GDPR Compliance For Advertisements

The enforcement date of the European Union’s GDPR, or General Data Protection Regulation, is coming up in just a few short weeks on May 25, 2018.

Many of you may be wondering why the digital advertising industry has been scrambling in recent months, and you’re only hearing about this now.

The advertising industry initially believed it would be exempt from the “opt in” requirement of these new regulations due to the legitimate interest clause in GDPR. Ultimately, however, Google and other industry giants determined that in order to take user privacy and the GDPR seriously, we must go further.

Long story short: Making sure your digital ads are GDPR compliant will take some work.

Before we dive into details, an important caveat: I am not a lawyer. Nothing in this blog post or video should be considered legal advice. If you need legal advice, please consult with an attorney in your jurisdiction that specializes in this kind of law.

That said, regardless of whether you’re working with Mediavine, if you’re serving ads to any readers in the EU, you probably need to think about becoming GDPR compliant — or running the risk of GDPR fines of 4 percent of global revenue or $20,000,000 Euros, whichever is greater.

What does becoming GDPR compliant with advertising mean?

One of the big things about GDPR is disclosing to the user what data you’re collecting, while providing the users with the ability to opt out of this collection.

You may be thinking, “Okay, but I’m not collecting that data. Whoever is serving those ads is!”

Yes, but unfortunately, GDPR places certain responsibilities on both the controller and the processor alike. Translation? If you’re enabling a third party to process data, you must be in compliance too.

As a publisher running ads, you’re ultimately allowing third parties to collect and process data. As a result, you need to disclose this to users and give them a way to opt out.

Okay, so how do you do that?

Like most of the digital advertising world, Mediavine is getting behind the Interactive Advertising Bureau (IAB) Europe’s Consent Framework.

How this works: When a user visits a Mediavine website that has allowed us to give consent on their behalf, they will be greeted with pop-up.

That pop-up will state the types of data our third parties are collecting, such as measurement and personalization of ads, and which third parties are collecting it.

As per the IAB Europe Consent Framework, individual vendors, or third parties, will be allowed to register, declaring that they are collecting data. Users will be able to opt-in and out of individual vendors and data collection.

If a user opts out of personalized data collection, for example, that user must receive non-personalized ads — a.k.a. ads not selected for that user based on the anonymous data programmatic advertising typically collects to serve the most effective units.

Based on the vendors they opt in to or don’t, ad partners will return very different ads. If a user opts out, they’ll be shown contextual ads, or ads based on the page, not the user.

So what’s the big deal?

Most programmatic advertising is based on the user and not the content. You can expect a significant decline in CPM, or RPM, from users that don’t opt in to personalized data.

Can I just ignore GDPR?

We’ve heard of publishers simply turning off EU traffic to ensure they won’t run afoul of GDPR, or on the other end of the spectrum, just burying their heads in the sand and doing nothing.

Mediavine is not interested in either extreme. We take user privacy very seriously but want content creators to build sustainable businesses as well.

Especially in the event that this experiment ever extends beyond the EU — right now a very small percentage of most publishers’ traffic — we want to make sure, as always, that Mediavine and its publishers are prepared for an ever-changing landscape.