GDPR and digital advertising: Strategies and best practices for implementing GDPR compliance

Transcription

1 IP, Tech & Data GDPR and digital advertising: Strategies and best practices for implementing GDPR compliance Presented by: Gerard M. Stegmaier, Partner, Washington, D.C. October 17, 2018

2 What is GDPR, and how does it apply to digital advertising? GDPR requires digital advertisers to take measures for collecting, processing, and using personal data for marketing purposes. Key concepts: Data Subject: An identified or identifiable natural person Data Controller: Person or entity that makes decisions about processing personal data Data Processor: Person or entity that processes personal data on behalf of the Data Controller Personal Data: Any information that relates to a Data Subject, including online identifiers and IP addresses 2

3 The long arm of GDPR: extra-territorial application GDPR applies to Data Controllers and Data Processors regardless of whether the processing takes place in the European Union or not. The extra-territorial application of GDPR is triggered when: Goods or services are offered to EU citizens; or The behavior of EU citizens is monitored or tracked through the use of technology. Organizations that do not have an establishment in the EU and that consider themselves to operate outside the scope of EU data protection law are now subject to data protection regulation pursuant to GDPR. 3

4 Territorial application of GDPR GDPR will apply if Art. 3 (1) Art. 3(2) Art. 3(2) Data controller or data processor is established in the EU Irrelevant on which territory personal data is actually processed Data Controller / Data Processor Data controller or data processor is not established in the EU Data subject is in the EU; and Goods or services are offered to data subjects the EU Data Subject Data controller or data processor is not established in the EU Data subject is in the EU; and Data subject s behavior in the EU is being monitored. Data Processor 4

5 What authorities want to see as a minimum Determination of territorial scope Register of processing activities Data processor review and international data transfers Data breach preparedness Justification of data processing Transparency and data subject rights Data protection officer / local representative (Red indicates priority) 5

6 Grappling with website and other electronic data collection If advertiser creates and uses a user id for its own purposes, then advertiser is presumed to be a controller of that user id. And, if advertiser combines data associated with the user id across clients and platforms (websites, apps), then company is likely controller of such data. Inform users through privacy policies and cookie policies/cookie consent notifications. Include third-party links. Obtain affirmative consent. Organize and secure collected data. 6

7 Negotiating with clients, vendors, and suppliers Data Processing agreements with clients Manage data flow and relationships, from how data is sourced and collected to how it is utilized If applicable, balance roles and liabilities as Data Processor (for clients) and Data Controller (for vendors and suppliers) Data Processing agreements with IT providers Give clear instructions about treatment of data Address data transfer requirements Consider data security 7

8 Effects on AdTech landscape (So far) Facebook: Changes to Custom Audiences tool Joint Controller Agreement (after ECJ judgment) Google: Limitations to using DoubleClick ID logs in data transfer service (marketers now unable to do cross-platform reporting and measurement) Upcoming Adoption of IAB Transparency and Consent Framework (Consent Management Platform) Concerns about burden-shifting to publishers and website providers 8

9 EU eprivacy regulation (draft) content The eprivacy regulation will provide rules for Processing and storage capabilities of terminal equipment and the collection of information from end-users terminal equipment (i.e. cookies and similar tracking technologies) Website audience measurement OTT services/communications across devices and browsers Electronic direct marketing Territorial scope: similar to GDPR -> will apply to US marketers who interact with EU individuals 9

10 eprivacy regulation: current status of draft EU Commission has released first draft on January 10, 2017 eprivacy regulation was supposed to enter into force in tandem with GDPR by May 25, 2018 Not much has happened in the past 1.5 years IAPP on July 31, 2018: Considering that there must still be a trilogue process and there will likely be a grace period, eprivacy Regulation will likely not enter into force before late 2019/early

11 eprivacy Regulation: consequences for website tracking Cookies and similar technologies will likely require opt-in consent under the eprivacy Regulation What is required until then? Opt-in or opt-out? - German DPAs: Opt-in consent required for profiling and analytics cookies - Other supervisory authorities have not commented yet - Many organizations use flexible consent management tools 11

12 Questions? Gerard M. Stegmaier Partner Washington, D.C Technology Law Dispatch Blog s Breach RespondeRS BreachRespondeRS.com 13

13 ABU DHABI ATHENS AUSTIN BEIJING CENTURY CITY CHICAGO DUBAI FRANKFURT HONG KONG HOUSTON KAZAKHSTAN LONDON LOS ANGELES MIAMI MUNICH NEW YORK PARIS PHILADELPHIA PITTSBURGH PRINCETON RICHMOND SAN FRANCISCO SHANGHAI SILICON VALLEY SINGAPORE TYSONS WASHINGTON, D.C. WILMINGTON is a dynamic international law firm, dedicated to helping clients move their businesses forward. Our belief is that by delivering smarter and more creative legal services, we will not only enrich our clients experiences with us, but also support them in achieving their business goals. Our long-standing relationships, international outlook, and collaborative structure make us the go-to partner for the speedy resolution of complex disputes, transactions, and regulatory matters. For further information, please visit reedsmith.com. This document is not intended to provide legal advice to be used in a specific fact situation; the contents are for informational purposes only. refers to LLP and related entities. LLP 2018 reedsmith.com 13 [Insert > Header and Footer to change footer text] 10/18/2018