The European Union’s General Data Protection Regulation (GDPR) enforcement went into effect May 25, 2018. As a leading global advertising platform, AdColony remains committed to protecting user privacy and complying with the legal requirements of all regions we operate.
In order to continue delivering the best experience for data subjects as advertising consumers, we process personal data under the “purposes of legitimate interests” in GDPR Article 6(1)(f), which also helps us optimize our advertising partners’ investment, combat fraud, and compensate our publishing partners.
To make this transition transparent and easy to understand for our publishers, attribution partners, and advertisers we’ve prepared this brief guide on how AdColony will handle its responsibilities under GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a European Union regulation law on data protection and privacy for all individuals that reside within the European Union. The GDPR also applies to how data is handled and controlled (more on that later) outside the EU when applicable.
Fundamentally, the GDPR is a new set of rules designed to give EU citizens more control over their personal data. The legislation allows users gain access to and correct information that companies hold on them, including surveys, ad tracking, data collection, cookies, location data, and almost every other piece of a user’s “digital footprint”. It gives users the right to transfer their data to another organization. It requires companies to define how they keep data secure.
We’ve always taken user privacy seriously. GDPR gives us the opportunity to formalize our commitment to privacy within a robust legal framework. We’re even going above and beyond the requirements of the European Union and plan on offering the protections afforded by the GDPR internationally.
Will AdColony be compliant with the GDPR?
Yes. AdColony is committed to meeting all the GDPR requirements globally for all our users by the deadline of May 25th, and we are taking the steps necessary to ensure that AdColony and all our partners are compliant too. We are members of the Privacy Shield framework, which ensures a high level of protection for data sent to and from the EU.
How does GDPR affect AdColony?
Like most ad platforms, AdColony collects user data for the purposes of delivering targeted and relevant advertisements to mobile app users. In addition, we receive data passed to us through SDKs, SSPs, exchanges, attribution partners, and 3rd party data partners. Our efforts to become compliant with GDPR have introduced opportunities to clarify our relationships with data partners, streamline our data processing controls, and help data subjects understand and directly manage uses of their personal data.
What is AdColony doing to meet the GDPR requirements?
- Controller Classification: As a Controller under GDPR classifications, we work with our advertiser and publisher partners to determine how data is processed based on agreed upon terms.
- Data Protection: We have engaged ePrivacy Consult GmbH to help us with compliance and appointed one of their agents as our Data Protection Officer. ePrivacy is tasked with ensuring that AdColony is aware of and complies with its data protection responsibilities.
- Legitimate Interest: AdColony will not request nor require consent from a user in order to display advertisements. We believe that our legitimate interest is appropriate given the value we bring to sustaining a healthy ecosystem amongst users, advertisers, and publishers after having conducted a legitimate interest assessment. Based on data collected, we will show ads to users that deliver the best user experience. By doing so, we allow users to enjoy their favorite apps free of charge while driving revenue for publishers and improving the effectiveness of advertiser campaigns. Moreover, we are fully supportive of the digital ad industry consent mechanisms and will continue to test consent mechanisms as potential alternative legal basis for processing. And where a valid consent is passed to AdColony, we will pass that consent on upstream.
- Global Implementation: While GDPR rules apply only to data collected from European Union residents, we have decided to comply with GDPR at a global level–for every user in every country.
- Personal Data: We will collect and process only non-sensitive data signals. Personal data will be pseudonymized and encrypted to maintain the privacy of the user. The data will be processed for standard advertising use cases: campaign operations; performance attribution and optimization; brand targeting; brand measurement; and on the AdColony Exchange.
- Programmatic Signals: AdColony will adhere to the IAB’s GDPR Recommendations regarding supporting GDPR-relevant RTB signals.
- Sub-Processors: AdColony will maintain a list of all sub-processors on a password-protected website page.
- Data Mapping: Our Personal Data Exchange (PDX) forces any calls of device ID and other personal data to be stripped of identifiable information before mapping to a new, anonymous device token.
- Data Subject Rights: On the AdColony.com website, we will provide instructions for the user to: access their data collected by AdColony.; opt-out of future data collection by AdColony.; erase personal data collected by AdColony.; elect that personal data will not be stored by AdColony.; elect that personal data will not be processed by AdColony.
- Data Retention: Collected data will be retained for a maximum of 13 months.
Will GDPR require a new AdColony SDK update?
AdColony SDK 3.x supports GDPR and will not require an AdColony SDK update; however, if a publishing partner is collecting consent, they will need to update their integration to pass data subject requests for information or requests to remove their consent we have claimed based on our legitimate interest (i.e. forget, do not store, do not process). Publishers on the old 2.x SDK will need to update to 3.x SDK to pass consent parameters.
More information on the latest AdColony SDK can be found here.
If I work with AdColony, what should I expect regarding GDPR?
- Publishers will be asked to sign AdColony’s sell-side Data Processing Agreement (DPA).
DSPs will be asked to sign AdColony’s buy-side DPA.
- Advertisers will be asked to update their IO language to accommodate the AdColony buy-side DPA, including the GDPR-compliant 3rd-Party Partners to whom AdColony is authorized to send personal data.
- Attribution and measurement partners should expect to sign an AdColony DPA.
- Data Management Platforms should expect to sign the AdColony DPA.
What is AdColony’s data retention policy?
AdColony stores and processes data for up to 13 months, unless there is a special need accommodated by GDPR (legal claim, fraud, etc). Otherwise, personal data is destroyed after the 13-month period.
How do data subjects in the EU find out if AdColony has any data about them?
Clear instructions will be posted on the adcolony.com by the May 25, 2018 deadline. Data subjects will direct their requests to AdColony via official process and written affidavit.
How do EU data subjects request their data to be deleted by AdColony?
Similar to data information requests, data subjects will be given directions via adcolony.com regarding their rights and methods for exercising those rights.
Those rights include the ability to make the following requests, which will be honored within 30 days from original request:
- Forget: The ability to erase personal data from AdColony data storage so that my privacy rights are maintained.
- Do Not Store: A way to indicate my personal data will not be stored by AdColony so that my privacy rights are maintained.
- Do Not Process: A way to indicate my personal data will not be processed by AdColony (although it may be stored) so that my privacy rights are maintained.