On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (“GDPR”) will take effect in the European Union (“EU”). The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on companies that market to, track or handle EU personal data, no matter where a company is located.
GDPR builds upon foundational EU privacy compliance laws with which PubMatic has been involved for years. PubMatic is fully engaged with the GDPR roll-out and is dedicated to ensuring our customers are prepared for the May 25, 2018 start date.
The information and resources below are available to assist your GDPR on-boarding efforts with PubMatic.
PubMatic's Role In Processing Data
PubMatic is typically a controller (not a processor) of the personal data it collects and processes in connection with its services. Therefore, PubMatic will be directly responsible for complying with the new obligations under the GDPR.
We believe that we are a controller of end user personal data for a number of reasons, and below are some of the main use cases:
- To determine the recipients of such data (and we may add new recipients at our discretion). We are also the party that has the responsibility to evaluate the organizational and technical security measures of such recipients.
- To pre-filter impressions for RTB auctions with third-party buyers for better monetisation and fraud prevention.
- To deliver targeted ads via our Platform based on the user's behavior.
- To set cookies (and other similar tracking technologies) directly on end user devices when PubMatic receives a request from a publisher's browser or application.
- To analyse and track data for ad delivery and reporting across websites, online services, and apps over time, including optimisation of location of ad placement, ad performance, reach and frequency metrics, logging the number and type of ads served per day on a device as well as to bill our customers.
The positioning of PubMatic as a controller is consistent with the view of the Article 29 Working Party in its 2010 Opinion on Behavioural Advertising: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf.
PubMatic Compliance Efforts
With support from EU external advisors, PubMatic has embarked on a compliance project to become GDPR-ready by the May 25, 2018 deadline. Some of the measures PubMatic is taking include:
- Coordination with Ad Tech Partners - Talking to publishers, advertisers and other ad tech companies to understand how they interpret the GDPR, the steps that they are taking in their compliance efforts and how we can coordinate our compliance efforts.
- Involvement with Industry Organisations – Active involvement with the IAB Europe, IAB UK, IAB Tech Lab and Network Advertising Initiative (NAI) to help address GDPR and other EU privacy items and initiatives.
- User Consent - PubMatic is part of the IAB Global Vendor List and supports the IAB consent framework to ingest consent from publishers, their CMPs and related users into our ecosystem. We also support passing consent downstream to DSPs and 3rd parties using the IAB OpenRTB GDPR-related extension attributes.
- Data Mapping - Undertaking a data mapping exercise for the purpose of creating the necessary data processing records.
- Masking of Geolocation Data - Removing the last octet from the IP address of all EEA end users to de-identify such information, and masking latitude/longitude data for EEA end users to the first two decimals to make it de facto imprecise. PubMatic utilizes Digital Envoy to obtain additional imprecise location information generated from complete IP address data, and that generated location information will continue to be passed in bid requests for EEA end users as it has in the past.
- Data Minimisation - Establishing mechanisms to collect only the data that is needed, and pseudonymising such data wherever possible (including masking geolocation data as discussed above).
- Data Retention - Implementing a data retention schedule across all our systems so that we routinely delete or anonymise data we do not need.
- Individual Rights - Formalizing processes around data subject rights to ensure that PubMatic is able to respond comprehensively and within the timeframes required by the GDPR.
- Transparency - Reviewing and updating its privacy notices and policies for GDPR compliance.
- Publisher and Advertiser Agreements - Updating arrangements with publishers and advertisers to address GDPR compliance.
- Vendor Agreements - Updating agreements with third party sub-processors to ensure that they comply with the GDPR and vetting new sub-processors.
- Security - Ensuring the continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by PubMatic.
PubMatic is committed to implementing its GDPR readiness program and understands the importance of a successful transition to GDPR for its customers.
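The geolocation masking described in the list above can be sketched as follows. This is an added example, not PubMatic's code: the function names are hypothetical, the request uses OpenRTB-style `device.ip` and `device.geo` fields, the removed octet is represented as 0, and dropping `ipv6` is an assumption because the page states no IPv6 rule.

```python
import copy
import ipaddress
from decimal import Decimal, ROUND_DOWN

# Constructed sample input (203.0.113.0/24 is a documentation range).
SAMPLE_REQUEST = {
    "id": "constructed-example-1",
    "device": {
        "ip": "203.0.113.77",
        "ipv6": "2001:db8::1",
        "geo": {"lat": 48.856613, "lon": -0.127758, "country": "FRA"},
    },
}

TWO_DECIMALS = Decimal("0.01")

def mask_ipv4(ip):
    """Zero the last octet of an IPv4 address; None if it is not valid IPv4."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))

def truncate_coord(value):
    """Truncate toward zero (no rounding) to two decimals."""
    # str() first, so 1.15 is treated as 1.15 and not 1.1499999...
    dec = Decimal(str(value))
    return float(dec.quantize(TWO_DECIMALS, rounding=ROUND_DOWN))

def mask_eea_device(bid_request):
    """Return a copy with device IP and lat/lon coarsened; input is untouched."""
    req = copy.deepcopy(bid_request)
    device = req.get("device", {})
    if "ip" in device:
        masked = mask_ipv4(device["ip"])
        if masked is None:
            del device["ip"]  # fail closed: never forward an unparsed address
        else:
            device["ip"] = masked
    # Assumption: the page gives no IPv6 rule, so the field is dropped.
    device.pop("ipv6", None)
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = truncate_coord(geo[key])
    return req

if __name__ == "__main__":
    print(mask_eea_device(SAMPLE_REQUEST))
```

Truncating rather than rounding keeps the reported point from ever being closer to the true location than the two retained decimals allow, and a malformed address is removed instead of being forwarded unmasked.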
Consent Management Under PubMatic
Consent Management Options
Under the GDPR, publishers need consent from their users to collect and target their personal data. This will directly impact any advertising on the page. There are two options for publishers working with PubMatic:
OPTION 1: Integrate w/ 3rd Party Consent Management Providers (CMPs)
Publishers may opt to partner with CMPs who display consent forms where users can see all the third-party vendors with whom the publisher is working. To minimize potential revenue loss, we recommend publishers select an IAB EU spec-compliant solution that does not limit vendor choices.
OPTION 2: Implement PubMatic JS Helper Script In Page Code
PubMatic Consent Signal Approach
IAB Consent Signal Present: When PubMatic receives a bid request that includes an IAB spec compliant consent signal, we will enforce the user’s choice.
- If PubMatic has user consent, we will attempt to serve a targeted ad.
- If PubMatic does not have user consent, we will seek to serve a contextual ad and remove any personally identifiable information from the bid request before passing it on to our partners.
IAB Consent Signal Not Present: In cases when PubMatic receives a bid request and an IAB spec compliant consent signal is not present, PubMatic will attempt to serve a targeted ad based on our understanding that user consent has been obtained, unless instructed otherwise by the user or publisher.
Publishers who do not pass an IAB consent signal and want PubMatic to serve only contextual ads must notify PubMatic at GDPR@PubMatic.com.
How It Works
Step 1: User provides consent.
Step 2: PubMatic client reads user choice.
Step 3: PubMatic processes consent.
Step 4: Partners process consent.
The detailed ecosystem flow provides additional detail on whether consent is or is not received:
External FAQs for Buyers and Publishers linked below are intended to help you address questions that you may have on GDPR compliance:
- IAB’s oRTB GDPR Extensions Document: An advisory document that focuses on how active versions of OpenRTB will signal GDPR applicability and relay the consent string.
- CMP Framework Document: Technical specifications for IAB Europe Transparency and Consent Framework intended to help compliance with GDPR.
In preparation for GDPR, PubMatic is implementing certain required product updates to ensure compliance.
PubMatic supports the IAB Europe-designed OpenRTB framework that allows our exchange to pass user consent downstream to DSPs/buyers.
For OpenRTB v2.x and v3.0, more technical details can be found in the OpenRTB Advisory.
In addition, PubMatic is offering to:
- Support contextual, non-targeted ads for DSPs
- Pre-filter traffic based on consent signal at campaign level for DSPs
You can find comprehensive PubMatic product documentation for GDPR compliance here with summaries provided below:
- OpenWrap: Publishers who install Prebid 1.9 are prepared for GDPR, as Prebid 1.9 includes built-in Consent Management support.
- RTB Platform: GDPR compliance is applied to all requests coming from EU-region publishers by default. Publishers must pass consent from the user to PubMatic.
- Publisher Tags (Display, Video, etc.): All PubMatic client-side tags integrate with any IAB-compliant CMP and support the GDPR flag and Consent String parameters.
For additional information about GDPR compliance, please contact your account manager and GDPR@PubMatic.com at any time.