GDPR: What Mobile Marketers Need to Know
Implications for the Mobile Marketing Industry
1. What You Need to Know About GDPR
After years of negotiation, EU institutions agreed on the General Data Protection Regulation (GDPR). It took effect on May 25, 2018, replacing the 1995 Data Protection Directive.
Here are the main reasons for GDPR:
1. Outdated Law
The 1995 Directive predates today’s internet and smartphones. GDPR modernizes EU privacy law to safeguard personal data in a contemporary, data-driven environment.
2. Data Breaches
Large-scale breaches increased public and regulatory scrutiny of how personal data is handled.
3. Stronger Sanctions
GDPR introduces stricter compliance obligations and materially higher penalties to drive better data protection standards.
GDPR is a game changer across industries, including mobile marketing. All ecosystem participants (marketers, publishers, and technology vendors) must ensure compliance.
Non-compliance penalties: administrative fines of up to €20M or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
2. What GDPR Means for the Mobile Marketing Industry
The following list outlines the most significant changes under GDPR:
Definition of Personal Data
Device identifiers (e.g., AAID, IDFA), cookie IDs, and location data are personal data.
Implication for mobile marketing
Any information relating to an identified or identifiable natural person is personal data and must be treated as such. This includes hashed identifiers: a plain hash of a device ID is deterministic, so the same value appears wherever that device is seen and still singles out one person. Hashing changes the form of the identifier, not its ability to identify.
Expanded Data Subject Rights
Access to personal data
Erasure (“right to be forgotten”)
Portability to another provider
Implication for mobile marketing
Businesses must have processes for customers to make opt-out requests at any time and ensure they are acted upon. Consent databases must track when consent was given, under which notice, and whether it has since been withdrawn. Systems must be able to perform opt-outs and complete deletions quickly and completely, including every downstream copy of the data (backups, partner systems, derived segments).
Privacy by Design
Embed privacy into products and processes from the start; minimize data collection and retention by default; apply appropriate technical and organizational measures (TOMs).
Implication for mobile marketing
Companies have a legal obligation to collect only the data necessary for the stated purpose and to retain it no longer than necessary. Pseudonymization should be applied to reduce the risk of processing: the identifier is replaced by a value that cannot be attributed to the person without additional information (such as a key) that is held separately. Pseudonymized data remains personal data; it is not anonymous.
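To make the two points above concrete (a hashed identifier is still personal data, and pseudonymization means keeping the re-identifying information separate), here is an added example in Python. It is not code from this page or from Targetoo: the advertising ID and phone number are constructed samples, and the `ControllerPseudonymizer` helper and its method names are assumptions made for the illustration. It contrasts an unkeyed SHA-256 of an identifier (identical at every party, and trivially reversible for low-entropy inputs such as phone numbers) with an HMAC under a per-controller secret, and shows how destroying that secret ("crypto-shredding") makes previously issued pseudonyms unlinkable, which is one way to honour an erasure request in datasets that hold only pseudonyms.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of a device or user identifier.

    Deterministic and computable by anyone, so every party that hashes the same
    identifier gets the same digest: the value still singles out one individual
    and stays linkable across the whole advertising chain. GDPR treats it as
    personal data.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, controller_key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret held by one controller only.

    Without the key a partner cannot recompute the pseudonym from the raw
    identifier, so the same device receives an unrelated pseudonym at every
    controller. The key is the 'additional information' that pseudonymization
    requires to be kept separately.
    """
    return hmac.new(controller_key, identifier.strip().lower().encode(),
                    hashlib.sha256).hexdigest()


def brute_force_hashed_phone(target_digest: str, prefix: str, digits: int) -> Optional[str]:
    """Recover a phone number from its unkeyed hash by enumerating the keyspace.

    Low-entropy identifiers (phone numbers, e-mail addresses) have far too few
    possible values for a plain hash to hide them; 10**digits candidates is a
    trivial search. Returns the number, or None if it is not in the range tried.
    """
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if plain_hash(candidate) == target_digest:
            return candidate
    return None


class ControllerPseudonymizer:
    """Per-controller pseudonymization with crypto-shredding (hypothetical helper).

    Each controller draws its own random key. Destroying the key leaves every
    pseudonym derived under it unlinkable to the original identifier.
    """

    def __init__(self) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)

    def pseudonymize(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("pseudonymization key has been destroyed")
        return keyed_pseudonym(identifier, self._key)

    def links_to(self, identifier: str, pseudonym: str) -> bool:
        """True only while the key exists and `pseudonym` was derived from `identifier`."""
        if self._key is None:
            return False
        return hmac.compare_digest(self.pseudonymize(identifier), pseudonym)

    def destroy_key(self) -> None:
        self._key = None


# Constructed sample identifiers for the demonstration; not a real device or subscriber.
SAMPLE_IDFA = "6D92078A-8246-4BA4-AE5B-76104861E7DC"
SAMPLE_PHONE = "+31612345678"


def demo() -> dict:
    """Run the comparison and return the observations as a dict of booleans."""
    publisher = ControllerPseudonymizer()
    dsp = ControllerPseudonymizer()

    pseudonym_at_publisher = publisher.pseudonymize(SAMPLE_IDFA)
    pseudonym_at_dsp = dsp.pseudonymize(SAMPLE_IDFA)

    # A partner who also hashes the raw IDFA with plain SHA-256 gets the identical digest.
    partner_digest = plain_hash(SAMPLE_IDFA)

    recovered = brute_force_hashed_phone(plain_hash(SAMPLE_PHONE), prefix="+3161234", digits=4)

    linkable_before = publisher.links_to(SAMPLE_IDFA, pseudonym_at_publisher)
    publisher.destroy_key()
    linkable_after = publisher.links_to(SAMPLE_IDFA, pseudonym_at_publisher)

    return {
        "plain_hash_matches_across_parties": partner_digest == plain_hash(SAMPLE_IDFA),
        "keyed_pseudonyms_differ_per_controller": pseudonym_at_publisher != pseudonym_at_dsp,
        "phone_recovered_from_plain_hash": recovered == SAMPLE_PHONE,
        "linkable_before_key_destruction": linkable_before,
        "linkable_after_key_destruction": linkable_after,
    }


if __name__ == "__main__":
    for observation, value in demo().items():
        print(f"{observation}: {value}")
```

Two caveats a practitioner should keep in mind: a keyed pseudonym only protects against parties who do not hold the key, so the key needs the same access control as the raw identifiers; and a pseudonym that is itself shared with many partners becomes a stable cross-party identifier again, which is why per-controller (or per-purpose) keys are used rather than one industry-wide value.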
Consent Management
Processing requires a lawful basis (e.g., consent or legitimate interests). Consent must be freely given, specific, informed and unambiguous, and withdrawing it must be as easy as giving it. If using consent:
Use clear, plain language
Specify purposes, data types, and the responsible controllers
Record consent and make it available across the chain
Implication for mobile marketing
If consent is chosen as the legal basis for data processing, businesses need verifiable proof that a customer has consented to data collection for each stated purpose. Opt-ins must be written in plain language with no legalese, must be documented, and must be available throughout the chain of data controllers and processors, so that every party can show on what basis it holds the data.
To better document and manage users’ consent, specialized Consent Management solutions are available. These solutions take the load off the data controllers by handling opt-ins and opt-outs and by keeping detailed records for individual users.
IAB Europe has initiated an industry-wide Consent Management Solution. More information at http://advertisingconsent.eu/.
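The consent records described above, and the opt-out, access and erasure rights listed under Expanded Data Subject Rights, all come down to one data structure: an append-only log of consent events per person and purpose that can be queried at a point in time, exported, and erased. The following is an added Python example of such a ledger; it is not the IAB Europe solution nor code from this page or Targetoo. The purpose names, field names, timestamps and the tombstone-on-erasure design are assumptions made for the illustration.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or withdrawal as collected from the user (field names are assumptions)."""
    subject_id: str       # pseudonymous key for the data subject, e.g. a keyed hash of the AAID
    purpose: str          # one specific purpose, e.g. "personalised_ads" or "measurement"
    granted: bool         # True for an opt-in, False for a withdrawal
    at: datetime          # timezone-aware time of the choice
    source: str           # where it was collected, e.g. "app:1.4.2/consent_screen"
    notice_version: str   # version of the plain-language notice shown at that moment


class ConsentLedger:
    """Append-only consent record per (subject, purpose).

    The latest event at or before a given instant decides whether processing for
    that purpose was permitted at that instant; no event at all means no consent.
    """

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def _history(self, subject_id: str, purpose: str, at: datetime) -> List[ConsentEvent]:
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose and e.at <= at),
                      key=lambda e: e.at)

    def is_permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Point-in-time check, so past processing can be audited against the consent of that time."""
        history = self._history(subject_id, purpose, at or datetime.now(timezone.utc))
        return bool(history) and history[-1].granted

    def proof_of_consent(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The opt-in currently relied on, or None if consent is absent or withdrawn."""
        history = self._history(subject_id, purpose, datetime.now(timezone.utc))
        return history[-1] if history and history[-1].granted else None

    def downstream_signal(self, subject_id: str) -> Dict[str, bool]:
        """Purpose-level status to attach to every transfer to a partner."""
        purposes = {e.purpose for e in self._events if e.subject_id == subject_id}
        return {p: self.is_permitted(subject_id, p) for p in sorted(purposes)}

    def export_subject(self, subject_id: str) -> str:
        """Machine-readable copy of all records held about one subject (access / portability)."""
        rows = [asdict(e) for e in self._events if e.subject_id == subject_id]
        for row in rows:
            row["at"] = row["at"].isoformat()
        return json.dumps(rows, indent=2)

    def erase_subject(self, subject_id: str) -> int:
        """Remove a subject's records and return how many were removed.

        Design choice (assumption): one withdrawal tombstone per purpose is kept so
        that a later sync from a partner cannot silently revive the old opt-in.
        """
        removed = [e for e in self._events if e.subject_id == subject_id]
        self._events = [e for e in self._events if e.subject_id != subject_id]
        now = datetime.now(timezone.utc)
        for purpose in {e.purpose for e in removed}:
            self._events.append(ConsentEvent(subject_id, purpose, False, now, "erasure_request", "n/a"))
        return len(removed)


# Constructed sample timeline; the subject key and timestamps are invented for the demonstration.
SUBJECT = "pseud:3f9a1c"
T_ADS_OPT_IN = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
T_MEASUREMENT_OPT_IN = datetime(2023, 3, 1, 9, 5, tzinfo=timezone.utc)
T_ADS_WITHDRAWN = datetime(2023, 6, 15, 18, 30, tzinfo=timezone.utc)


def demo_timeline() -> dict:
    """Opt in to two purposes, withdraw one, export, then erase; returns the observations."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent(SUBJECT, "personalised_ads", True, T_ADS_OPT_IN, "app:1.4.2/consent_screen", "2023-02"))
    ledger.record(ConsentEvent(SUBJECT, "measurement", True, T_MEASUREMENT_OPT_IN, "app:1.4.2/consent_screen", "2023-02"))
    ledger.record(ConsentEvent(SUBJECT, "personalised_ads", False, T_ADS_WITHDRAWN, "app:1.5.0/privacy_settings", "2023-02"))

    between = datetime(2023, 4, 1, tzinfo=timezone.utc)   # after both opt-ins, before the withdrawal
    results = {
        "ads_permitted_before_withdrawal": ledger.is_permitted(SUBJECT, "personalised_ads", at=between),
        "ads_permitted_now": ledger.is_permitted(SUBJECT, "personalised_ads"),
        "measurement_permitted_now": ledger.is_permitted(SUBJECT, "measurement"),
        "unknown_subject_permitted": ledger.is_permitted("pseud:unknown", "measurement"),
        "signal_before_erasure": ledger.downstream_signal(SUBJECT),
        "rows_exported": len(json.loads(ledger.export_subject(SUBJECT))),
    }
    results["rows_erased"] = ledger.erase_subject(SUBJECT)
    results["signal_after_erasure"] = ledger.downstream_signal(SUBJECT)
    results["proof_after_erasure"] = ledger.proof_of_consent(SUBJECT, "measurement")
    return results


if __name__ == "__main__":
    for observation, value in demo_timeline().items():
        print(f"{observation}: {value}")
```

The point-in-time query is what makes the record usable as proof: a regulator or partner asking "was this bid request on 1 April covered?" gets an answer from the state of the ledger on that date, not from today's state. In production the same structure is keyed by the pseudonymous subject ID rather than the raw device identifier, the log is written to storage that cannot be edited in place, and the `downstream_signal` output is what gets serialized into the consent field of each bid request or data transfer.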
3. Understanding Your Role in the Data Processing Chain
Correctly identifying your role, and your partners’ roles, is essential. Under GDPR both controllers and processors are accountable for safeguarding personal data: a controller must notify the supervisory authority of a qualifying breach, and a processor must notify its controller without undue delay after becoming aware of one. Controllers have broader obligations (e.g., DPIAs, records of processing, handling opt-outs, and oversight of third parties).
To make things simpler, here’s the breakdown of the data processing chain:
Data Subject: The individual whose personal data is processed (e.g., app user).
Data Controller: Determines purposes and means of processing (e.g., app publisher, advertiser, SSP, DMP, DSP).
Data Processor: Processes data on behalf of a controller (may engage sub-processors but does not repurpose data).
All parties must understand data provenance and ensure upstream suppliers have lawful basis and verifiable consent records, with appropriate contractual safeguards.
1st Party Data
Definition
Data is collected by the data owner itself (e.g., through their own app or SDK).
Implication for the mobile marketing industry
Owners of 1st party data (e.g., app publishers) benefit from their direct relationship to the consumer and can obtain explicit consent.
3rd Party Data
Definition
Data is provided by 3rd party companies and aggregators.
Implication for the mobile marketing industry
Users of 3rd party data depend on the 3rd party having collected the data lawfully and documented proper consent; this must be verified before the data is used and secured contractually.
4. Are you GDPR Compliant?
GDPR introduced the largest overhaul of EU privacy law in decades. If gaps remain, obtain expert support and conduct a preventative assessment now.
The most important questions you need to ask yourself include:
Data Protection Officer (DPO)
Do your core activities involve large-scale, regular and systematic monitoring of individuals (e.g., behavioural tracking) or large-scale processing of special categories of data, which requires a DPO? Are the DPO’s responsibilities (advice, monitoring, training, audits) defined?
Breach Notification (72h)
Can you detect, assess, and notify the supervisory authority within 72 hours of becoming aware of a qualifying breach, and inform affected individuals without undue delay where the risk to them is high?
Privacy by Design/Default
Are privacy requirements built into product and process development by default?
Data Subject Rights
Can you fulfill access, deletion, and portability requests within statutory timelines (generally one month from receipt)?
Territorial Scope & Roles
Do you act as controller or processor? Do you process data of individuals in the EU, whether your organization is established inside or outside the EU?
Accountability
Can you evidence compliance (policies, RoPA, DPIAs, TOMs, training, vendor diligence) on request?
5. Checklist for Mobile Publishers
Determine your role (controller/processor)
Review & renegotiate contracts and DPAs
Update Privacy Policy & Terms
Establish lawful basis and purpose limitation
Implement consent management (collect, store, propagate, honor)
Prevent data leakage (tag governance, SDK/vendor controls)
Monitor vendors; maintain RoPA and TOMs
Detect & notify breaches within 72 hours
Determine Your Role
As discussed above, there are 2 different types of data-facing entities: the controllers that determine how and why personal data should be processed and the processors that undertake the actual processing on behalf of controllers. Mobile publishers are typically controllers.
Review & Renegotiate Contracts
Mobile publishers should update most of their 3rd party vendor agreements because GDPR brings new requirements and considerations that need to be codified, including:
Definitions (e.g., the new, broader definition of personal data)
Notifications (vendors must notify controllers without undue delay in case of a breach)
Collaboration (vendors must enable controllers to honor the rights of data subjects)
Security (vendors must guarantee that the processing is secure and compliant)
Record-keeping (processors must keep records of any data processing done on the controller’s behalf)
Update Privacy Policy & Terms of Service
Mobile publishers should make sure that these documents are up-to-date and cover all their legal requirements. Also, GDPR requires publishers to explain the privacy policy in plain language, and to make it easily accessible and visible before collecting personal data (including cookies or mobile advertising IDs).
Agree on the Legal Basis for Data Processing
Mobile publishers must have a proper legal basis such as consent or legitimate interest to collect, use and transfer personal data. Consent must be made in an understandable and easily accessible form. Publishers must be clear about what data they collect, what they plan to do with it and explicitly list all 3rd parties who will use the data.
Manage Consent
Mobile publishers must keep a record of consent and give the individual the ability to revoke consent at any time, and to access, correct, or completely erase all data that publishers have about them. Users must be able to withdraw consent just as easily as they’re able to give it.
Prevent Data Leakage
Consent is meaningless without enforcement of data protection: unless mobile publishers prevent data leakage, a visitor who gives consent cannot know where their data may end up. Publishers should know which SDKs, tags and partners are active in their app, which identifiers each one transmits and to whom, and remove or block any that fall outside the consented purposes.
Notify Breaches
If personal data is breached, mobile publishers must notify the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and inform the affected users without undue delay where the risk to them is high.
6. Checklist for Mobile Advertisers
Determine role and map data flows
Update contracts/DPAs; vet vendors and sub-processors
Choose lawful basis (consent vs. legitimate interests) per use case
Obtain, store, and propagate consent where required
Honor withdrawals; enable access/erasure/portability
Document LIAs (if relying on legitimate interests)
Update Privacy Policy and notices
Determine Your Role
A controller is someone who determines the means and purposes of processing personal data, such as what data to collect and what audiences to target. A processor, in turn, processes data on behalf of the controller. While some crossovers are possible, in most cases this means that advertisers are controllers.
Review & Update Contracts
Marketers should review and update inter-company agreements and data processor contracts. The updated versions of contracts should be amended to include new clauses related to GDPR and to ensure all relevant services are fully compliant.
Know Your Vendors
Vendors play a crucial role in determining whether marketers remain compliant or risk breaching the rules. With that in mind, marketers should clarify with each vendor:
What personal data do they process? How? Why? How do they minimize the use of it?
Are they a processor or a controller?
On what legal basis are they processing data?
How are they prepared to handle consent?
How are they managing the data subject rights?
How do they handle security and international transfers?
Obtain Consent
To get consent, advertisers will need to provide individuals with a clear picture of why they are collecting the data, how it will be used and who will use it. Easy to understand, plain language about the lawful basis for processing data should be used. The right to easily revoke consent should be offered.
Manage Consent
It’s important to ensure that systems can record consent and subsequent objections tied to specific purposes stated at the time of consent collection.
Understand Legitimate Interests
GDPR allows direct marketing as a legitimate interest if certain conditions are met and a balancing test (which weighs the marketer’s own interests against the rights and freedoms of the data subject) comes out in the marketer’s favour. If legitimate interest is chosen as the legal basis instead of consent, marketers should document that assessment (a Legitimate Interests Assessment, LIA) and record how they protect individuals’ rights and reasonable expectations; the data subject keeps the right to object to direct marketing at any time.
Update Privacy Policy
GDPR requires more detailed privacy notices, including how long personal data is retained, details of any sharing of personal data with 3rd parties, an explanation of any profiling activities undertaken, how individuals can exercise their rights, where to send complaints and if non-EU countries will process personal data.
7. Targetoo as a GDPR-Aligned Partner
GDPR does not prevent responsible marketing or data monetization; it strengthens user control and trust. Targetoo operates a neutral, transparent marketplace and has implemented privacy-first practices, including:
Privacy by Design embedded in development
Technical & Organizational Measures (TOMs) defined in DPAs
Pre-bid enrichment approach enabling direct data deletion on DSP/SSP sides (no raw data shared with partners)
Contractual requirements for partners to obtain and prove consent
External Data Protection Officer appointed since 2018
Website-level opt-out to enable data deletion and discontinued distribution
Participation in IAB Europe consent initiatives
Targetoo takes the role of a Data Controller for audience segmentation derived from location behavior and for the Targetoo Data Alliance, and complies with GDPR controller obligations.
8. Conclusion
GDPR returns control over personal data to individuals and simplifies cross-border compliance. Beyond meeting legal obligations, ethical data practices build trust and improve data quality. Turning compliance into capability helps both supply- and demand-side businesses stay ahead.
Disclaimer: The information on this page is general in nature and not legal advice. For specific interpretations or requirements, consult qualified legal counsel.