GDPR Explained: What We Learned After a Year of Data Protection

GDPR Explained: What We Learned After a Year of Data Protection
One of the hottest topics in the industry these days is how to handle and manage users’ private information in the Adtech ecosystem, especially in the context of the EU. At Primis, we have taken diligent strides to make sure that we are completely compliant with all of the GDPR’s stipulations. But, how has the set of international regulations affected the market as a whole?

The Evolution of GDPR Compliance

The General Data Protection Regulation (GDPR) is a regulation for European law on data protection and privacy for all EU citizens. As it is a very progressive litigation, compliance is a work in progress, evolving as our ecosystem matures. This means that there are many more developments to come.

So, what do we know up to this point, just over a year after the GDPR came into force? Data is power, and even more so when it comes to the data of high paying users around the web. Every brand is searching for the right user, the one that will pay the most attention to the ad and show interest.

However, how do we get this chance to present the right ad to the right user? How can we reach exactly those desirable users? Through data and consent.

To simplify the idea behind GDPR, in today's data-driven world, a user must give explicit consent to use his personal data and, if he doesn’t, vendors cannot obtain his data. As a result, without given consent advertisers cannot reach the right users, so many are reducing their ad spend in those scenarios.

Transparency and Consent Framework (TCF)

The aim of the GDPR is to protect the privacy of all EU citizens and prevent data breaches. One of the key products of the data privacy regulation is the Transparency and Consent Framework (TCF).

The Transparency and Consent Framework is a publishing standard by IAB Europe meant to reconcile the Adtech ecosystem with GDPR regulations. TCF is the largest collaborative effort with organisations and professionals in the digital advertising and publishing industries to provide solutions to key GDPR and ePrivacy Directive compliance challenges. 

From a user's point of view, the experience is very similar to the current standard for web browsing in Europe, where there are already general cookie notifications and opt-in requests. But, instead of just giving a cookie-tracking alert, the new process includes which vendors a publisher works with, what data is collected and how it’s used. All of this information is disclosed through the CMP.

Understanding the CMP

Consent Management Platforms (or CMPs) are tools that let publishers control consent and pass this consent to Adtech vendors.

Under GDPR, third party vendors need to have an explicit user opt-in to apply any data for advertising. Consent of the user must be clear and provided in an understandable and easily accessible form, with the purpose of data processing attached to that consent.

Download the complete guide to video monetization

Regarding our practices at Primis, once we are working with a publisher, we recommend that they implement a CMP that is GDPR compliant. Not all the CMP's are authorized and it's better to pick any CMP vendor from the IAB list.

After a CMP is implemented, and a user has given or not given his consent to use his personal data, Primis has fully support to identify the consent, and to pass it to our advertising partners through the supply chain.  

This process is mandatory to ensure that all of our publishers are GDPR compliant and working under all the necessary guidelines. Meanwhile, they are protecting their visitors from others being able to use their personal data without consent, while simultaneously keeping their business safe from potential lawsuits in the future. And, most importantly, advertisers won't reduce their ad spending due to a lack of data privacy protection. 

Looking to the Future of GDPR

After a year of GDPR, TCF and CMP, the user privacy momentum is not showing any signs of slowing down. In California, there is an impending GDPR look-alike called The California Consumer Privacy Act (CCPA), and everyone is wondering if the rest of the US will follow suit. In the non-goverment sector, Apple and Google are limiting cookie tracking of online user behaviour in order to protect user data. In an ever changing digital landscape, all digital players must keep changing and adapting themselves to the new realities.