GDPR White Paper. Introduction

Transcription

1 GDPR White Paper Introduction The General Data Protection Regulation (GDPR), or in German EU-Datenschutz- Grundverordnung (DSGVO), is a topic of conversation in the digital advertising industry. The GDPR is a uniform and binding privacy law for all EU members. GDPR will become effective in May 2018 and it will prevail over national laws. This white paper discusses the impact of GDPR on the European digital advertising industry. It provides an overview of the services of the 1plusX data management platform which deal with and ensure GDPR compliance. Furthermore it describes the advantages and opportunities related to GDPR which come from the specific capabilities of the 1plusX DMP to create probabilistic data and so-called item models and topics.

2 About the 1plusX Data Management Platform The 1plusX data management platform collects and processes data on behalf of our clients as 1 a so called data processor. It collects events from user actions and - using machine learning algorithms (the 1plusX embeddings ) - it calculates user profiles. These profiles are used for a variety of applications. An important one is to create high quality audience segments for advertising. In this case, the segments are exported to one or multiple activate channels and used in campaigns ( Data Activation and Value Generation ). Other use cases include content recommendations and content commerce. 1plusX Data Management Platform 1 Auftragsverarbeiter, Sous-Traitant, Responsabile del Trattamento 2

3 Impact of the GDPR on the European digital advertising industry When the GDPR comes into force in May 2018, publishers, media agencies and advertisers will have to come to terms with a wide range of new requirements that need to be fulfilled. The elements that we see as potentially the most challenging are: 1. A dramatic increase in transparency into what user data a company collects and for what purpose. 2. Tougher restrictions and stronger limitations on the collection of personal data. Companies will need to either show a legitimate interest or get an explicit opt-in from each user. 3. The requirement to provide users access to their personal data that has been collected. 4. The requirement that gives users the right to request the deletion of all personal data collected about them. In the following section we will delve more into these challenges and describe how the 1plusX data management platform addresses and solves them. Challenge #1: Transparency into what user data a company collects and for what purpose Under the GDPR, companies need to be openly transparent and declare an extensive list of information. Some of the information required will include the following: the purpose of the data processing, how long the data will be stored, whether the data will remain in the EU or not, and who will be the recipients of the personal data (Art. 13 GDPR). Companies, who work with multiple data partners or with data pools, will have large challenges conforming with this regulation, as they will now need to document the purpose, timeline, location, and other details of every data source and be fully transparent. To simplify this process, such companies should look to set up a single control point where all of their data is managed, which will give them complete control over what happens to their collected data. How the 1plusX DMP solves this challenge The 1plusX data management platform as the primary data collector and data manager, the 1plusX DMP makes fully transparent what data it collects and how the data is used at any time. The 1plusX DMP operates with strict data separation. No data is shared between customers, including any data created on the platform, such as profiles and segments. No matter what 3

4 purpose the customer is using our system for, whether it is high-accuracy advertising targeting or digital content performance improvement, they have complete and exclusive control of (1) data flowing into the 1plusX DMP, (2) data which is generated by the DMP and (3) data which leaves the system. This control and transparency is ensured with the following services: The 1plusX audience builder shows the complete definition of any user segment. The 1plusX profile API ensures full user profile transparency. It shows all profile attributes and all segments which include the corresponding cookies. The raw data access for customers provides a complete view on all collected and processed data down to the level of single events. The data sources reporting gives insights into how often and for what purpose a data source has been used. This starkly contrasts with services such as cross-customer data markets or those offering audiences on a marketplace where it can be very difficult to extricate all the usages of the data and document them. It might be risky for a company to engage in a data marketplace since usage and distribution of data is hard to control. Challenge #2: Strong limitations on when personal data can be collected GDPR has the goal to protect user data and ensure the user s privacy. A core element is Art. 6 GDPR which prohibits the collection, processing and use of personal data unless it is mandated by a legal provision or by an explicit permission through the user. In contrast to the current regulation, GDPR specifies that online identifiers (e.g. cookies) are considered to be personal data. At any time, a user must have the possibility to opt-out and with this action the user will withdraw the initially given consent of a previous opt-in. GDPR includes the concept of legitimate interest which allows collecting and processing personal data even without explicit opt-in. There is no complete list of what is considered to be a legitimate interests. Some positive cases are obvious - for instance if a subject can reasonably expect that data is collected for a specific purpose (example: keeping the state of the shopping basket to enable a customer to add multiple items before checkout) - some are still being unclear and being discussed and commented by the community. The decision of what is a legitimate interest will need to be made by each company by carefully balancing the interests pursued by that customer with the interests and fundamental rights of the data subjects (Art. 6f. GDPR). 4

5 The recitals attached to the GDPR explicitly list that processing of personal data for direct marketing purposes may represent a legitimate interest (recital 47), hence it is critical that companies investigate this possibility carefully and ensure that they have a setup that allows them to take maximum advantage of this possibility. How the 1plusX DMP solves this challenge The 1plusX data management platform ensures GDPR compliance by providing a service (technically spoken - an API) which can be called to transmit opt-in and opt-out events of users on various levels (domain and cross-domain) to the 1plusX DMP. by maintaining the opt-in/opt-out states for all users and maintaining a protocol which records the proper handling of these user requests (Art. 7 GDPR). by ensuring that no cookie is set before a user opts-in. by ensuring that no further data is collected from the point in time when an opt-out has been received. Handling User Opt-Outs In the case of an opt-out the initial user cookie will be deleted and replaced with an opt-out cookie to maintain the opt-out state for this user. Since the scope of an opt-out is always bound to the purpose of the cookie, the 1plusX DMP ensures that the opt-out is propagated as far as needed. As an example, let us take a reseller who is responsible for an inventory across multiple sites and domains. If a cookie was set and it was used as a targeting cookie for digital advertising, a potential opt-out by a user on one site has to be treated as an opt-out across all domains. Opt-out cookies are guaranteed to never show up in any targeted user segments. It has to be mentioned that a documentation protocol has to be maintained for the cookie management, i.e. which cookie has been created at which point in time for which purpose. Depending on the customer situation this protocol can be maintained and managed by the customer or on inquiry by the 1plusX data management platform. Purpose of the Legitimate interest The 1plusX DMP allows customers to have fine grained control over exactly which data is collected (to limit the impact on the interests of data subjects) and fine grained control over the purposes for which this data will then be used. This ensures that whenever a legitimate interest can be identified, the DMP will allow the customer to make valuable use of the collected data. Our advanced machine learning algorithms also ensure that the maximum value is then extracted from this often sparse data. Nevertheless the following three cases need to be distinguished in terms of data collection: 1. User explicitly opts-in. 5

6 2. User does not explicitly opt-in, but there is a legitimate interest to collect and process data. 3. Neither of the above. Whereas the cases 1 and 2 allow to use the well known and established DMP mechanisms to work with data (1st party and 3rd party cookies, 1st party, 2nd party, 3rd party data, etc.), the case 3 will limit significantly the mode of operation. Later in this whitepaper we will discuss how the 1plusX DMP will deal with this limitations. Challenge #3: Providing transparency on collected data to users Art. 17 GDPR includes the right for the user to have access to personal data which has been collected. This right of the user should be exercised easily and at reasonable intervals. In order to support this requirement, customers will need a central registry of all data collected about each user - this is a service that is best provided by a data management platform. How the 1plusX DMP solves this challenge The 1plusX data management platform provides a service (API) to fetch the data collected about a user, i.e. the computed profile and additional data such as the history of website usage. Access to the data will be protected to ensure that only entitled users can do this. Challenge #4: Allowing users to easily request deletion of all personal data Companies need to ensure that all systems which store personal data also support deletion of the information stored on single users. How the 1plusX DMP solves this challenge The 1plusX data management platform provides a service (API) to receive data deletion requests. Upon retrieval of such an event, all data related to this user, raw events, profiles, etc., will be removed within reasonable time. The audience segments will be updated, so that the user will not be part of any segment. Overview: 1plusX DMP Key Features for GDPR 6

7 Unique Possibilities with the 1plusX Item Model We discuss here the challenging case where neither have users opted in nor is there a legitimate interest to collect and process data. The 1plusX Data Management Platform has the unique capability to create so-called item profiles. Items are digital objects containing structured and unstructured data. Typically, the 1plusX DMP creates items for various item types, depending on the customer s use cases. Some common item types are articles, web pages or products. Additionally the 1plusX interaction model keeps track of the interactions between users and items. As an example, for a publisher the interaction model keeps track of which user consumed which article. 7

8 The 1plusX interaction model enables all kinds of use cases from advanced analytics (to continue with the article example: which articles are popular, which articles are consumed by which users?), recommender systems (which articles should be recommended to a user?) to predictive audiences (which users are likely to interact with an article?). Furthermore, items can take over and store aggregated information about their audience. Items become herewith a permanent store for aggregated user information by inferring profile information from the users. Even if all user profiles will be deleted because of user opt-outs, the items can still keep user profile data in aggregated form. Practically, this means that the 1plusX DMP allows building collections of items using attributes such as age and gender directly on the items. An item collection is essentially a set of items matching a specific user target definition, for instance a definition using age and gender attributes. The 1plusX DMP also provides a feature to build so-called item collections by keywords, so called topics. 8

9 All non trackable users can thus be reached contextually by showing targeted ads on a web page which is included in the item collection or in a topic. Hence, the 1plusX DMP maximizes the reach for any given campaign. Trackable users are reached by creating and activating audiences directly on user profiles. All other users are reached indirectly by targeted ads on pages in item collections. Summary The GDPR puts the user s privacy into the center. Certainly there will be an impact on the European digital advertising industries. The 1plusX data management platforms deals with these new challenges related to data generation, collection and processing effectively. Its mode of operation with strict data accounting and separation provides maximum flexibility, control of data usage and optimal reach to our customers. Lastly, the 1plusX item model can reach untrackable users via contextualized targeting. 9