the six lawful bases to continue processing EU personal data. Under this option, the publisher is signalling that ad requests generated by EU readers will only be sent to Sovrn when deemed appropriate. Sovrn and its affiliates can collect and process personal data. Many exchanges provide this as the sole option for publishers. Those publishers taking steps to ensure compliance with other exchanges’ policies may select this option with Sovrn.
Option 2: “Sovrn should limit collection and processing of EU reader data to only readers providing consent.”
This option is for publishers who cannot establish a lawful basis for processing EU reader data. Under this option, Sovrn will not process reader data for EU readers. This means no cookie ID or IP address will be delivered to Sovrn’s advertisers when an ad request is generated by an EU reader. As this data is integral in the process of programmatic ad targeting, it should be expected that yield will decrease for EU-based traffic. If selecting Option 2, Sovrn strongly recommends publishers implement a CMP to collect and pass reader consent signals to Sovrn. When an EU reader has provided consent to allow data processing, all standard data signals will be processed by Sovrn and sent to advertisers, thereby restoring yield to expected levels. Be on the lookout for updates on when Sovrn’s CMP will be available to publishers. We highly recommend publishers selecting this option inspect their agreements with their other demand sources. Many exchanges will require the publisher only provide them with an ad request when the publisher can guarantee GDPR compliance. These exchanges may offer higher yield as a result of this requirement, but additional burden is placed on the publisher to verify compliance. The only exception Sovrn will make to dataless processing is in the interest of anti-fraud detection. The GDPR provides for this exception under Legitimate Interest. Still Confused? Let’s break it down. In the diagram below, ‘standard’ represents a regular ad call and ‘dataless’ represents an ad request with the cookie removed and IP shortened.
- When will the //Meridian Control start working? Publisher’s will be asked to select their configuration by May 24th, 2018. We will turn on the functionality beginning May 22nd with a full release by May 25th to ensure a successful release by GDPR’s effective date.
- What happens if I don’t make a selection by May 24th, 2018? If you don’t submit a selection, we will default you to the standard configuration which means you have a lawful basis to process EU reader data.
- Can I change my configuration? Of course! You can change your configuration at any time by simply going to “My Account” within //Meridian. However, note it’s not recommended that you switch between options as you shouldn’t be changing your legal basis for processing frequently.