This post was most recently updated on July 11th, 2019
The General Data Protection Regulation (GDPR) is designed to standardize the law protecting data privacy rights of individuals within the European Union.
It imposes strict guidelines on how data should be controlled and processed. It gives control to EU residents by requiring organizations to unambiguously solicit user permission to allow or disallow collection of personal data.
GDPR was approved and adopted by the EU Parliament in April 2016 and will be in force by May 25, 2018.
If you are an organization that offers goods or services to EU users, or processes and holds their personal data, GDPR applies to you whether you are based in the EU or not. This means that if you are a publisher and you are getting EU traffic, you are affected by this regulation.
Breaching GDPR could seriously hurt your bank account. An organization can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). It takes only one user report to put you on the radar.
In general, as a publisher, you are considered a “Data Controller” since you make the decisions, set the do’s and don’ts, and decide what can and cannot be done with the personal data collected. You are responsible for the information of those who visit your site.
Step 1: Look at the contract, the document you use when doing business with agencies or advertisers.
If they receive data from you (e.g., DMP or DSP) and perceive themselves as a “Data Processor” (i.e., an agency or another body which processes personal data on behalf of the controller), you, as the Data Controller, must make sure that they follow your instructions.
They should do only what they are supposed to do with the data you provide them. Should they decide to share that information further, you as a publisher must have explicit knowledge of who the other parties are and why.
In short, the contract should contain a GDPR provision. Otherwise, take it as a sign of a need for further conversation.
Step 2: Check where you are against the clock. Between now and the 25th of May, you cannot expect your partners to be compliant as the rules do not apply yet.
Give them some time to adapt. But by May 25th, if they still don’t comply or haven’t even started thinking about GDPR, it’s a clear indication that they are lagging behind.
This type of supplier is risky.
Step 3: Respect data subjects. An EU reader has rights to say no to the collection of their personal information. Allow them to opt-in and give consent for you to use their data.
You have to inform them that they can withdraw consent at any time. Discuss with your developers a strategy ahead of time on how to ensure compliance.
Step 4: Have an adequate consent approach. This is something you need to obtain from EU readers. Bulletproof consent means presenting a cookie consent banner that draws the user’s attention to the fact that you are about to place or read cookies for xx purposes.
Design your cookies so that they are only activated once consent is obtained and not at the same time the consent banner pops up.
The consent banner should unambiguously explain how you process user data. Companies will no longer be able to utilize long illegible terms and conditions full of legalese. It must be given in an intelligible and easily accessible form.
Step 5: Maintain records of the consents collected.
Step 6: Document all steps to manage data collection, use, storage and sharing of data.
Step 7: Do regular audits to ensure compliance.
Step 8: Understand what data you collect and who you allow collecting data.
Step 10: Check the percentage of EU traffic you are getting and anticipate revenue impact by May 25th. Users that did not opt-in will get less targeted programmatic ads since no cookie matching will happen.
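One way to implement the gating described in Steps 3 to 5, as an added example that is not code from the original post or from any product it mentions: tags that set or read cookies are held until the visitor is geolocated and, for EU/EEA visitors, until they opt in, and every choice is logged. All names (`createConsentGate`, `PURPOSES`, `setGeo` and the rest) are hypothetical.

```javascript
// Added example: consent gate for tags that set or read cookies.
// All names (createConsentGate, PURPOSES, setGeo, ...) are hypothetical.
const PURPOSES = ['analytics', 'advertising'];

function createConsentGate({ now = () => new Date().toISOString() } = {}) {
  let inEEA = null;          // null = visitor not geolocated yet: load nothing
  const granted = new Set(); // purposes the visitor has opted in to
  const tags = [];           // registered loaders: { purpose, load, loaded }
  const log = [];            // append-only consent records (Step 5)

  // Outside the EU/EEA no banner is shown; inside it, opt-in is required.
  const isAllowed = (purpose) =>
    inEEA !== null && (inEEA === false || granted.has(purpose));

  function flush() {
    for (const tag of tags) {
      if (!tag.loaded && isAllowed(tag.purpose)) {
        tag.loaded = true;
        tag.load();          // e.g. inject the vendor <script> element here
      }
    }
  }

  function recordChoice(choices, bannerVersion) {
    granted.clear();
    const stored = {};
    for (const p of PURPOSES) {
      stored[p] = choices[p] === true;   // anything but explicit true is "no"
      if (stored[p]) granted.add(p);
    }
    log.push({ at: now(), bannerVersion, choices: stored });
    flush();
  }

  return {
    isAllowed,
    recordChoice,
    register(purpose, load) {
      if (!PURPOSES.includes(purpose)) throw new Error('unknown purpose: ' + purpose);
      tags.push({ purpose, load, loaded: false });
      flush();
    },
    // Fail closed: an unknown location is treated as EU/EEA (consent needed).
    setGeo(visitorInEEA) { inEEA = visitorInEEA !== false; flush(); },
    // Showing the banner must not load anything; only recordChoice() does.
    needsBanner() { return inEEA === true && log.length === 0; },
    // Withdrawal stops future loads; tags already running need a page reload.
    withdraw(bannerVersion) { recordChoice({}, bannerVersion); },
    records() { return log.map((r) => ({ ...r, choices: { ...r.choices } })); },
  };
}
```

Call `register()` for every ad or analytics tag instead of placing its script directly in the page, so nothing can run before the gate allows it.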
Here at MonetizeMore, we treat GDPR and ePrivacy with utmost importance and make sure every publisher partner is ahead of the game.
To ensure our publisher partners are GDPR compliant, we rolled out a technology that requires minor customization, and it takes care of the rest: PubGuru DataGuard.
PubGuru DataGuard checks if a site visitor is located in the EU and then triggers the consent popup. Users who are not in the EU/EEA countries will not get any consent popup.
Ad codes will not load until the user is geolocated. It is much more aggressive than the existing disclosures.
Learn more about PubGuru DataGuard here: https://www.monetizemore.com/blog/frequently-asked-questions-gdpr-and-eprivacy-directive/
Or contact us for a free consultation to find out how MonetizeMore helps worldwide publishers increase ad revenues.