How DigiTrust Helps Meet GDPR Consent Requirements Guidance 1.0 (July 2017)


DRAFT Discussion Document

European data protection legislation requires organizations to have a lawful basis for processing personal data. Obtaining an individual's consent to the use of their data has always been a lawful basis for processing. However, the General Data Protection Regulation ("GDPR") changes the definition of consent, creating challenges for organizations relying on this basis for processing. Specifically, the GDPR makes it clear that consent must be given by a statement or a clear affirmative action. In addition, the GDPR requires organizations to allow individuals to revoke consent.

Because virtually all unique user data gathered in connection with digital advertising will now be considered personal data under the GDPR, including data collected from cookies, all the companies involved in the ad delivery ecosystem should be evaluating their compliance approach. The penalties for non-compliance are potentially significant: the administrative fines provided for in the GDPR (and in the proposed ePrivacy Regulation) may be up to 4% of total worldwide annual turnover of the preceding financial year or 20 million euros (whichever is higher).

The purpose of this document is to explain how the DigiTrust solution could help brands and third-party advertising platforms work towards compliance with the GDPR's consent requirements. [1]

[1] Although there remains continuing uncertainty over how GDPR will actually be interpreted following its effective date next May, this overview is provided to help publishers and ad tech providers explore practical compliance options. DigiTrust will be updating the overview as feedback is received from interested participants. This overview is not intended as legal advice, and companies should consult their own counsel.

A GDPR Scenario for Multi-Party Data Collection on an Ad-Supported Website

The digital marketing ecosystem includes activities such as personalization of ads and content, retargeting, behavioral targeting, and the use of cookies for analytics, measurement, campaign optimization, frequency capping, etc. These activities are often conducted by third parties, which do not directly interact with consumers.

To examine how such activities could potentially be conducted in a manner consistent with the GDPR's consent requirements, consider the scenario involving a typical consumer who is interested in reading camera reviews, and who visits an ad-supported website called CameraReviews.co.uk. The consumer's visit to this site includes many different HTTP requests, each of which includes personal data:

- Multiple requests to the CameraReviews web server to retrieve content and images, so the consumer can read content and see pictures of each camera.
- A request to the third-party DMP that CameraReviews uses to segment and store proprietary audience data, in this case the fact that the consumer appears interested in a particular camera.
- A request to the third-party ad server that CameraReviews uses to serve advertising to the consumer.
- A request to the SSP that CameraReviews uses to serve advertising to the consumer when the site doesn't display direct-sold ads.
- Multiple requests to DSPs to invite them to bid on the right to show the consumer an ad.
- A request to the third-party ad server used by the advertiser.
- Multiple requests to third parties for the purpose of synchronizing cookie-based IDs.
- A request to the third-party website analytics service that CameraReviews uses to count users and page views.
- Multiple requests to various other third parties for purposes of fraud detection, viewability measurement, etc.

While the consumer has visited CameraReviews simply to look up some content, many third parties are involved in the delivery of the page, which requires access to the consumer's personal information. The consumer must provide consent to CameraReviews' data practices, and if no consent is provided, the consumer's personal data can't be collected or processed. If the consumer gives consent but later withdraws it, CameraReviews needs to delete the data and no longer collect or process any further personal data. Additionally, because only CameraReviews has the direct interaction with the consumer, it will mediate both its own consent to the collection and various uses of personal data consistent with the GDPR and consent for third parties that also collect information on the site.

Now let's assume one pageview by the consumer resulted in 35 companies (other than CameraReviews) gathering information about the consumer. All 35 companies will assign the consumer a different user ID, which is stored within a cookie in the consumer's browser, so they can recognize the consumer again either on the next CameraReviews page or on another website. In addition, all 35 companies may store personal data associated with the consumer's user ID in their data platforms, to process the data in different ways.

The foregoing scenario highlights the following challenges of GDPR compliance for brands like CameraReviews that rely on third parties.

Challenge 1: How can CameraReviews obtain meaningful consent, not just on its own behalf but also on behalf of other companies, and disclose what data each company collects and what the data will be used for?

Challenge 2: How can any of the third parties reliably ascertain that they have consent from the consumer before collecting or processing personal data, or placing a cookie on the consumer's browser?

Challenge 3: How can the consumer exercise control over their personal data when it is fragmented across so many companies and data platforms, and associated with so many user IDs?

Challenge 4: Assuming the consumer gave sufficient consent to either CameraReviews or the third parties it works with, how can the consumer revoke consent under the GDPR?

How DigiTrust Helps Solve the Challenge

DigiTrust provides the industry with a standardized ID (the "DigiTrust ID") to which the consumer's processing permissions may be attached (the "Permissions"). By design, the Permissions associated with the DigiTrust ID can be shared with other parties in the supply chain to pass through a reliable chain of consent to participants. The DigiTrust ID can also record consent for distinct types of processing operations, such as:

- Ad delivery, frequency capping and reporting
- Retargeting: targeting an ad based on one event
- Behavioral profiling: targeting an ad based on a combination of events over time
- Cross-device or intra-device targeting
- -based targeting
- Attribution and campaign optimization

For our CameraReviews visitor, consent issues exist (1) for CameraReviews' data collection as the site operator and, separately, (2) for the 35 third-party providers also seeking to collect information. For CameraReviews' management of Permissions that relate to its own data, it could join DigiTrust (at no cost) and incorporate DigiTrust technology into its consumer notice and consent window, and store the consumer's Permissions as they relate to CameraReviews' own collection and processing of data, including its use of the DigiTrust technology. As the consumer accesses the review for a particular camera, CameraReviews can check its DigiTrust cookie to ensure the consumer has previously consented, before loading the page. If consent has not been given, CameraReviews can first load a window (prior to any content or third-party requests) that provides the consumer with information on the personal data collected and each of the potential distinct processing operations.

CameraReviews could also use DigiTrust to secure and record consent on behalf of the 35 third-party providers also collecting data on the CameraReviews site. Following disclosure of the specific types of processing engaged in by these providers, the site visitor can also provide Permissions that apply to those providers. DigiTrust enables the storage of this consent for all of the 35 providers that utilize its identity solution. Possible language for such a consent approach for the CameraReviews visitor is provided as an Appendix to this overview. If the consumer withdraws consent, CameraReviews can suspend all third-party tags (ad server, analytics, etc.), or continue to run only those tags from companies that are also members of DigiTrust and for which the visitor has already consented to the types of data processing performed by each company.

The DigiTrust solution helps meet the challenges posed by the consent requirements in the GDPR in the following ways:

Challenge 1: While CameraReviews doesn't show a consent window for each of the 35 companies, the DigiTrust solution allows such companies to request and record consent for the specific types of personal data processing operations they engage in.

Challenge 2: Because they use the DigiTrust ID, each member of DigiTrust that interacts with the CameraReviews page can ascertain at run-time what the consumer's Permissions are and then honor those Permissions.

Challenge 3: Previously collected and processed personal data, whether fragmented over 10 or 1000 data platforms, will be associated with one standardized user ID (i.e., the DigiTrust ID).

Challenge 4: If the consumer initially consented to personal data collection and then revokes consent, the new Permissions will be applied just once to the DigiTrust ID.

The DigiTrust ID is already being used by leading brands and third-party platforms because it improves revenues and improves the consumer experience. Top brands are already working together on a timeline for announcing when they will no longer support third-party requests pertaining to ID syncs. This means that industry-wide adoption of the DigiTrust ID is already in motion and building. Using the DigiTrust solution's capabilities to help support GDPR compliance would be a welcome next step.
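The run-time check described in the previous section and the Challenge 2 and Challenge 4 behaviour above, as an added example that is not DigiTrust's own code (the document specifies neither its cookie format nor its API): the cookie name, the JSON record layout, the processing-type names and the tag descriptors are all assumptions. The publisher reads the Permissions attached to the single shared ID before issuing any content or third-party request, loads only tags whose processing types were granted, and applies a withdrawal once to the ID.

```javascript
// Added illustrative model, not DigiTrust's actual cookie format or API (the document
// specifies neither): one standardized ID carries per-processing-type Permissions that
// the publisher and every third-party tag read and honour before doing anything.
const COOKIE_NAME = "dt_consent"; // hypothetical cookie name

// Parse the consent record from a Cookie header. Absent or malformed means "no consent".
function readConsent(cookieHeader) {
  const m = new RegExp("(?:^|;\\s*)" + COOKIE_NAME + "=([^;]*)").exec(cookieHeader || "");
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (typeof rec.id !== "string" || !rec.permissions || typeof rec.permissions !== "object") return null;
    return rec;
  } catch (e) {
    return null; // treat a tampered or truncated record exactly like a missing one
  }
}

// Gate the page load. tags: [{party, member, needs: [processing types]}].
// Nothing runs without the publisher's own "siteOperation" permission; a third-party tag
// runs only if the party is a DigiTrust member (so it can read the shared Permissions)
// and the consumer granted every processing type that tag performs.
function gatePage(cookieHeader, tags) {
  const rec = readConsent(cookieHeader);
  const granted = (type) => !!rec && rec.permissions[type] === true;
  if (!granted("siteOperation")) return { action: "show-consent-window", load: [] };
  const load = tags.filter((t) => t.member && t.needs.every(granted)).map((t) => t.party);
  return { action: "render", load };
}

// Withdrawal is applied once to the single ID; every party re-reading the record on the
// next request sees the revocation instead of 35 separate opt-outs.
function revokeAll(rec) {
  const permissions = {};
  for (const k of Object.keys(rec.permissions)) permissions[k] = false;
  return { id: rec.id, permissions, updated: (rec.updated || 0) + 1 };
}

// Serialise back to a cookie pair (the page adds Secure/SameSite attributes when setting it).
function toCookiePair(rec) {
  return COOKIE_NAME + "=" + encodeURIComponent(JSON.stringify(rec));
}
```

A non-member tag is never loaded here because it cannot verify the shared Permissions itself, which is the "suspend or run only member tags" choice the section describes.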

Appendix: Possible Consent Approach for Publisher Site Deploying DigiTrust

When you visit the CameraReview site, we engage in the following types of processing of your data:

- Type 1 (site operation)
- Type 2 (metrics)
- Type 3 (advertising-related processing)

By clicking "I accept", you signify your consent to the above listed types of processing of your data by CameraReview, and its use of cookies [explanatory link] and the DigiTrustId ID [explanatory link].

CameraReview also works with the following Advertising Companies [explanatory link listing all 35 companies], who engage in some or all of the following types of processing of your data:

- Type 1 (site operation, e.g.) [explanatory links might be provided for each type]
- Type 2 (metrics, e.g.)
- Type 3 (advertising-related processing, e.g.)

By clicking "I accept", you also signify your consent to the above listed types of processing of your data by the Advertising Companies, and their use of cookies [explanatory link] and the DigiTrustId ID [explanatory link].

[I ACCEPT] [I DO NOT ACCEPT]