The EU will soon be implementing GDPR (General Data Protection Regulation), effective May 25, 2018. To prepare for this, we are encouraging all publishers to take the necessary steps to become GDPR-compliant, since this will apply to all EU traffic. Additional details can be found below, and on our blog. We also recommend consulting this IAB website.
What is GDPR?
GDPR stands for General Data Protection Regulation, which was approved by the EU Parliament in April of 2016. It goes into effect on May 25, 2018. The regulation is being launched in an effort to increase data privacy for European citizens, ensuring that they provide consent before their data is tracked by or shared with publishers and any 3rd party vendors associated with those publishers. You can read more about the regulation on their official website here.
How do I become compliant with GDPR?
The following steps must be followed by all publishers with any EU traffic in order to be compliant with this new law:
- Know your role and the role of your business partners
- Understand use of personal data
- Put restrictions on commercial use of personal data
- Get consent from your users
- Share consent with your business partners
- Update your contracts with your business partners
The steps highlighted in bold are the most significant. There are two different roles as defined by this regulation, and determined by how a company interacts with data: processor and controller. Sharethrough is considered a controller in our relationships with publishers, since we typically drop cookies when monetizing with our programmatic demand.
Getting consent from users and communicating that consent to partners is crucial. Each publisher can implement a consent management solution of their own to ensure compliance, whether that be a solution they build themselves, or one from a 3rd party vendor. A list of registered Compliance Management Partners (CMPs) can be found here. For publishers planning to build this in-house, please reference this GDPR Transparency and Consent Framework specification.
What happens if I don't comply with GDPR?
If a user does not consent, then a publisher cannot load tech from any 3rd party vendors that track any sort of data on the page. This includes pixels/trackers, analytics, etc.
The EU has put in place fines that a publisher must pay if they are found not to be complying with GDPR. Those fines can be up to €20M or 4% of global turnover, whichever is greater.
What if I’m not located in the EU?
This legislation applies to any publisher receiving EU traffic, not just publishers based in the EU. You should be fully compliant with this legislation in case you receive any EU traffic.
How does this affect my monetization with Sharethrough?
By May 25, 2018, we ask that publishers only load Sharethrough tech for impressions on which the user has given consent that covers Sharethrough. In the coming months we will require all publisher partners to sign a contract addendum to this effect.
If a publisher has not acquired or communicated a user’s consent and that user has a European IP address, Sharethrough will not be able to monetize that impression. As a result, publishers that do not comply with this regulation will likely see a decrease in revenue.