The General Data Protection Regulation (GDPR) (EU) 2016/679 is a European Union regulation law on data protection and privacy for all individuals that reside within the European Union. The GDPR also applies to how data is handled and controlled (more on that later) outside the EU when applicable.

Fundamentally, the GDPR is a set of rules designed to give EU citizens more control over their personal data. The legislation allows users gain access to and correct information that companies hold on them, including surveys, ad tracking, data collection, cookies, location data, and almost every other piece of a user’s “digital footprint”. It gives users the right to transfer their data to another organization. It requires companies to define how they keep data secure.

We’ve always taken user privacy seriously. GDPR continues to give us the opportunity to formalize our commitment to privacy within a robust legal framework. We go above and beyond the requirements of the European Union to offer the protections afforded by the GDPR internationally.

Yes. AdColony continues to meet all the GDPR requirements globally for all our users, and we continue to take the steps necessary to ensure that AdColony and all our partners are compliant too.

Like most ad platforms, AdColony collects user data for the purposes of delivering targeted and relevant advertisements to mobile app users. In addition, we receive data passed to us through SDKs, SSPs, exchanges, attribution partners, and 3rd party data partners. Our compliance with GDPR continues to provide opportunities to clarify our relationships with data partners, streamline our data processing controls, and help data subjects understand and directly manage uses of their personal data.

• • Controller Classification: As a Controller under GDPR classifications, we work with our advertiser and publisher partners to determine how data is processed based on agreed upon terms.
  • Data Protection: We have engaged ePrivacy Consult GmbH to help us with compliance and appointed one of their agents as our Data Protection Officer. ePrivacy is tasked with ensuring that AdColony is aware of and complies with its data protection responsibilities.
  • Legitimate Interest: AdColony will not request nor require consent from a user in order to display advertisements. We believe that our legitimate interest is appropriate given the value we bring to sustaining a healthy ecosystem amongst users, advertisers, and publishers after having conducted a legitimate interest assessment. Based on data collected, we will show ads to users that deliver the best user experience. By doing so, we allow users to enjoy their favorite apps free of charge while driving revenue for publishers and improving the effectiveness of advertiser campaigns. Moreover, we are fully supportive of the digital ad industry consent mechanisms and will continue to test consent mechanisms as potential alternative legal basis for processing. And where a valid consent is passed to AdColony, we will pass that consent on upstream.
  • Global Implementation: While GDPR rules apply only to data collected from European Union residents, we have decided to comply with GDPR at a global level–for every user in every country.
  • Personal Data: We will collect and process only non-sensitive data signals. Personal data will be pseudonymized and encrypted to maintain the privacy of the user. The data will be processed for standard advertising use cases: campaign operations; performance attribution and optimization; brand targeting; brand measurement; and on the AdColony Exchange.
  • Programmatic Signals: AdColony will adhere to the IAB’s GDPR Recommendations regarding supporting GDPR-relevant RTB signals. AdColony also support the IAB Transparency and Consent Framework (TCF) v2.0.
  • Sub-Processors: AdColony will maintain a list of all sub-processors on a password-protected website page.
  • Data Mapping: Our Personal Data Exchange (PDX) forces any calls of device ID and other personal data to be stripped of identifiable information before mapping to a new, anonymous device token.
  • Data Subject Rights: On the AdColony.com website, we will provide instructions for the user to: access their data collected by AdColony.; opt-out of future data collection by AdColony.; erase personal data collected by AdColony.; elect that personal data will not be stored by AdColony.; elect that personal data will not be processed by

AdColony SDK 3.x and forward supports GDPR and will not require an AdColony SDK update; however, if a publishing partner is collecting consent, they will need to update their integration to pass data subject requests for information or requests to remove their consent we have claimed based on our legitimate interest (i.e. forget, do not store, do not process). Publishers on the old 2.x SDK will need to update to a newer version of the SDK to pass consent parameters.

Documentation regarding GDPR requirements for AdColony publishers using our iOS SDK can be found here, and documentation for Android can be found here.

If I work with AdColony, what should I expect regarding GDPR?
GDPR-related steps will vary depending on how you work with AdColony. All partners should review our privacy policy and become familiar with our GDPR interpretations. Additionally, please expect the following based on how you work with us.

• Publishers will be asked to sign AdColony’s sell-side Data Processing Agreement (DPA).
  DSPs will be asked to sign AdColony’s buy-side DPA.
• Advertisers will be asked to update their IO language to accommodate the AdColony buy-side DPA, including the GDPR-compliant 3rd-Party Partners to whom AdColony is authorized to send personal data.
• Attribution and measurement partners should expect to sign an AdColony DPA.
• Data Management Platforms should expect to sign the AdColony DPA.

AdColony stores and processes data for up to 13 months, unless there is a special need accommodated by GDPR (legal claim, fraud, etc). Otherwise, personal data is destroyed after the 13-month period.

Clear instructions to exercise Data Subject Access Requests can be found at the bottom of this page.

Similar to data information requests, data subjects are be given directions at the bottom of this page, or on our privacy policy.

Those rights include the ability to make the following requests, which will be honored within 30 days from original request:

• Forget: The ability to erase personal data from AdColony data storage so that my privacy rights are maintained.
• Do Not Store: A way to indicate my personal data will not be stored by AdColony so that my privacy rights are maintained.
• Do Not Process: A way to indicate my personal data will not be processed by AdColony (although it may be stored) so that my privacy rights are maintained.

The California Consumer Privacy Act (CCPA) went into effect in January of 2020 and began being fully enforced by the California AG’s office on July 1, 2020. AdColony is compliant with CCPA (including the AG’s Regulations). The CCPA impacts companies that collect and/or sell personal information and is designed to give Californians more control over their data.

The following are among the major new data protections CCPA introduces:

• Right to access information – California Consumers will be able to know the “what, who, and why” surrounding their personal information.
• Right to deletion – California Consumers will be able to request that a company delete the personal information it has collected about them.
• Right to opt out – California Consumers will be able to direct a company to not sell their personal information to third parties (although the definition of “sell” in the bill is broader than simply monetary exchange).

The CCPA applies to for-profit businesses operating in California that collect personal information of California consumers for which any of the following are true:

1. Annual gross revenues over $25M.
2. Annually buys, receives, sells, or shares personal information of over 50,000 California consumers, households, or devices.
3. Derives at least 50% of annual revenue from selling California consumers’ personal information.

Yes. AdColony is compliant with all the CCPA requirements for California residents and all requests coming from the United States. We continue to take the steps necessary to ensure that AdColony and all our partners remain compliant.

Like most ad platforms, AdColony collects user data for the purposes of delivering targeted and relevant advertisements to mobile app users. In addition, we receive data passed to us through SDKs, SSPs, exchanges, attribution partners, and 3rd party data partners. Due to the effort already done with GDPR, we have been able to re-use a lot of the work we did previously for GDPR for our CCPA compliance.

Third-Party Classification: As a third party as defined by the CCPA, we work with our advertiser and publisher partners to determine how data is processed based on agreed-upon terms.

Personal Information: Like all adtech companies, AdColony processes pseudonymous personal information and is subject to the CCPA’s rules around such information. This data will be processed for standard advertising use cases: campaign operations; performance attribution and optimization; brand targeting; brand measurement; and on the AdColony Exchange.

Programmatic Signals: AdColony supports the IAB’s CCPA Recommendations regarding CCPA-relevant RTB signals. AdColony can also ingest and interpret consent strings from the IAB CCPA US Privacy Framework.

Data Mapping: Our Personal Data Exchange (PDX) forces any calls of device ID and other personal information to be stripped of identifiable information before mapping to a new, pseudonymous device token.

Data Subject Rights: On the AdColony Privacy Policy, there are instructions for the user to: access their data collected by AdColony.; opt-out of future data collection by AdColony.; erase personal data collected by AdColony.; elect that personal data will not be stored by AdColony.; elect that personal data will not be processed by AdColony.

Data Retention: Collected data will be retained for a maximum of 13 months.

AdColony classifies as a 3rd party under CCPA, but we strive to provide all possible tools to ingest and respect CCPA privacy signals regardless of legal classification. If your business has adopted or is planning to adopt the IAB CCPA Privacy string, AdColony’s SDK 4.2 can ingest and respect the IAB US Privacy String. Additionally, AdColony’s SDK 4.2 provides support for publishers to designate on an individual level whether CCPA is applicable for a specific user, and whether a user has opted in or opted out to the sale of their data as defined by CCPA.

Usage of providing any of the above features to pass opt-outs via our SDK will require updates SDK 4.2, as earlier versions do not support them. We’ve designed this version of our SDK to minimize the requirement of future publisher updates to support additional privacy features for future legislation and industry privacy frameworks.

CCPA steps will vary depending on how you work with AdColony. All partners should review our privacy policy and become familiar with our CCPA interpretations. Additionally, please expect the following based on how you work with us.

• Publishers and Supply Side Partners will be asked to pass any instances of where a user has opted out of a sale to AdColony to our SDK or through the bid-stream.
• SSPs will need to send opted-out CCPA signals per the IAB CCPA Specifications, or to AdColony’s own Specifications in order to support opted-out users under CCPA.
• Attribution and measurement partners should connect with AdColony on how to best transmit and receive opt-out signals from users.
• Data Management Platforms should connect with AdColony on how to best transmit and receive opt-out signals from users.

AdColony stores and processes data for up to 13 months, unless there is a special need accommodated by GDPR or CCPA (legal claim, fraud, etc). Otherwise, personal data is destroyed after the 13-month period.

Instructions are posted on the privacy policy or can be found below. Data subjects will direct their requests to AdColony via official process and will need to be able to affirm their request.

Clear instructions are posted on AdColony Privacy Policy. Data subjects will direct their requests to AdColony via official process and will need to be able to affirm their request.

Those rights include the ability to make the following requests, which will be honored within 30 days from original request:

Forget: The ability to erase personal data from AdColony data storage so that my privacy rights are maintained.

Do Not Store/Do Not Sell: A way to indicate my personal data will not be stored or sold by AdColony so that my privacy rights are maintained.

Do Not Process: A way to indicate my personal data will not be processed by AdColony (although it may be stored) so that my privacy rights are maintained.