Understanding the GDPR
The General Data Protection Regulation (GDPR) will become enforceable on 25th May, 2018, with a goal of harmonising data protection across the member states of the European Economic Area (EEA), including the 28 member states of the European Union (EU), plus Iceland, Norway, and Lichtenstein. This regulation is replacing the EU Data Protection Directive (Directive 95/46/EC).
The GDPR seeks to inform and empower consumers by providing transparency and control over their personal data. It will affect organisations worldwide that collect and/or process personal data of individuals working, visiting or residing in the EU, regardless of where an organisation is located. The new regulation impacts how companies collect, process, retain, and delete personal data, and creates additional accountability.
We are one of the industry leaders working closely with the Interactive Advertising Bureau Europe (IAB EU) to establish digital marketing best practices and advocating for a consistent consumer experience in accordance with the GDPR. The following key concepts are important to understand:
The GDPR Broadens the Definition of Personal Data
At Conversant and CJ Affiliate, we do not collect or retain any consumer personally identifiable information (PII). This means our data does not directly identify any individuals (i.e. name, email address, or billing information). That said, the GDPR broadens the definition of personal data to include the data that we collect.
The GDPR introduces the term “pseudonymous data”, which is a subset of “personal data”. Pseudonymous data is data that does not directly identify the individual without the use of additional data. This includes data that can be used to understand a consumer’s behaviour (including cookie IDs, device IDs, and other individual identifiers).
The GDPR recommends that companies pseudonymise personal data whenever possible as part of a Privacy by Design approach to ensure that companies are only collecting data that is needed, while still protecting the privacy of consumers.
Collecting and Processing Personal Data Under GDPR
The GDPR allows for six legal bases for processing personal data. The two most relevant bases to the digital marketing industry are “legitimate interest” and “consent”. For the services that we provide, legitimate interest is an acceptable legal basis in which to process personal data.
That being said, there is an additional law that also impacts online data processing: the ePrivacy Directive (Directive 2002/58/EC). Under this law (Article 5, Section 3), individuals must provide consent before a company can read or write any information to or from their devices, such as reading and/or writing cookies.
The ePrivacy Directive references the Data Protection Directive (Directive 95/46/EC) for the definition of consent. On 25th May, 2018, the Data Protection Directive will be replaced by the GDPR. This means the definition of consent under the ePrivacy Directive will reference the definition of consent under GDPR, which requires that consent be “unambiguous”.
The GDPR-defined “unambiguous” consent is required to read or write any information, such as cookies, to or from a consumer’s device. Legitimate interest, however, allows us to process and retain personal data collected via those cookies.
In alignment with this, and in light of these upcoming changes, the IAB EU has created a framework for digital advertising companies to inform each other when unambiguous consent has been granted. This shared knowledge allows all parties involved in a consumer interaction to know when a request for consent is needed, allowing for a more conscientious customer experience (including only requesting consent when one or more parties need it).
Understanding “Unambiguous” Consent
As mentioned above, unambiguous consent will be required in order to read or write information to or from a consumer’s device. Unambiguous consent requires clear and affirmative action be taken by the consumer. The GDPR (Recital 32) states that “silence, pre-ticked boxes or inactivity should not … constitute consent.” Later, the recital states that consent can be given through “conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”
This means, that by taking an action, such as clicking a box or link to accept, or continuing to browse, the consumer is providing consent, as long as it is clearly and prominently disclosed that this consent allows us to drop cookies, process consumer information, and states the intended uses. Companies are required to provide consumers with the option to revoke consent at any time.
Explicit consent, on the other hand, is needed only for sensitive uses of personal data, such as for the processing of sensitive personal data listed in Article 9(1) of the GDPR, including race or ethnicity. An example of explicit consent is a tick box or an “I AGREE” button, where explicit consent is only considered to have been gathered when the individual takes that specific action. Earlier drafts of the GDPR required explicit consent across the board, however, this was changed in the final draft. Now, there are two variations of consent – unambiguous and explicit.
Only unambiguous consent is necessary for the services which we provide.
Data Controllers and Data Processors
Article 4 of the GDPR defines a Data “Controller” as an entity that, solely or jointly with others, determines the purpose and means of processing personal data. A Data “Processor” is an entity which processes personal data purely on behalf of the Data Controller and only according to the Data Controller’s instructions, as described in Article 28.
These definitions determine what data a company can process and the responsibilities the company is assuming to ensure it is providing consumers with appropriate control of their personal data. While there are additional responsibilities that a Data Controller takes on, one key requirement is providing consumers with the ability to request to access and delete their personal data.
We are a Data Controller and we will continue to offer our clients cutting-edge, data-driven solutions that deliver meaningful results.
Our GDPR Commitment
We believe in the data protection principles of the GDPR and are committed to providing more transparency to individuals over how their data is being processed.
Data protection has always been a cornerstone of our business, and we have been working diligently to ensure our compliance with the GDPR. Our future-focussed approach sets our clients up for long-term, data-driven success.
We will provide our clients with free options for gathering unambiguous consent for ourselves, themselves, and any additional vendors. We will consider consent valid for 13 months unless the consumer changes their preferences. We will continue providing GDPR compliant technologies and, as a Data Controller, we accept full responsibility for our compliance with the GDPR.
We urge our clients and partners to review and understand their responsibilities under GDPR, as compliance is a collective responsibility. We will continue to lead industry efforts by providing GDPR best practices and working closely the IAB EU, IAB UK, and other industry leaders. If you have any questions or feedback, please reach out to us through your account team.
Conversant and CJ Affiliate:
1995 Data Protection Directive:
Information Commissioner’s Office (ICO UK Data Protection Authority):
- Overview of the General Data Protection Regulation (GDPR)
- Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now
- Guidance: what to expect and when
- Cookie Guidance: (Background)
Interactive Advertising Bureau (IAB)
- IAB Content Information
- IAB UK GDPR Checklist
- IAB Europe GIG: Working Paper on the Definition of Personal Data
- IAB GDPR Webinar Recording
Direct Marketing Association (DMA)