The IAB Europe Transparency & Consent Framework (TCF) gives the publishing and advertising industries a common structure to communicate consumer consent, for consent for the delivery of online advertising and content in compliance with the EU’s GDPR and ePrivacy Directive. On August 21, 2019, IAB Europe launched the second iteration of TCF.
Important milestone dates:
What do you need to do?Define your legal basis for each of the purposes and make sure that you are listed into the IAB TCF v2 vendor list with a proper ID
To learn more:
If you have questions or need more assistant, contact your Customer Success representative.
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (“GDPR”) took effect in the European Union (“EU”). The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on companies that market to, track or handle EU personal data, no matter where a company is located.
- We believe that we are a controller of end-user personal data for a number of reasons, and below are some of the main use cases:
- To determine the recipients of such data (and we may add new recipients at our discretion). We are also the party that has the responsibility to evaluate the organizational and technical security measures of such recipients.
- To pre-filter impressions for RTB auctions with third-party buyers for better monetisation and monetization and fraud prevention.
- To deliver targeted ads via our Platform based on the user's behavior.
- To set cookies (and other similar tracking technologies) directly on end-user devices when PubMatic receives a request from a publisher's browser or application.
- To analyze and track data for ad delivery and reporting across websites, services, and apps over time, including optimisation optimization of location of ad placement, ad performance, reach and frequency metrics, logging the number and type of ads served per day on a device as well as to bill our customers.
The positioning of PubMatic as a controller is consistent with the view of the Article 29 Working Party in its 2010 Opinion on Behavioural Behavioral Advertising: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf .
- Coordination with Ad Tech Partners - Talking to publishers, advertisers and other ad tech companies to understand how they interpret the GDPR, the steps that they are taking in their compliance efforts and how we can coordinate our compliance efforts.
- Involvement with Industry Organisations Organizations – Active involvement with the IAB Europe, IAB UK, IAB Tech Lab and Network Advertising Initiative (NAI) to help address GDPR and other EU privacy items and initiatives.
- User Consent - PubMatic is part of the IAB Global Vendor List and supports the IAB consent framework to ingest consent from publisher, their CMP, and related users into our ecosystem. We also support passing consent downstream to DSPs and 3rd parties using the IAB OpenRTB GDPR related extension attributes.
- Data Mapping - Undertaking a data mapping exercise for the purpose of creating the necessary data processing records.
- Masking of Geolocation Data - Removing the last octet from the IP address of all EEA end users to de-identify such information and mask latitude/longitude data for EEA end users to the first two decimals to make it de facto imprecise. PubMatic utilizes Digital Envoy to obtain additional imprecise location information generated from complete IP address data and that generated location information will continue to be passed in bid requests for EEA end-users as it has in the past.
- Data Minimisation Minimization - Establishing mechanisms to collect only the data that is needed, and pseudonymising pseudonymizing such data wherever possible (including masking geolocation data as discussed above).
- Data Retention - Implementing a data retention schedule across all our systems so that we routinely delete or anonymise anonymize data we do not need.
- Individual Rights - Formalizing processes around data subject rights to ensure that PubMatic is able to respond comprehensively and within the timeframes required by the GDPR.
- Transparency - Reviewing and updating its privacy notices and policies for GDPR compliance.
- Publisher and Advertiser Agreements - Updating arrangements with publishers and advertisers to address GDPR compliance.
- Vendor Agreements - Updating agreements with third party sub-processors to ensure that they comply with the GDPR and vetting new sub-processors.
- Security - Ensuring the continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by PubMatic.
- OpenWrap: Publishers who install Prebid 1.9 are prepared for GDPR, as Prebid 1.9 includes built-in Consent Management support.
- RTB Platform: GDPR compliance is applied to all requests coming from EU-region publishers by default. Publishers must pass consent from the user to PubMatic.
- Publisher Tags (Display, Video, etc.): All PubMatic client-side tags integrate with any IAB-compliant CMP and support the GDPR flag and Consent String parameters.
For additional information about GDPR compliance, please contact your account manager and and GDPR@PubMatic.com at any time.