In particular, data subject rights (Article 15-22 of GDPR) are principally challenging to these companies since they do not use or store directly identifiable personal data.  How do ad tech companies respond to a data subject access requests if they do not have the data subject’s name and address on their system to pull the data from their system? Instead, they store the individual’s cookie and mobile ID. How do they subsequently verify that the cookie ID belongs to an individual without the individual’s name and email address, for example? Most companies would need to take an additional step to get their data subject’s name and address to truly identify the individual.

IAB Europe’s GDPR Implementation Group commenced a working group with the collective minds of data protection officers and technologists from various companies helping to think through these issues. The discussions helped craft this guidance document with options as to how to verify a data subject’s request and respond to data rights requests.

Some issues we covered:

• The first step in this process is determining if you are a controller or processor. Data processors should not reply directly to access requests, unless directed by the controller in a contract or otherwise.
• The inability to verify that data belongs to the requestor begs the initial question: should digital marketing companies that only collect pseudonymous data respond to data subject right requests?
• Once a determination has been made to reply, it is strongly recommended that companies create an internal policy for responding to data subject rights, and also for all interactions with data subject access requests, particularly the reasons for denying any such a request.
• At least one person should be responsible for responding to the data subject requests whether the requests are made via the website, postal mail or email.

The five steps for digital marketing companies to take now:

1. Determine whether you are a controller or processor;
2. Ensure you have appropriate procedures and policies in place to respond to the data subject rights, including when do you have to respond to data subject rights (are you relying on consent versus legitimate interest to collect and/or process the data) and how will you respond;
3. Having a verification process in place to ensure the data subject has a right to the personal data that the data subject rights request is tied to.
4. Make sure your employees in marketing, legal and privacy are properly trained to respond to data subject requests; and
5. Update your data protection notices to reflect your process and response to data subject rights requests.

It is crucial to emphasise that every technology platform in the digital marketing sector is unique, providing various services to its clients. Consequently, each company will implement processes and procedures that are particular to that company, resulting in different responses to data subject rights obligations.

The working paper on Data Subject Requests can be read or downloaded below:

This is the fifth in a series of working papers published by IAB Europe’s GDPR Implementation Group. IAB Europe’s GDPR Implementation Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member-driven forum for discussion and thought leadership, its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members.

The working paper can be read or downloaded HERE.

The purpose of this paper is to explain the definition of consent under the GDPR, and the practical implications of using consent as a legal basis for processing personal data in the online advertising ecosystem. The findings of this working paper have contributed to the  Digital Advertising Consent Mechanism. The working paper considers various aspects of consent, such as the required granularity, how users should be informed, and whether it can be used as a condition for access to websites and/or services.

This is the third in a series of working papers published by IAB Europe's GDPR Implementation Working Group. IAB Europe’s GDPR Implementation Working Group brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. The GDPR Implementation Working Group is a member-driven forum for discussion and thought leadership, its important contribution to the digital advertising industry’s GDPR compliance efforts is only possible thanks to the work and leadership of its many participating members.

The working paper can be read here or downloaded HERE.

The first webinar of our GDPR webinar series was presented by Michele Appello, Senior Director Business Solutions at Improve Digital, together with one member of her legal team, and focused on the IAB Europe's GDPR Compliance Primer.

Missed the webinar? Watch the video here.

Due to the nature of EU law, this Guidance should only be used as a first step to figuring out compliance. Each national legislature might implement laws differently, and local regulators may interpret the rules more or less stringently than others. Therefore IAB Europe always recommends consulting local IABs and self-regulatory organisations where appropriate.

Download the document below.

We believe that publishers should be allowed to ask for compensation for their work and choose the form of their business model, e.g. advertising funded, subscription based, or both. We also believe that publishers are entitled to take reasonable measures to ensure that their audiences understand the implicit deal that takes place when they view advertising funded content online. The deal being that users do not have to pay for access to content in exchange for seeing advertising. We are convinced that EU privacy rules should not be interpreted as meaning that publishers are required to ask for permission from users before ascertaining whether the latter are indeed holding up their end of the bargain in this value exchange.

Nevertheless, to attenuate the risk that a publisher could be liable for breaching even an exceedingly strict interpretation of the directive, our guidance describes how user consent for ad blocking detection can be obtained. The guidance is intended to support publishers as long as the legal situation remains unclear.

Executive Summary

• Ad blocker detection is not illegal, but might, under a strict interpretation of the ePrivacy Directive be regulated and require the informed consent of users.
• Depending on the technical implementation of ad blocker detection, such detection may be out of scope of the consent requirement of the ePrivacy Directive, or fall within an exemption to the consent requirement. But the legal situation is not very clear.
• Publishers who use ad blocker detection should update their privacy policy to include use of ad blocker detection scripts.
• Publishers who want to err on the side of caution and obtain consent for the use of ad blocker detection scripts to preempt and avoid any legal challenges could obtain consent by slightly modifying their existing compliance mechanisms for the use of cookies as the possible new consent requirement emanates from the same law.
• Publishers could use two practical solutions to request and obtain consent for the use of ad blocker detection: a consent banner or a consent wall. Publishers could also make use of a combination of the two to complement each other.