The European Union’s General Data Protection Regulation (GDPR) enforcement went into effect May 25, 2018. As a leading global advertising platform, AdColony remains committed to protecting user privacy and complying with the legal requirements of all regions we operate.

In order to continue delivering the best experience for data subjects as advertising consumers, we process personal data under the “purposes of legitimate interests” in GDPR Article 6(1)(f), which also helps us optimize our advertising partners’ investment, combat fraud, and compensate our publishing partners.

To make this transition transparent and easy to understand for our publishers, attribution partners, and advertisers we’ve prepared this brief guide on how AdColony will handle its responsibilities under GDPR.

What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a European Union regulation law on data protection and privacy for all individuals that reside within the European Union. The GDPR also applies to how data is handled and controlled (more on that later) outside the EU when applicable.

Fundamentally, the GDPR is a new set of rules designed to give EU citizens more control over their personal data. The legislation allows users gain access to and correct information that companies hold on them, including surveys, ad tracking, data collection, cookies, location data, and almost every other piece of a user’s “digital footprint”. It gives users the right to transfer their data to another organization. It requires companies to define how they keep data secure.

We’ve always taken user privacy seriously. GDPR gives us the opportunity to formalize our commitment to privacy within a robust legal framework. We’re even going above and beyond the requirements of the European Union and plan on offering the protections afforded by the GDPR internationally.

Will AdColony be compliant with the GDPR?
Yes. AdColony is committed to meeting all the GDPR requirements globally for all our users by the deadline of May 25th, and we are taking the steps necessary to ensure that AdColony and all our partners are compliant too. We are members of the Privacy Shield framework, which ensures a high level of protection for data sent to and from the EU.

How does GDPR affect AdColony?
Like most ad platforms, AdColony collects user data for the purposes of delivering targeted and relevant advertisements to mobile app users. In addition, we receive data passed to us through SDKs, SSPs, exchanges, attribution partners, and 3rd party data partners. Our efforts to become compliant with GDPR have introduced opportunities to clarify our relationships with data partners, streamline our data processing controls, and help data subjects understand and directly manage uses of their personal data.

What is AdColony doing to meet the GDPR requirements?

    • Controller Classification: As a Controller under GDPR classifications, we work with our advertiser and publisher partners to determine how data is processed based on agreed upon terms.
    • Data Protection: We have engaged ePrivacy Consult GmbH to help us with compliance and appointed one of their agents as our Data Protection Officer. ePrivacy is tasked with ensuring that AdColony is aware of and complies with its data protection responsibilities.
    • Legitimate Interest: AdColony will not request nor require consent from a user in order to display advertisements. We believe that our legitimate interest is appropriate given the value we bring to sustaining a healthy ecosystem amongst users, advertisers, and publishers after having conducted a legitimate interest assessment. Based on data collected, we will show ads to users that deliver the best user experience. By doing so, we allow users to enjoy their favorite apps free of charge while driving revenue for publishers and improving the effectiveness of advertiser campaigns. Moreover, we are fully supportive of the digital ad industry consent mechanisms and will continue to test consent mechanisms as potential alternative legal basis for processing. And where a valid consent is passed to AdColony, we will pass that consent on upstream.
    • Global Implementation: While GDPR rules apply only to data collected from European Union residents, we have decided to comply with GDPR at a global level–for every user in every country.
    • Personal Data: We will collect and process only non-sensitive data signals. Personal data will be pseudonymized and encrypted to maintain the privacy of the user. The data will be processed for standard advertising use cases: campaign operations; performance attribution and optimization; brand targeting; brand measurement; and on the AdColony Exchange.
    • Programmatic Signals: AdColony will adhere to the IAB’s GDPR Recommendations regarding supporting GDPR-relevant RTB signals.
    • Sub-Processors: AdColony will maintain a list of all sub-processors on a password-protected website page.
    • Data Mapping: Our Personal Data Exchange (PDX) forces any calls of device ID and other personal data to be stripped of identifiable information before mapping to a new, anonymous device token.
    • Data Subject Rights: On the AdColony.com website, we will provide instructions for the user to: access their data collected by AdColony.; opt-out of future data collection by AdColony.; erase personal data collected by AdColony.; elect that personal data will not be stored by AdColony.; elect that personal data will not be processed by AdColony.
    • Data Retention: Collected data will be retained for a maximum of 13 months.

Will GDPR require a new AdColony SDK update?

AdColony SDK 3.x supports GDPR and will not require an AdColony SDK update; however, if a publishing partner is collecting consent, they will need to update their integration to pass data subject requests for information or requests to remove their consent we have claimed based on our legitimate interest (i.e. forget, do not store, do not process). Publishers on the old 2.x SDK will need to update to 3.x SDK to pass consent parameters.

More information on the latest AdColony SDK can be found here.

Documentation regarding GDPR requirements for AdColony publishers using our iOS SDK can be found here, and documentation for Android can be found here.

If I work with AdColony, what should I expect regarding GDPR?
GDPR-related steps will vary depending on how you work with AdColony. All partners should review our privacy policy and become familiar with our GDPR interpretations. Additionally, please expect the following based on how you work with us.

  • Publishers will be asked to sign AdColony’s sell-side Data Processing Agreement (DPA).
    DSPs will be asked to sign AdColony’s buy-side DPA.
  • Advertisers will be asked to update their IO language to accommodate the AdColony buy-side DPA, including the GDPR-compliant 3rd-Party Partners to whom AdColony is authorized to send personal data.
  • Attribution and measurement partners should expect to sign an AdColony DPA.
  • Data Management Platforms should expect to sign the AdColony DPA.

What is AdColony’s data retention policy?
AdColony stores and processes data for up to 13 months, unless there is a special need accommodated by GDPR (legal claim, fraud, etc). Otherwise, personal data is destroyed after the 13-month period.

How do data subjects in the EU find out if AdColony has any data about them?
Clear instructions will be posted on the adcolony.com by the May 25, 2018 deadline. Data subjects will direct their requests to AdColony via official process and written affidavit.

How do EU data subjects request their data to be deleted by AdColony?
Similar to data information requests, data subjects will be given directions via adcolony.com regarding their rights and methods for exercising those rights.

Those rights include the ability to make the following requests, which will be honored within 30 days from original request:

  • Forget: The ability to erase personal data from AdColony data storage so that my privacy rights are maintained.
  • Do Not Store: A way to indicate my personal data will not be stored by AdColony so that my privacy rights are maintained.
  • Do Not Process: A way to indicate my personal data will not be processed by AdColony (although it may be stored) so that my privacy rights are maintained.

 

RIGHTS OF DATA SUBJECTS UNDER GDPR

AdColony Advertising Services

Data is processed in order to show you relevant advertising content and to perform tasks necessary to the operation of the advertising business.

Deletion / "Right to be Forgotten"

This form is for requesting the removal of data relating to our advertising services. If you wish to request deletion of your personal information, you can do so at any time by filling out the information in this form and submitting it. (If you wish to request removal of personal information from another area of the business, please email privacy@adcolony.com with a detailed description of the actions you'd like to take.)

AdColony Forget Data Request

With this form, you may request that we forget personal data we have collected in association with your email address and/or your device (identified by your advertising ID).
For more information see our Privacy Policy page (https://www.adcolony.com/privacy-policy/)
* Email Address
Your Information
* First Name
* Last Name
*Under which privacy regulation are you exercising these rights?
GDPR (EU Resident)None of the Above
Relationship
* Are you submitting this request on behalf of yourself?
YesNo
* If no, please indicate your relationship with AdColony
PublisherAdvertiserDSPSSPThird PartyOther
Device ID
Your Device ID is a 36-40 character string that can be found on your device. Please see this link for more information about identifying your Device ID. Device IDs that are incorrectly entered may void your request.
https://www.adcolony.com/privacy-policy/finding-advertising-id/
* Device Advertising ID (Apple IFA or Google AID)
Signature and Consent
By typing your full name below, you are providing us with your digital signature, which is as legally binding as your physical signature. Please note that your signature must exactly match the first and last names that you entered at the top of this web form in order for your submission to be successful.
* Accurate, Authorized
* Consent for this Request
* Signed on this date
* Signature

RIGHTS OF DATA SUBJECTS UNDER GDPR

Data Subject Access Request

AdColony is committed to transparency, and we want EU data subjects to have access to personal data that we may have about them and/or the devices that they may use to access the Internet.

Our privacy policy describes the types of personal data that we process. We only ask for the information we need to help us process a subject access request and will only keep information pertaining to your request for up to one year. If you are a client of AdColony with a login and password to the AdColony platform, we ask that you first direct your request to the person or persons at your organization that administers the relationship with AdColony.

Your EU Data Subject Access Rights

If you make a subject access request as set out in this policy, you are entitled to see the personal data that we have about you including any digital identifiers such as cookie IDs and mobile advertising IDs that AdColony may store. We will also do our best to provide you with other information that we may have stored and associated with your personal data and digital identifiers—for example, transaction logs reflecting where one of our customers used or attempted to use our services in a way that impacts a website or application that you accessed.

We will provide you with the ability to see the personal data that we have by providing you with a copy of that data. You have the right to port that data to a different entity than AdColony, although we can’t guarantee that others will be in position to ingest this data. We will also provide you with the ability to correct errors in the data, but reserve the right to simply delete data which you’ve indicated may contain errors or inaccuracies. We will restrict or cease processing of this data upon request and offer you the ability to object to our processing of this data if you fill out the Do Not Process/Do Not Store Request form on this page. And we will delete the data upon request as long as we are not prohibited from doing so by applicable law and/or the information is not required for us for billing, fraud prevention or security purposes.

Where we are merely the agents and/or processors of data, we may be prohibited from processing this data except as directed in writing by those clients. If that’s the case, we will submit your request to the applicable client and await their written instructions. Also, if we are unable to locate any of the information you have requested, we will let you know.

Making an EU Data Subject Access Request

Step 1: Locating Your Information

Here’s what you need to do in order to share your digital identifiers.

As described in our privacy policy, our systems or website may drop text files called “cookies” that are placed on your computer or device. For more general information about cookies, please visit http://www.allaboutcookies.org/. Some of the cookies we place may provide a unique ID which helps our systems recognize your browser or device over time.  In order to find these cookies, please use your Internet browser to look for cookies named “AdColony.com,” which is the domain used by AdColony.

Please keep in mind that different cookies are placed on each browser that you use to access the Internet. As a result, if you use multiple browsers (for example, Google Chrome and Mozilla Firefox), you will need to locate our cookies for each browser. Your browser’s help section should provide an overview of how to locate your cookies. An internet search of how you may find cookies in your browser may also be helpful. If you need more assistance locating these cookies for your browser, please feel free to email us for assistance at privacy@AdColony.com.

Mobile Devices

Additionally, certain mobile devices (for example, mobile phones or tablets using the iOS or Android operating systems) generate a persistent “Advertising Identifier” per device, which, among other things, can be used by third parties for purposes of providing you with targeted advertising. On iOS devices, your Advertising Identifier may be referred to as an “IDFA,” “IFA,” or an “ID for Advertising.” On Android devices, your Advertising Identifier may be referred to as an “Advertising ID.” To find Advertising ID on a mobile device:

  • iOS: Users have to download an app (e.g. The Identifiers) and copy the “Advertising Identifier”
  • Android: Users choose Google Settings > Ads and copy the “advertising ID”

Step 2: Authentication of the Information Provided

In order to make sure that we are only providing personal data to the correct person, we also will need to take reasonable steps to authenticate your request. We request that you provide screenshots of any cookies and mobile Advertising Identifiers for which you are submitting a request. We also reserve the right to send you an email to any addresses you provide in order to authenticate that portion of your request. We also request that you fill out and sign the form & affidavit below. By filling out and signing the affidavit, you’re promising AdColony that you’re the person listed on the affidavit, and providing proof to demonstrate that you are indeed connected to the personal data and digital identifiers you located in Step 1.

Step 3: Filling out the online form or mailing in same information

Once you have located your Digital Identifiers and can provide us with verification of those Digital Identifiers, you should fill out the form below.

EU data subjects can also make a subject access request by mail, by sending a written request with all of the above-listed information to the following address:

AdColony, Inc.
Attn: Privacy Officer (GDPR Request)
11400 W Olympic Blvd
Ste 1200
Los Angeles, CA 90064
USA

Online Data Subject Access Request Form:

AdColony Data Access

With this form, you may object to AdColony processing or storing your personal data in association with your email address and/or your device (identified by your advertising ID).
For more information see our Privacy Policy page (https://www.adcolony.com/privacy-policy/)
* Email Address
Your Information
* First Name
* Last Name
*Under which privacy regulation are you exercising these rights?
GDPR (EU Resident)None of the Above
Relationship
* Are you submitting this request on behalf of yourself?
YesNo
* If no, please indicate your relationship with AdColony
PublisherAdvertiserDSPSSPThird PartyOther
Device ID
Your Device ID is a 36-40 character string that can be found on your device. Please see this link for more information about identifying your Device ID. Device IDs that are incorrectly entered may void your request.
https://www.adcolony.com/privacy-policy/finding-advertising-id/
* Device Advertising ID (Apple IFA or Google AID)
Signature and Consent
By typing your full name below, you are providing us with your digital signature, which is as legally binding as your physical signature. Please note that your signature must exactly match the first and last names that you entered at the top of this web form in order for your submission to be successful.
* Accurate, Authorized
* Consent for this Request
* Signed on this date
* Signature

RIGHTS OF DATA SUBJECTS UNDER GDPR

AdColony Advertising Services

Data is processed in order to show you relevant advertising content and to perform tasks necessary to the operation of the advertising business.

If you are Data Subject under the European General Data Protection Regulation and you do not wish AdColony to process or store your data, i.e. you wish to withdraw consent, then you can opt out at any time. Opting out will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. You can exercise your rights to opt out of our services and stop processing and/or storage of your personal information in the following ways:

Opt-Out via Device Settings

If your iOS or Android mobile device provides an “Opt out of interest-based advertising” or “Limit Ad Tracking” setting, you can enable the setting and AdColony will not use information collected from that device to infer your interests, or to serve ads to that device that are targeted based on your inferred interests.

To enable “Limit Ad Tracking” on an iOS device:

  • iOS 6:
    • Choose Settings > General > About > Advertising > Enable “Limit Ad Tracking” setting
  • iOS 7 or higher:
    • Choose Settings > Privacy > Advertising > Enable “Limit Ad Tracking” setting

To learn more about the iOS setting, click here.

To enable “Opt out of interest-based ads” setting on an Android device

Android devices with OS 2.2 and up, and Google Play Services version 4.0 and up:
Open Google Settings App > Ads > Enable “Opt out of interest-based advertising”

Restoring Consent

If you’ve enabled ‘Limit Ad Tracking’ on your iOS device or the ‘Opt out of interest-based advertising’ setting on your Android device, you can restore interest-based ads by turning the settings off.

When you opt out, you may still see the same number of ads from AdColony on your mobile device; however, these ads may be less relevant because they won’t be based on your interests. AdColony may continue to serve you ads based on other non-personal information, such as ads related to the content of the application you are using. By submitting this form, you allow AdColony to collect and store Device ID and IP Address as displayed further down on the form.

Opt-Out via Advertising ID

To find Advertising ID on a mobile device:

iOS users have to download an app (e.g. The Identifiers) and copy the “Advertising Identifier”

Android users choose Google Settings > Ads and copy the “advertising ID”

AdColony Do Not Process or Store Data Request

With this form, you may object to AdColony processing or storing your personal data in association with your email address and/or your device (identified by your advertising ID).
For more information see our Privacy Policy page (https://www.adcolony.com/privacy-policy/)
* Email Address
Your Information
* First Name
* Last Name
*Under which privacy regulation are you exercising these rights?
GDPR (EU Resident)None of the Above
Device ID
Your Device ID is a 36-40 character string that can be found on your device. Please see this link for more information about identifying your Device ID. Device IDs that are incorrectly entered may void your request.
https://www.adcolony.com/privacy-policy/finding-advertising-id/
* Device Advertising ID (Apple IFA or Google AID)
Consent
By submitting this request, I certify that I am a resident, citizen or visitor of the country I have indicated above, and I am acting on my own behalf. If not acting on my own behalf, I have legal authority to act on behalf of the resident, citizen or visitor whose Advertising ID I am entering here. I understand that this device will no longer receive personalized advertising.
* Accurate, Authorized
* Consent for this Request
* Agreed on this date
* Signature