A Publisher’s Guide to GDPR Compliance
The General Data Protection Regulation (GDPR) has arrived. For online publishers, there is no margin for error anymore. Their use of third party services, namely Ad Tech and MarTech stacks, has grown exponentially due to the monetary and performance benefits they bring. However, they can prove to be a double-edged sword if implemented incorrectly.
Online publishers often handle their Tech Stacks like Lego bricks. But this casual approach can prove risky, since these third party scripts are not part of their website, leaving publishers with little to no visibility into their code and little control over their deployment. As a result, they can massively impact the complex landscape of performance, online data usage, and compliance.
This eBook will cover the various aspects of user privacy, unlock five methods to audit your third party services, and make sure they’re not hampering your GDPR compliance.
What is General Data Protection Regulation (GDPR)?
The GDPR is being discussed in all industry circles today due to the vast magnitude of its impact and legal implications it carries with it, putting enormous pressure on decision makers. To put everything in order, here’s a quick recap of how these user privacy regulations came into existence.
Following intensifying reports of data breaches, the European Union (EU) Parliament started discussing how to improve privacy standards on the internet. Since most of the breaches were caused by improper management or insecure processing and storage of PII (Personally Identifiable Information) data, a need for a new set of regulations was felt.
The GDPR applies to all companies that collect or process Personally Identifiable Information (PII) data of European Union (EU) based citizens, regardless of the sector they belong to. This basically means that the majority of websites today have to comply with the requirements of the GDPR, making it the first global privacy protection law.
In a nutshell, the GDPR requires online publishers, ecommerce websites, and all web entities to perform the following actions while interacting with EU based citizens:
◦ Collect and process personal data as defined in the GDPR guidelines.
◦ Prove clear and affirmative consent to process PII data.
◦ Appoint a Data Protection Officer (DPO) to monitor activities.
◦ Give the client/user an option to be “forgotten” if they choose to.
As per the GDPR, online publishers will also be required to perform mandatory Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs). This is a systematic process which has been created for publishers (data controllers) to assess privacy risks created by the collection and processing of sensitive PII data.
The legal consequences of not complying with the GDPR have also been clearly defined, leaving little to the imagination. Companies in violation of the GDPR may be fined between 2% and 4% of their annual global turnover or up to €20 million, whichever is higher. Frequent GDPR violations can raise the level of legal penalties to the €40 million range.
GDPR and Online Publishers
The GDPR will have a tremendous impact on all online business models, but digital publishers will probably be under the most scrutiny after May 25th. These businesses rely on advertising and subscriptions for their income, both of which involve the continuous collection and processing of personal data. These companies will be required to audit and monitor their Ad Tech and MarTech stacks closely on a perpetual basis.
The GDPR will be affecting this sector significantly by:
- Widening the Definition of Personal Data — The GDPR classifies anonymous identifiers, such as cookies and device IDs, as PII data, which is the bread and butter of marketing technology and digital publishing.
- Clarifying the Role of Data Controllers and Processors — Under GDPR, third party vendors are “data processors”. Online publishing companies collecting PII data are now defined as “data controllers”. The GDPR views “data controllers” (i.e. online publishers) as sole culprits when it comes to privacy violations.
- Outlining Accountability for Mishandling PII Data — Any online publisher that collects or stores personal data will become liable for misuse. They will also be accountable for the use of third party services that are not compliant with the GDPR.
A wide range of aspects need to be addressed to cover the EU data protection framework. Besides the GDPR principles mentioned above, key issues such as user consent need to be taken into consideration. User consent revolves around three main aspects: the ePrivacy Directive, IAB Europe’s Guidelines, and Consent Management Platforms (CMPs).
The ePrivacy Directive
IAB Europe’s Guidelines
The Interactive Advertising Bureau (IAB) Europe has also released a new framework aimed at standardizing the process of obtaining user consent to collect and use PII data. This has been done with the aim of aligning the advertising technology (Ad Tech) industry with the GDPR rules, while keeping online publishers on the same page.
Consent is at the core of this framework. Online publishers (data controllers) will get to select which Ad Tech vendors (data processors) they wish to continue collaborating with from a centralized list of authorized global vendors. These third party vendors will need to submit an application to appear on this list and pay a predefined admission fee.
Full compliance can’t be achieved just by working with IAB Europe compliant vendors. Once the online publishers have chosen their vendors, they still have the responsibility of obtaining documented consent from the consumer (data subject) on all vendors’ behalf, not to mention the real-time management of the permissions.
Consent Management Platforms (CMPs)
Consent Management Platforms, also known as CMPs, enable online publishers to manage the ePrivacy aspect of GDPR compliance. More and more businesses are adopting CMPs to manage the consent aspect of getting PII data from their clients and leads. In addition to setting and monitoring the statuses of user consent, they can also create lists of preferred vendors.
Despite not being a mandatory tool for GDPR, CMPs are being adopted by data controllers on a massive scale to optimize user consent management and avoid potential slip-ups.
Many leading CMP vendors today are pledging their allegiance to the IAB Europe GDPR Transparency and Consent steering committee. However, Google is also a strong factor in the CMP landscape. Its dedicated platform is going to be highly limiting, allowing online publishers to whitelist a maximum of 12 third party vendors.
Differences aside, online publishers can’t go wrong with any CMP they choose, since all share the common vision of optimizing user consent management as per the GDPR.
Accountability for GDPR Compliance
As mentioned earlier, the accountability for GDPR compliance will go way beyond just first party software, developed and managed internally. Online publishers and digital media websites will also be held accountable for the use of noncompliant third party software in their Ad Tech and MarTech stacks. This has been clearly defined in the new rules.
The meaning of this new reality is simple. Businesses that fail to audit and monitor their third party software infrastructure will be at high risk of violating the new GDPR.
The Online Publisher: A PII Data Controller
Modern content and media domains are complex blends of software components, each providing some kind of business, performance or legal value. Making your Ad Tech stacks GDPR compliant requires a fundamental understanding of what goes on under the hood of your website, which may appear fully functional and optimized to the naked eye.
First Party vs Third Party Services
Ad Tech and MarTech stacks are no longer developed exclusively in-house. The rising cost of hiring dedicated dev teams and the dynamic requirements of managing an online publishing domain have led to an exponential rise in the use of imported software. Third party vendors are becoming increasingly necessary for modern online publishers to remain profitable.
As you can see in the illustration below, the modern tag ecosystem makes use of various third party services. These services can be perfectly functional, but they are basically autonomous components that are working independently. More often than not, they also make use of fourth and fifth party services to gain added functionality.
Third Party Services and GDPR Compliance
Compliance is further complicated when the legal aspect is taken into consideration. Even if the online publisher performs the role of a data controller successfully by requesting and documenting user consent (while providing the right to be deleted), ensuring the GDPR compliance of third party services can be a tricky proposition.
Your PII data can potentially reach new data processors in the form of fourth and fifth party services. A proper GDPR audit should go beyond first party software on the website and include third party services in Ad Tech and MarTech stacks for a thorough inspection.
Real World Example of PII Data Collected by Third Party Services
PII data collection is an integral part of how the digital media machine works today. It happens in almost every action performed in a browser. As the example below shows, PII data is sent through calls and requests that go through a user’s browser after certain actions take place. The number of these pings rises exponentially with every third party service that enters the equation.
Although there are several ways to determine which services are running on your site, not all of them will highlight the fourth and fifth party dependencies.
PII data being transferred through the network waterfall. Source: Web Performance Today
How Can Online Publishers Achieve GDPR Compliance?
Getting ready for GDPR can be a daunting task for some organizations, as we are seeing in the market today. Several media companies like Unroll.me and Verve have opted to shut down their operations rather than take the necessary measures to become GDPR compliant, which were probably too massive from a financial and operational standpoint.
However, GDPR shouldn’t be feared. It should be embraced. The first stage of GDPR compliance for digital publishers must be understanding and mapping the PII data collection process. The more you know about GDPR and its implications on your ecosystem, the better you can align your Ad Tech and MarTech stacks to the new reality.
Know the Footprint of Your Website
Do you know what third party software is currently running on your domain? The first step in bracing yourself for the GDPR guidelines is knowing what tags are actually running on your site. As simple as this may sound, many online publishers lack this fundamental information. Additionally, most web tracking tools today don’t specifically focus on third party services.
Not only are third, fourth, and fifth party services running on your site and impacting your performance, they are also impacting your GDPR compliance. Even though they never directly authorized these services to process or store this data without the user’s consent, online publishers (data controllers) are fully responsible for ensuring GDPR compliance. Knowing your third party infrastructure footprint is still not common practice, but it’s great if you are doing it. However, keeping track over time by drilling down into your network waterfall is time-consuming, resource-intensive and technically complicated, and it does not scale when you have a lot of tags running on your site.
Analyze Who is Collecting Your Customers’ PII Data
As mentioned earlier, your Ad Tech stack is constantly collecting, processing, and at times also storing PII Data. While you can directly control the aspects of consent and provide your users with the option of being “forgotten”, the PII data can easily leak if not methodically monitored on a constant basis.
To prevent such scenarios, a thorough GDPR audit should:
◦ Map third party solutions and their dependencies on fourth party services.
◦ Flag all services that are accessing PII data.
◦ Detect if sensitive information is being stored in an unencrypted form.
◦ Check if PII information is being imported after full consent of the user.
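As an added illustration (not part of this eBook or any vendor's product), the following Python script runs the audit steps above over a constructed HAR-style network waterfall: it walks each request's initiator chain to label third, fourth and fifth party hosts (the footprint discussed under "Know the Footprint of Your Website"), and flags query or POST fields that look like email addresses, whether they were sent before the consent event, and whether they travelled over plain http. Host names, timestamps and the consent time are constructed; checking how a vendor stores data is out of scope here because it is not visible in network traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed HAR-style waterfall (sample data, not a real site): each request has its
# URL, the URL of the script that initiated it, a start time (epoch seconds) and any POST body.
FIRST_PARTY = "news.example"
CONSENT_AT = 1000.0  # constructed: when the CMP recorded the user's consent
SYNC_URL = "https://sync.fourth.example/match?uid=u-123&email=ann%40mail.example"
WATERFALL = [
    {"url": "https://news.example/article", "initiator": None, "started": 990.0, "body": ""},
    {"url": "https://tags.adnet.example/tag.js", "initiator": "https://news.example/article",
     "started": 991.0, "body": ""},
    {"url": SYNC_URL, "initiator": "https://tags.adnet.example/tag.js", "started": 992.0, "body": ""},
    {"url": "http://pixel.fifth.example/p", "initiator": SYNC_URL, "started": 1005.0,
     "body": "email=ann@mail.example"},
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def host(url):
    return urlsplit(url).hostname or ""

def party_level(entry, by_url):
    """Walk the initiator chain back to the page and count distinct external hosts:
    one external host is a third party, two a fourth party, and so on (1 = first party)."""
    external, cur = [], entry
    while cur is not None:
        h = host(cur["url"])
        if h != FIRST_PARTY and not h.endswith("." + FIRST_PARTY) and h not in external:
            external.append(h)
        cur = by_url.get(cur["initiator"])  # None once we reach the page itself
    return len(external) + 2 if external else 1

def pii_fields(entry):
    """Names of query or POST fields whose value looks like an email address."""
    fields = parse_qsl(urlsplit(entry["url"]).query) + parse_qsl(entry["body"])
    return [k for k, v in fields if EMAIL_RE.fullmatch(v)]

def audit(waterfall=WATERFALL, consent_at=CONSENT_AT):
    """One finding per external request: party level, PII-looking fields, whether
    PII left before consent was recorded, and whether it travelled over plain http."""
    by_url = {e["url"]: e for e in waterfall}
    report = []
    for e in waterfall:
        level = party_level(e, by_url)
        if level == 1:
            continue  # first-party requests are not part of the vendor map
        pii = pii_fields(e)
        report.append({"host": host(e["url"]), "party": level, "pii_fields": pii,
                       "before_consent": bool(pii) and e["started"] < consent_at,
                       "plaintext": bool(pii) and urlsplit(e["url"]).scheme == "http"})
    return report
```

On the constructed data the fourth party sync call carries an email address before consent was recorded, and the fifth party pixel receives the same address over plain http; neither would be visible from a first-party-only review.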
Are Your Tech Stacks GDPR Compliant?
For most publishers, GDPR compliance is about collecting personal information in a compliant manner and also sharing it with data processors (third party vendors).
Therefore, your GDPR compliance will mainly hinge on your ability to map and track third party services in your Ad Tech and MarTech stacks. As a data controller, you are responsible for any GDPR breach. This can be unauthorized PII data storage, lack of consent from the user, improper PII data collection, and other issues of this nature.
The two frameworks mentioned earlier, the ePrivacy Directive and the Interactive Advertising Bureau (IAB) Europe framework, also need to be taken into consideration at all times.
Make Sure All of Your Vendors are IAB Europe Compatible
Ensuring that your third party services come from the Interactive Advertising Bureau (IAB) authorized vendors list is not mandatory, but can help you filter out non-GDPR compliant elements from your ecosystem. All you need to do after that is make sure that you implement an IAB approved Consent Management Platform (CMP).
Adopting this methodology can initially mean a limited choice of third party services for your Ad Tech stack, but the IAB compliant vendor list should only increase with time.
Continuous Real-Time Monitoring to Ensure Compliance
A good GDPR audit doesn’t mean your Tech Stacks will stay compliant. Third party vendors often make code changes that may alter the way your customers’ PII data is processed or in extreme cases stored, which is a violation of the GDPR guidelines. New fourth and fifth party vendors, who can potentially be completely noncompliant, may also enter the picture.
This ongoing risk means that online publishers have to continuously monitor their ecosystem, especially their Ad Tech and MarTech stacks, in real time.
The Online Industry Post GDPR: Privacy and Monetization
So what lies ahead for the online publishers after the GDPR guidelines take effect? How will the advertising industry react to the new rules and regulations?
One scenario involves an unprecedented rise in the popularity of Private Marketplaces (PMPs). In an attempt to avoid too many links in the compliance chain, publishers can opt to eliminate their reliance on ad exchanges (open auctions) completely and programmatically offer their ad inventory to specific buyers directly via PMPs.
The second scenario involves the realignment of the entire industry and proper monitoring of third party vendors with comprehensive monitoring tools. Noncompliant vendors will simply become extinct. This will most certainly narrow down the choice of third party solutions, but everything on offer will be GDPR-compliant with watertight security/privacy standards.
But there is also a grey area, where things are already happening.
Google updated its policy in early 2018, notifying publishers they will need to share data they receive from consumers if they intend to use the company’s software to sell ads. Google won’t disclose exactly how it will use that data and has already announced that should any GDPR violations occur, the liability will solely rest with the publishers.
So where will the stars align? Our universe has gone through periods of expansion and contraction over its billions of years of existence. It is safe to assume that Ad Tech, MarTech, and online publishing in general will go through a similar process, starting with a period of contraction and consolidation. The expansion phase will probably arrive once the industry completely aligns itself with the GDPR.