The General Data Protection Regulation (GDPR) is the European Union (EU) data protection law that took effect on May 25, 2018, replacing the previous Data Protection Directive. The GDPR is a comprehensive overhaul of the previous law.
The FAQ below is intended to help you address questions that you may have on this topic.
How does the GDPR change EU privacy law?
GDPR aims to streamline and modernize existing EU privacy law to reflect technology advances while giving individuals more control over their personal data. One significant update (particularly for the ad-tech industry) is a heightened standard for consent, which places more responsibility on organizations to demonstrate compliance, such as by maintaining auditable data processing records. Any organization engaging third-party service providers (such as PubMatic) to collect and process data on its behalf also needs appropriate contracts in place to comply with the stricter contracting requirements introduced by the GDPR.
Are non-EU companies subject to the GDPR?
Yes. Any company that processes personal data of individuals located in the European Economic Area ("EEA", which includes the EU countries plus Iceland, Liechtenstein and Norway), including by delivering them online ads or tracking their online activities, is within the scope of the GDPR, regardless of whether the company has a physical presence in the EEA or does direct business with any EEA companies.
Who is PubMatic?
PubMatic provides a publisher-focused sell-side digital advertising management platform ("Platform") that connects media sellers (publishers) with media buyers (advertisers) looking to buy publisher inventory. Publishers use the Platform to automate the buying and selling of advertising inventory across different sales channels. PubMatic also provides various programmatic tools for media buyers.
Does GDPR affect PubMatic even though our platform doesn't process data points like names, phone numbers, and email addresses?
The GDPR applies to the collection, use and disclosure of "personal data" from the EEA. Personal data, as defined in the GDPR, includes all data relating to an identified or identifiable individual, which includes personally identifiable information like names, phone numbers, etc. (which PubMatic does not currently process through the Platform), in addition to device-related identifiers like unique device IDs and IP addresses (which the GDPR describes as "pseudonymous" forms of personal data, and which PubMatic does collect from end-users who interact with publisher websites and other digital media properties that use PubMatic's technology).
What is PubMatic's role when it processes personal data?
PubMatic is typically a controller (not a processor) of the personal data it collects and processes in connection with its services. Therefore, PubMatic will be directly responsible for complying with the new obligations under the GDPR.
We believe that we are a controller of end user personal data for a number of reasons, and below are some of the main use cases:
- To determine the recipients of such data (and we may add new recipients at our discretion). We are also the party that has the responsibility to evaluate the organizational and technical security measures of such recipients.
- To pre-filter impressions for RTB auctions with third-party buyers for better monetization and fraud prevention.
- To deliver targeted ads via our Platform based on the user's behavior.
- To set cookies (and other similar tracking technologies) directly on end-user devices when PubMatic receives a request from a publisher's browser or application.
- To analyze and track data for ad delivery and reporting across websites, services, and apps over time, including optimization of location of ad placement, ad performance, reach and frequency metrics, logging the number and type of ads served per day on a device as well as to bill our customers.
The positioning of PubMatic as a controller is consistent with the view of the Article 29 Working Party in its 2010 Opinion on Behavioral Advertising, which can be found at:
Do we need consent to collect data needed to personalize ads?
No. GDPR itself does not require consent for the collection of data for advertising (see our comments below for more). However, another EU law - the e-Privacy Directive - requires user consent to access any information stored on an end user's device using tracking technologies (such as cookies, pixels, web beacons and browser caches).
This impacts PubMatic because, as a digital advertising platform, PubMatic needs to set cookies and similar tracking technologies on end-users' devices to gather information in order to deliver such end-users more relevant ads from PubMatic's network of advertisers. However, because advertising platforms (like PubMatic) have no direct relationship with the end-users of the digital properties displaying such ads, PubMatic is actively working with its network of publishers to ensure that PubMatic can collect and use data via its Platform.
Publishers should likewise revisit their cookie consent mechanisms to ensure they will meet the GDPR standard of consent. Note that although the e-Privacy Directive is currently under revision, the requirement for consent to use tracking technologies is likely to remain.
What consent management options are available to publishers with PubMatic?
Under the GDPR, publishers need consent from their users to collect their personal data and use it for targeting. This will directly impact any advertising on the page.
Integrate with Third-Party Consent Management Providers (CMPs)
Publishers may opt to partner with CMPs who display consent forms where users can see all the third-party vendors with whom the publisher is working. To minimize potential revenue loss, we recommend publishers select an IAB EU spec-compliant solution that does not limit vendor choices.
Please Note: If the publisher does not choose a consent mechanism, PubMatic falls back to non-targeted advertising as the default behavior. This is the less preferred option for publishers, since fill and monetization rates will presumably be lower.
What if I do not have a user's consent? Can I do any advertising to my European users without violating GDPR? Are there any risks I need to be aware of?
A publisher can still advertise to European users through contextual advertising. Contextual advertising is a type of targeted advertising where the ad content relates to the web page content. For example, when browsing hotels in Barcelona, an ad with discounted flights to Barcelona would appear.
Under contextual advertising, no personal information by EU standards is processed by us or our partners while serving contextual ads, as PubMatic masks this data and removes any cookies. (Please be aware: contextual advertising will still likely result in lower monetization rates, as it does not target user data, but these are still higher than with no contextual advertising at all.)
What does GDPR say about profiling?
The GDPR definition of "profiling" includes the collection of data over time to deliver targeted ads to end-users located in the EEA based on their history and behavior. GDPR requires opt-in consent only for profiling that produces a "legal effect" (or similarly, "significantly affects" an individual), such as, for example, an automated credit reference denying an individual a loan. Whether or not someone is served a more relevant ad should not trigger this obligation. As recent regulatory guidance suggests, the available lawful grounds that apply to such profiling can extend to legitimate interests - an alternative to consent.
PubMatic is also keeping abreast of regulatory and industry developments in this area, including the progress of the new (but still draft) e-Privacy Regulation (which, once finalized, will replace the existing e-Privacy Directive).
Does PubMatic transfer data internationally?
Yes. PubMatic is a global company headquartered in the United States and may gather information about end-users in the EEA when they interact with publishers' websites and digital media properties that use PubMatic technology. Therefore, PubMatic will process personal data that originates from the EEA in its data centers in the EEA (Netherlands) and the United States.
The GDPR replicates the existing Data Protection Directive restrictions on transferring data outside the EEA. Transfers are permitted only if certain safeguards are in place, such as by self-certifying to the EU-US Privacy Shield. PubMatic has therefore self-certified to the Swiss-US and EU-US Privacy Shield to protect all EEA end-user data when it transfers such data to PubMatic in the U.S.
What is PubMatic doing to comply with the GDPR?
With support from EU external advisors, PubMatic has embarked on a compliance project to become GDPR-ready by the May 25, 2018 deadline. Some of the measures PubMatic is taking include:
- Coordination with Ad Tech Partners - Talking to publishers, advertisers and other ad tech companies to understand how they interpret the GDPR, the steps that they are taking in their compliance efforts and how we can coordinate our compliance efforts.
- Involvement with Industry Organizations - Active involvement with the IAB Europe, IAB UK, IAB Tech Lab and Network Advertising Initiative (NAI) to help address GDPR and other EU privacy items and initiatives.
- User Consent - Working with publishers to ensure GDPR-level consent is being obtained and recorded. PubMatic will integrate with publishers' preferred third-party consent management providers and plans to develop a mechanism to help support publishers, where required, with their in-house consent tools. We are also in the process of adopting the oRTB 2.x protocol changes in order to pass user opt-in flags in real time to DSPs and other demand partners.
- Data Mapping - Undertaking a data mapping exercise for the purpose of creating the necessary data processing records.
- Masking of Geolocation Data - Removing the last octet from the IP address of all EEA end users to de-identify it, and masking latitude/longitude data for EEA end users to the first two decimals so that it is de facto imprecise. PubMatic utilizes Digital Envoy to obtain additional imprecise location information generated from complete IP address data, and that generated location information will continue to be passed in bid requests for EEA end users as it has in the past.
- Data Minimization - Establishing mechanisms to collect only the data that is needed, and pseudonymising such data wherever possible (including masking geolocation data as discussed above).
- Data Retention - Implementing a data retention schedule across all our systems so that we routinely delete or anonymize data we do not need.
- Individual Rights - Formalizing processes around data subject rights to ensure that PubMatic is able to respond comprehensively and within the timeframes required by the GDPR.
- Transparency - Reviewing and updating PubMatic's privacy notices and policies for GDPR compliance.
- Publisher and Advertiser Agreements - Updating arrangements with publishers and advertisers to address GDPR compliance.
- Vendor Agreements - Updating agreements with third-party sub-processors to ensure that they comply with the GDPR, and vetting new sub-processors.
- Security - Ensuring the continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by PubMatic.
PubMatic is committed to implementing its GDPR readiness program and understands the importance of a successful transition to GDPR for its customers.
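The "Masking of Geolocation Data" item above (and the IP-octet truncation mentioned again under data sharing below) describes a concrete pseudonymisation step. The following is an added example, not PubMatic's own code, showing how such masking can be applied to the device fields of an OpenRTB 2.x bid request; it assumes the caller has already decided whether the user is in the EEA (the `in_eea` flag), uses the real OpenRTB field names `device.ip`, `device.geo.lat` and `device.geo.lon`, and treats "first two decimals" as truncation toward zero rather than rounding.

```python
"""Added example (not PubMatic code): pseudonymise geolocation fields in an
OpenRTB 2.x bid request for EEA users as the FAQ describes: drop the last
IPv4 octet and cut latitude/longitude to two decimal places."""
import copy
import ipaddress
from decimal import Decimal, ROUND_DOWN


def mask_ipv4_last_octet(ip: str) -> str:
    """Zero the last octet of an IPv4 address ("203.0.113.57" -> "203.0.113.0").
    Raises ValueError for anything that is not a valid IPv4 address, so a
    malformed or IPv6 value never slips through unmasked."""
    addr = ipaddress.IPv4Address(ip)  # validates the input
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def truncate_coordinate(value: float) -> float:
    """Keep only the first two decimals, truncating toward zero (assumption:
    truncation, not rounding), e.g. 41.38879 -> 41.38, -8.62543 -> -8.62."""
    return float(Decimal(str(value)).quantize(Decimal("0.01"), rounding=ROUND_DOWN))


def mask_eea_bid_request(req: dict, in_eea: bool) -> dict:
    """Return a masked copy of `req` when the user is in the EEA; `in_eea` is
    assumed to be decided upstream. The original request is left untouched."""
    if not in_eea:
        return req
    out = copy.deepcopy(req)
    device = out.get("device", {})
    if "ip" in device:
        device["ip"] = mask_ipv4_last_octet(device["ip"])
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = truncate_coordinate(geo[key])
    return out


# Constructed sample bid-request fragment (not real traffic).
SAMPLE_REQUEST = {
    "id": "req-1",
    "device": {
        "ip": "203.0.113.57",
        "geo": {"lat": 41.38879, "lon": 2.16992, "country": "ESP"},
    },
}

if __name__ == "__main__":
    print(mask_eea_bid_request(SAMPLE_REQUEST, in_eea=True)["device"])
```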
Who has access to the personal data being processed and stored?
Only select PubMatic personnel have access to personal data that is stored within PubMatic's systems. PubMatic hosts all data within its own data centers, so no third party will have access to data that is processed and stored.
Does PubMatic share any of the personal data collected from a publisher's sites to third-party partners or systems?
Yes, we share pseudonymous forms of personal data contained in advertising inventory bid requests with third-party demand partners, typically demand-side platforms or exchanges, to run auctions and receive bids for a publisher's inventory. Such data sharing is limited pursuant to applicable agreements between PubMatic and demand partners, and within the EU, personal data is obscured as much as possible so that it will not be considered personal information (e.g., the last octet of an IP address is truncated).
Where can I get more information?
If you have any questions or require assistance, please email GDPR@PubMatic.com.