GDPR:
The Implications for the Mobile Marketing Industry
GDPR and the implications for the Mobile Advertising industry
1. What You Need to Know About GDPR
Data protection has entered an era of unprecedented change. In December 2015, after more than three years of tough negotiations and multiple draft versions, three major EU institutions - the European Parliament, the Council of the European Union and the European Commission - agreed on the text of the General Data Protection Regulation (GDPR).
The regulation becomes effective on May 25, 2018 and replaces the Data Protection Directive which has been the basis of European data protection for more than two decades.
Here are the main reasons for GDPR:
1. Revolutionary change in how we use and share information
The Data Protection Directive was adopted in 1995, when internet was not widely available and people hardly had mobile phones. Since the Directive no longer fits the purpose, GDPR is designed to ensure the safety of personal data in our modern, technological world.
2. Increasing number of high -profile data breaches
After tech companies such as Uber and Yahoo suffered large scale data breaches affecting more than 3 billion user accounts, consumers and regulators have become increasingly concerned about the management of personal data.
3. Clear need for more significant sanctions
The famous cases where powerful tech giants broke the law (e.g., Facebook used a generic opt-in to merge Whatsapp data) highlighted the insignificance of existing fines for violating privacy regulations, further supporting the need of a new legislation.
By introducing stricter data protection compliance requirements, GDPR is a game changer for businesses in multiple industry sectors. It comes as no surprise that the new regulation has a critical impact on the mobile marketing industry too. Mobile marketers, publishers and the technology companies behind them - all businesses operating in the industry - need to ensure compliance with GDPR when it comes into effect in May later this year.
Failure to comply comes with a price - fines can reach up to 20 million EUR or 4% of annual gross revenue, whichever amount is greater.
The clock is ticking and with just a few weeks left, companies should have completed a data protection impact assessment by now and be well on their way to repair any gaps. If your business is operating in the mobile marketing space, this guide is designed to help you act now - regardless of whether you are just beginning your preparations or already ticking the final boxes in your groundwork checklist.
GDPR
2. What GDPR Means
for the Mobile Marketing Industry
While GDPR poses some challenges for the mobile community, it also brings positive changes by harmonizing the law across the 28 EU Member States and making the complex data protection landscape easier to navigate. Most importantly, it clarifies the data protection law by eliminating “gray areas” that were prevalent pre-GDPR.
The following list outlines the most significant changes under GDPR:
Definition of Personal Data
The definition is much broader under GDPR and includes types of data that were not previously classified as personal data. GDPR clearly defines that all device identifiers, including AAID (Android Advertising ID), IDFA (Apple ID for Advertising) as well as Cookie IDs and location data are considered as personal data.
Implication for mobile marketing
Any information relating to an identified or identifiable natural person becomes personal data and should be treated as such (including hashed values).
New Rights
GDPR introduces new rights for consumers. The right to erasure enables individuals to ask data controllers to erase all personal data without undue delay. The right to data portability allows individuals to request that their data is “ported” from one company to another. The right to access enables users to access their personal data to verify the lawfulness of processing.
Implication for mobile marketing
Businesses must have processes for customers to make opt-out requests at any time and ensure they are acted upon. Consent databases must track when consent was given and if it has been withdrawn. Systems must be enabled to perform opt-outs and accomplish deletions quickly and completely.
Privacy by Design
Data needs to be controlled and processed with clearly defined security measures. Privacy should be built into new products and features from the very beginning, including appropriate technical and organizational measures in order to meet all GDPR requirements.
Implication for mobile marketing
Companies have a legal obligation to minimize the amount of data; it must be retained for no longer than necessary. Pseudonymization should be applied to reduce the risks of data processing.
Consent Management
Processing personal data requires a solid legal ground under GDPR, e.g., explicit consent of a user or, in some cases, the legitimate interest of data processing. Asking for consent means putting consumers in control and giving them a real choice. User opt-in should be written in plain language and provide details such as purposes of processing, the types of data that will be processed and the responsible data controllers that will be processing the data.
Implication for mobile marketing
If consent is chosen as the legal basis for data processing, businesses need proof that a customer has given explicit consent for data collection. Opt-ins must be written in plain language with no legalese, must be documented and available throughout the chain of data controllers and processors.
To better document and manage users’ consent, specialized Consent Management solutions are available. These solutions take the load off the data controllers by fulfilling the requirements of seamless opt-ins and opt-outs as well as providing detailed documentation of specific cases for individual users.
IAB Europe has initiated an industry-wide Consent Management Solution. More information at http://advertisingconsent.eu/.
3. Understanding Your Role in the Data Processing Chain
Being able to correctly identify your - and your partners’ - role in the data processing chain has a
Under GDPR, both data controllers and data processors are accountable for securely managing personal data and reporting data breaches. Data controllers, however, have more options to work with data and, accordingly, have more responsibilities regarding the documentation of internal processes, privacy impact assessment, opt-outs and 3rd party audits.
With so many players and intermediaries in the complex and ever-changing mobile marketing space, it can sometimes be challenging to assign businesses to the right roles.
To make things simpler, here’s the breakdown of the data processing chain:
Data Subject: The individual who is the subject of personal data.
Example from the mobile marketing industry: App user.
Data Controller: The company that determines the purposes and the manner in which personal data is processed. The controller can provide data to other controllers as well as to processors.
Example from the mobile marketing industry: App publisher, advertiser, SSP, DMP, DSP.
Data Processor: The company that processes data on behalf of a data controller. The processor can only provide data to sub-processors, never back to controllers.
Example from the mobile marketing industry: Analytics company that acts strictly on behalf of a data controller.
Both data controllers and data processors throughout the chain need to understand the source of the data being used and make sure that their suppliers have proper consent mechanisms in place and keep the record of consent.
Data
1st Party Data
Definition
Data is collected by the data owner itself (e.g., through their own app or SDK).
Implication for the mobile marketing industry
Owners of 1st party data (e.g., app publishers) benefit from their direct relationship to the consumer and can obtain explicit consent.
3rd Party Data
Data is provided by 3rd party companies and aggregators.
For 3rd party companies that collect and and document proper consent.
1st and 3rd Party Data
4. Is Your Organization Ready for GDPR?
As GDPR brings the biggest change in European data protection in decades, there are many frameworks out there that provide detailed steps to follow in order to fully prepare for it. Hopefully, your organization has already taken strong actions towards compliance with the new regulation. However, if you are only starting to prepare at this stage, the best plan is to get professional support as soon as possible.
Regardless of which phase of preparation your organization is currently at, it’s a good idea to perform a preventive evaluation of your status.
The most important questions you need to ask yourself include:
Data Protection Officer
Data Protection Officer (DPO)
Do you process large scale customer data and need a dedicated person to monitor your GDPR compliance program?
GDPR requires the appointment of a DPO for organizations that process large amounts of sensitive personal data. The main DPO tasks include consultation, monitoring of compliance, training of staff, internal audits.
Mandatory Breach Notification
In case of a data breach, would you be able to notify the data protection authorities within 72 hours?
A breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Breaches must be reported to authorities within 72 hours.
Mandatory Breach Notification
Privacy by Design
Privacy by Design
Do you build data protection requirements into the development of your business processes and new products?
Privacy should be built into new systems, products and features from the very beginning. By default, privacy settings should be set at a high level.
New Rights
Are you prepared to comply with the new consumers’ rights to access, erase and transfer their personal data?
GDPR enables individuals to access their data to verify the lawfulness of processing, to obtain, reuse or delete their personal data, and to have distribution of their data discontinued.
GDPR New Rights
GDPR Expanded Scope
Expanded Scope
Do you understand your role as a data processor or a data controller? Do you process the data of EU citizens?
GDPR applies to all data controllers and processors established in the EU, as well as all organizations outside of the EU that have EU citizens as clients. The legislation impacts any business that may come into contact with a European citizen, including companies based in the US.
Accountability
Are you prepared to prove your organization’s compliance with the requirements of GDPR?
Upon request from the data protection authorities, businesses must provide documentation on their data processing policies, procedures and operations.
GDPR Accountability
5. Checklist for Mobile Publishers
One of the major objectives of GDPR is to empower individuals to better control their data. Thanks to their direct access to consumers, mobile publishers are particularly accountable for providing that control. Among their other responsibilities, publishers must clearly inform people about exactly what data is collected and what will happen to that data from the moment it is submitted.
GDPR brings strict regulations and publishers should take action to critically evaluate both their own and their partners’ data processing practices – and act on it.
If you are on the supply side of the mobile marketing ecosystem and are monetizing your data, here’s a checklist of GDPR-related tasks you should complete to demonstrate full compliance:
Determine Your Role
Review & Renegotiate Contracts
Update Privacy Policy & Terms of Service
Agree on the Legal Basis for Data Processing
Manage Consent
Prevent Data Leakage
Notify Breaches
Despite there being a lot of groundwork involved, GDPR is a positive development for mobile publishers that are in a good position to obtain consent. The regulation forces publishers to take back control of what happens on their mobile apps and mobile websites and at the same time increases respect for their audience. In turn, these developments lead to an increase in trust between users and publishers, further enhancing the quality of the data being collected.
Checklist for Mobile Publishers
Determine Your Role
As discussed above, there are 2 different types of data-facing entities: the controllers that determine how and why personal data should be processed and the processors that undertake the actual processing on behalf of controllers. Mobile publishers are typically controllers.
Review & Renegotiate Contracts
Mobile publishers should update most of their 3rd party vendor agreements because GDPR brings new requirements and considerations that need to be codified, including:
Definitions (e.g., the new, broader definition of personal data)
Notifications (vendors must notify controllers without undue delay in case of a breach)
Collaboration (vendors must enable controllers to honor the rights of data subjects)
Security (vendors must guarantee that the processing is secure and compliant)
Record-keeping (processors must keep records of any data processing done on the
controller’s behalf)
Update Privacy Policy & Terms of Service
Mobile publishers should make sure that these documents are up-to-date and cover all their legal requirements. Also, GDPR requires publishers to explain the privacy policy in plain language, and to make it easily accessible and visible before collecting personal data (including cookies or mobile advertising IDs).
Agree on the Legal Basis for Data Processing
Mobile publishers must have a proper legal basis such as consent or legitimate interest to collect, use and transfer personal data. Consent must be made in an understandable and easily accessible form. Publishers must be clear about what data they collect, what they plan to do with it and explicitly list all 3rd parties who will use the data.
Manage Consent
Mobile publishers must keep a record of consent and give the individual the ability to revoke consent at any time, and to access, correct, or completely erase all data that publishers have about them. Users must be able to withdraw consent just as easily as they’re able to give it.
Prevent Data Leakage
Consent is meaningless without enforcement of data protection: unless mobile publishers prevent all data leakage, a visitor who gives consent cannot know where their data may end up. Publishers should know their technology and potential weak links – and prevent data leakage.
Notify Breaches
In the event that a database is breached, mobile publishers must notify the authorities within 72 hours of becoming aware of the leak.
6. Checklist for Mobile Advertisers
New rights for consumers, new time limitations on many requests, new scope of responsibilities – there is no doubt that GDPR brings challenges for mobile advertisers, both those in already highly regulated industries and those that are not.
Advertisers should take action to critically evaluate their own and partners’ data processing practices – and act on it. If you are on the demand side of the mobile marketing ecosystem, here’s a checklist of GDPR related tasks you should complete to demonstrate full compliance:
Determine Your Role
Review & Update Contracts
Know Your Vendors
Obtain Consent
Manage Consent
Understand Legitimate Interests
Update Privacy Policy
While preparations for GDPR might be challenging, this new legislation shouldn’t be seen as a set- back for marketers. In fact, it’s a good opportunity to create targeted mobile marketing campaigns reaching the people that are engaged with your brand.
Thanks to explicit consent, GDPR will lead to an increase in data quality. Savvy marketers should use this as an opportunity to dig deeper into the needs of their prospects and customers, by replacing the traditional “one-size-fits-all” approach to mobile marketing.
GDPR Checklist
Checklist for Mobile Advertisers
Determine Your Role
A controller is someone who determines the means and purposes of processing personal data, such as what data to collect and what audiences to target. A processor, in turn, processes data on behalf of the controller. While some crossovers are possible, in most cases this means that advertisers are controllers.
Review & Update Contracts
Marketers should review and update inter-company agreements and data processor contracts. The updated versions of contracts should be amended to include new clauses related to GDPR and to ensure all relevant services are fully compliant.
Know Your Vendors
Vendors play a crucial role in determining whether marketers remain compliant or risk breaching the rules. With that in mind, marketers should clarify with each vendor:
What personal data do they process? How? Why? How do they minimize the use of it?
Are they a processor or a controller?
On what legal basis are they processing data?
How are they prepared to handle consent?
How are they managing the data subject rights?
How do they handle security and international transfers?
Obtain Consent
To get consent, advertisers will need to provide individuals with a clear picture of why they are collecting the data, how it will be used and who will use it. Easy to understand, plain language about the lawful basis for processing data should be used. The right to easily revoke consent should be offered.
Manage Consent
It’s important to ensure that systems can record consent and subsequent objections tied to specific purposes stated at the time of consent collection.
Understand Legitimate Interests
GDPR allows for direct marketing as a legitimate interest activity if certain conditions and a “balance of interests” test (which weights marketers’ own interests against the rights of the data subject) are met. If legitimate interest is chosen as the legal basis for data processing instead of consent, marketers should record how they meet the protection of individual’s rights and reasonable expectations.
Update Privacy Policy
GDPR requires more detailed privacy notices, including how long personal data is retained, details of any sharing of personal data with 3rd parties, an explanation of any profiling activities undertaken, how individuals can exercise their rights, where to send complaints and if non-EU countries will process personal data.
7. Targetoo Is Your Trusted Partner in the Mobile Marketing Space
GDPR is not designed to stop marketers from communicating with their customers, nor does it prevent publishers from continuing their data monetization businesses. The goal is to give more control to the users, which can be transformed into a competitive advantage when working with carefully selected, credible partners.
At Targetoo, we created a neutral and transparent marketplace to enable companies to make better marketing decisions. Founded and headquartered in Germany, Targetoo was exposed to very strong privacy regulations since the early days of establishment, and had to comply with them. We therefore have already ticked the boxes for most GDPR requirements:
Targetoo...
...has the concept of „Privacy by Design” incorporated into its development since day one ...has defined ”Technical and Organizational Measures“ as part of the standard data processing agreements
...developed an integration method with partners (Pre-bid Enrichment) that allows for direct data deletion on the DSP and SSP side (no raw data is sent to partners)
...contractually requires all data partners to obtain and provide proof of consent for all users
…has an external Data Privacy Officer appointed since 2018
…offers users and opt-out on its website to allow for data deletion and discontinued distribution
...is actively involved in the IAB initiative for Consent Management Solution to allow for industry-wide standards and a transparent vendor list
Targetoo takes the role of a Data Controller .
In addition to offering a self-service Audience Management Platform that allows data owners to monetize their data and data buyers to target the right audiences in their campaigns, Targetoo also collects and processes data for audience segments derived from location behavior as well as for the Targetoo Data Alliance.
As a data controller, Targetoo complies with all GDPR requirements and serves as a trusted partner for audience targeting as well as for data monetization.
8. Conclusion
While the approaching deadline to comply with GDPR keeps the mobile marketing industry busy, it’s important to take a step back and recognize the value that the new regulation brings. The General Data Protection Regulation aims to return the control over personal data to European citizens and to simplify the regulatory environment in which international business is conducted.
To stay compliant, companies should already be well progressed in repairing any gaps identified during their internal data privacy assessments and contract reviews. Repairing these gaps, however, should be seen as more than just a compliance responsibility. Using data ethically establishes trust between companies and consumers - further strengthening our data-driven economy. Smart businesses both on the supply and the demand side of the mobile marketing ecosystem should turn the compliance activities into an opportunity to stay ahead of the competition and to strengthen their customer relationships.
GDPR - Targetoo conclusion
Disclaimer: The information and recommendations contained in this white paper are of a general nature and do not represent legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of GDPR.
