The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It replaces the 1995 Data Protection Directive and harmonizes pre-existing disparate data privacy laws across EU member states, including the UK.
At YOptima, our view is that consistency and certainty around data privacy and data protection are a win-win for all stakeholders – businesses, consumers, and tech and solution providers. We have always believed that responsible and transparent collection and use of personal data, combined with mechanisms that give end users control over their personal data, are of utmost importance and an issue that every company and organization in the online advertising ecosystem must take seriously.
GDPR protects the privacy of EU citizens and applies to all companies collecting or processing personal data on individuals in the European Union, even if not established in the European Union. GDPR applies to any information concerning an identified or identifiable natural person, and this includes technical identifiers such as Cookie IDs and Mobile Advertising IDs. As a digital marketing solutions provider that doesn’t have a direct relationship with consumers, we operate as a Data Processor, processing data on behalf of our Clients (the data controllers of the data) based on their instructions, and it is the responsibility of the data controller to establish an appropriate legal basis for the processing of the data. YOptima is already in compliance with key elements of GDPR and is well-positioned to implement any additional requirements.
The GDPR provides six bases for data collection and data processing in Europe:
1. The vital interest of the individual
2. The public interest
4. Compliance with legal obligations
5. Unambiguous consent of the individual
6. Legitimate interest of the data controller
For businesses in the marketing or digital marketing industry, or those that collect data (Data Controllers) for the purposes of marketing, the two bases that could be applicable are: (1) unambiguous consent of the individual and (2) legitimate interest of the data controller. Explicit consent means the user must opt in. As per GDPR, this applies to sensitive personal data such as race, religion, sexual orientation, political affiliation, and health status.
Importantly, online identifiers (e.g. cookies) have been categorized as non-sensitive personal data; therefore, an explicit opt-in is not required. Our view at YOptima is that unambiguous consent is the most applicable basis for our clients and partners (Data Controllers) who collect personal data including technical identifiers. When working with YOptima, our clients and partners need only access to pseudonymous data, namely Cookie IDs and Mobile Advertising IDs, that does not allow direct identification of users.
Under GDPR, a controller determines why and how data is processed, while processors do the actual processing on the controller’s behalf. Advertisers and Publishers are typically considered controllers, whereas third-party entities like ad-tech/mar-tech providers are typically considered processors. While our clients and partners, as Data Controllers, are responsible for providing comprehensive information to their users, we understand and deliver on our shared responsibility to comply with GDPR as a Data Processor.
As a programmatic solution provider, YOptima receives and uses certain types of data that we collectively call “Platform Data”. Platform Data includes data generated through the Platform as well as data clients receive from other sources and then use via our Platform. We only process personal data on instructions from the controller, and inform the controller if the said instructions infringe on the GDPR. As a data processor, we do not opportunistically use or mine personal data for purposes not outlined by the data controller.
The Platform Data may include information about browsers and devices of users, such as:
Our clients also have the ability to send additional data appended to a segment pixel through query strings if they want to do so. Typically, data sent through a query string consists of client-specific unique identifiers for devices and browsers, order ID, order value, etc.
Consumers may opt out of certain types of data being processed, e.g., by blocking cookies or downloading an opt-out cookie on their browser, disabling ad tracking or location services on their device, etc.
Note we do not allow data that by itself identifies an individual “in the real world,” such as name, address, phone number, email address, or government identifier, and we contractually prohibit our clients from sending to us or using such data in connection with their use of our solution. YOptima does not under any circumstances allow data that directly identifies an individual in this way to be collected through.
YOptima assigns a unique identifier (e.g., uuid1234) to every device or browser that passes through the Platform. While YOptima cannot identify which individual (or individuals) are using the device or browser in the real world, this unique identifier, combined with the other information we process on behalf of our clients (e.g., cookie IDs, mobile device IDs, IP addresses with full 4 octets, latitude and longitude coordinates with greater than 3 decimal places of precision), is now defined as “personal data”.
This type of personal data that we collect, matched against unique identifiers, is referred to in the GDPR as “pseudonymized data”. The GDPR explicitly recognizes “pseudonymization” as good practice in protecting the interests of individuals.
Lastly, while we collect/receive segment data from our clients and third parties for our clients to use on our Platform, we do not create segments or decide/assign segments to users of our own accord. While we use impression level data that may be tied back to a pseudonymous identifier to optimize the purchase and sale of advertising inventory, we do not optimize at a specific user level (in other words, we do not optimize to a cookie ID, advertising ID, or IP address).