EU General Data Protection Regulation (GDPR): What Does it all Mean?

Airpush May 7 Article

The General Data Protection Regulation (GDPR) will become effective as of May 25th, 2018. The new legislation aims to protect personal data for all citizens of the European Union by regulating how organizations obtain, use and store personal data of EU residents, among other protections. In covering 28 countries and more than half a billion people, the GDPR has far-reaching effects for both citizens and the organizations that handle their personal information.

What does this mean exactly?

The core principles focus on giving consumers complete control over their own data, and over how it’s collected, handled and used.

  1. Consumers own their data, not organizations. Through the GDPR, EU citizens have full control over their data, and final say in how it will be used — at all times. As a result, consumer consent is required for all personally identifiable information (PII) collection, sharing and usage. The regulation has also introduced the concept of “data rights,” where individuals have the right to see, edit, and delete all data a third party has collected on them.
  2. Companies are required to protect the data they collect. The GDPR regulation introduces strict guidelines on how companies handle PII. Among other things, all organizations collecting PII must limit what they collect overall, add better security protocols, employ Data Protection Officers, and have data breach protocols that outline consumer notification plans.

Who does this affect?

All 510M citizens of the EU are protected by the GDPR. As such, all companies with an EU presence or who process personal data of EU citizens are also regulated by the GDPR. More specifically, the GDPR applies to any entity that: 1) offers goods or services to EU residents, 2) monitors the behavior of individuals in the EU, or 3) operates “in the context of” EU business operations.

This includes any advertiser, ad tech provider and other organizations that operate within the same capacity, including publishers, exchanges and DMPs. While advertising is clearly a focus of the GDPR, it also aims to limit any organization that uses data without the user’s consent to make personalized decisions.

This has far-reaching implications for a wide variety of companies. For example, imagine being charged a higher insurance premium because an insurer has used your IP address to note your zip code, and thus the household income in your area. To the GDPR, such “behind the scenes” profiling could foster discrimination and infringe on people’s legal rights.

The GDPR targets three primary actions:

  1. Building profiles on consumers using personal data without the person knowing, or without having consent to do so
  2. Using said data in automated decision making
  3. The unsafe storage and distribution of PII

What’s included in “Personally Identifiable Information (PII)”?

A wide variety of data is considered PII, extending beyond basic information such as name, SSN, IP address, geo-coordinates, cookie IDs and mobile identifiers. It also includes “pseudonymised” data if it can be linked to an individual. This means even hashed email addresses are considered PII if they can be used to target the user.

Specifically, “personal data” refers to data on a person who can be identified — directly or indirectly — by referencing an identifier such as name, an ID number, location, or an online identifier, among other things. The broad scope of this definition also includes device IDs and advertising IDs.

What are the “Data Rights” included in GDPR?

Under the GDPR, all companies need to enable EU citizens to exercise the following rights:

  • Right to informed consent: Users must be clearly informed of what data is collected, why it’s needed, and how it will be used
  • Right to be forgotten: Users can request the data be deleted
  • Right to object: Users can prohibit certain data uses (i.e., opt-out)
  • Right to rectification: Users can request that any data be changed
  • Right to portability: Users can request that the personal data be transferred
  • Right to access: Users can access all collected data

How can PII still be used?

It’s important to note that the GDPR doesn’t stipulate that using PII is illegal; it just requires companies to get explicit permission to do so. Gaining such consent is regulated, however, and includes specific guidelines on what you tell the user and how you ask for it.

Users must be told how you’re using their data, and why. That explanation should include the following:

  • What: Explain what type of data will be collected/shared. It must be specific to distinct purposes and not vague
  • With whom: Detail the specific vendors/companies with whom you’re sharing data
  • Why: Why you’re collecting and/or sharing the users’ data
  • Retention period: How long the users’ data will be saved for
  • Specificity: All of the above have to be explicit and clear; stating “for marketing purposes” or “future research” doesn’t suffice
  • Changes: You’re required to gain new consent if you add a new vendor or want to collect different information

In addition, there are strict rules on how you can legally ask for consent from users, which include the following:

  • Opt-in: Silence, pre-ticked boxes, or inactivity aren’t enough. It has to be an opt-in checkbox/button the user clicks
  • Can’t hide the description: The explanation of what and how data will be used can’t be hidden in an expanded box, a link, or a lengthy privacy policy. It has to be clear to the user why the opt-in button is there
  • Can’t penalize users: You can’t deny services/content to someone who refuses to give consent
  • Can’t force a “yes”: You can’t require a data-sharing “yes” to finish a registration process; it has to be optional without a penalty
  • Have to honor: If you’d still process the data regardless, asking for consent is misleading

Airpush and the GDPR

As a mobile advertising solutions provider, Airpush takes the GDPR very seriously and we’ve been hard at work making our network fully compliant with all regulations. In the coming weeks, we’ll be publishing more resources for both advertisers and publishers to help them fully understand the implications of GDPR and the usage of Airpush. We strive to ensure Airpush remains a transparent and compliant network with a focus on user privacy and experience.

For further reading on GDPR, read the full legislation text, or view a detailed overview here.
