On 25 May 2018, the EU General Data Protection Regulation (“GDPR”) comes into force, replacing the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
The regulation could have a profound impact on the programmatic advertising industry. We covered those bases in a previous blog post. Pixalate is GDPR compliant. To see what that means for our business and our partners, check out this post.
Below is a brief Q&A with Jay Seirmarco, Pixalate's SVP of Operations and Legal Affairs, about the GDPR and what it means for programmatic advertisers from an ad fraud and security perspective.
A brief introduction to Jay Seirmarco, Pixalate's SVP of Operations and Legal Affairs
Seirmarco joined Pixalate from Cox Automotive, where he oversaw the legal team responsible for data strategy and intellectual property. Seirmarco joined Cox via its 2014 acquisition of Xtime, a SaaS company focused on customer retention in the automotive industry. Prior to Xtime, Jay served in operational and legal roles for Turn, Shopkick, SugarCRM, VA Linux (a.k.a. Geeknet) and IBM.
Seirmarco's background in computer science and legal affairs gives him a unique perspective on the GDPR as it relates to data security, data privacy, ad fraud, and the programmatic industry as a whole.
Q: Based on what you’ve heard and read from people in the digital ad industry, where do you think the industry as a whole stands in its understanding of GDPR?
Seirmarco: Regarding what people need to know more about, it’s important to remember that it’s called the General Data Protection Regulation. While one must remain cognizant of applicable consent and “legitimate purpose” obligations, one must also be mindful of the concepts of Data Protection by Design (i.e., information security as an integral part of the development process) and Data Protection by Default (i.e., start from the strictest privacy settings, and only process and retain personal data as reasonably required for the identified purpose).
In addition, controllers and processors are required to “implement appropriate technical and organisational measures to ensure a level of [information] security appropriate to the risk…” So, it’s important to take meaningful steps to be good stewards of personal information, including identifying and documenting information security deficiencies, and establishing and following through on remediation plans to “harden” information security environments.
Q: What do ad tech companies need to know about ad fraud, and invalid traffic (IVT), as it relates to the GDPR?
Seirmarco: Companies need to have a basis for processing personal data of European Union data subjects under the GDPR. Pixalate, for example, uses legitimate interest; more specifically, Pixalate’s GDPR compliance is grounded in Recital 47, which states expressly that preventing fraud constitutes a legitimate interest.
The vast majority of the ad tech ecosystem will rely on the consent framework. The tie-in to ad fraud and IVT may seem less obvious in this scenario, but ad tech companies relying on the consent framework stand to benefit in terms of GDPR compliance by taking an active stance against ad fraud and IVT.
When an EU data subject consents to share their data, it is not reasonable for them to expect that their information would be used by a third party in connection with IVT. By filtering out IVT, a data controller or processor is reducing the likelihood that EU data subjects’ data would in any way be associated with IVT or fraudulent activity, thus strengthening their end of the agreement they enter with the individual data subjects and buttressing their GDPR compliance.
Additionally, if a company has an apathetic approach to ad fraud and IVT, it could undermine the users’ willingness to consent. Consent is already hard enough, and there is palpable anxiety in the digital advertising industry as it relates to obtaining consent. If a company can show that they are a good steward of pseudonymised information, and that they are not a purveyor of IVT but rather actively working to reduce IVT, then it can increase the odds that said company will obtain consent.
Q: In your opinion, is the programmatic advertising industry sufficiently prepared from a data security perspective?
Seirmarco: It appears that appointment of data protection officers (“DPOs”) may not be getting as much mindshare as would be optimal. This may be especially true in the realm of digital advertising because advertisers and processors must appoint a DPO if their core activities require “regular and systematic monitoring” of EU data subjects, or if they’re processing “special categories” of personal information on a large scale.
Be sure to keep in mind that US-based companies without an EU affiliate may need to appoint an EU-based representative (or a European DPO), who will be the contact person for the EU authorities. Additionally, for certain European countries (e.g., the United Kingdom), your company may also have an obligation to register with the applicable data protection authority (DPA): https://www.dlapiperdataprotection.com/index.html?c=GB&c2=&t=registration
On a related topic, selection of DPOs may require additional thought. For businesses located outside of the EU, one should perhaps consider balancing the benefits of having an EU-based DPO (e.g., time zone, language) against the possible benefits of a DPO that might attain a deeper understanding of the business—and the GDPR’s precise applicability—because of consistent presence at the business.
Q: What unintended consequences, if any, could arise from the implementation of the GDPR?
Seirmarco: There is a possibility that the GDPR may harm trusted European publishers’ businesses if their revenue derived from digital advertising were to decline. In an age where marquee news organizations are struggling financially, even modest additional revenue declines could further undermine the fourth estate.
Q: Some companies plan to cease operation in the EU altogether rather than figure out how to best comply with the GDPR.
Seirmarco: I would urge any company looking to make significant, GDPR-based decisions to, at a minimum, do the following:
- Engage an attorney who is living and breathing the GDPR, many of whom kindly publish helpful Twitter feeds. Here’s one of my favorites: https://twitter.com/munmax
- Read the actual text of the GDPR. It’s available at the following link, and really isn’t that challenging of a read:
Q: Do you think the United States will adopt a similar policy in the coming years? The topic of data privacy reached U.S. policymakers in 2018 with the Cambridge Analytica scandal. Will it snowball from there?
Seirmarco: Perhaps at the state level in the U.S., but, given where things have headed at the federal level with environmental protections, consumer financial safeguards, etc., it would be a bit surprising to see similar policies adopted any time soon.
That said, Australia, Canada, China, and other countries outside of the EU, have taken significant steps at the national level in the areas of information security and privacy, so the U.S. may actually be a near-term outlier.