The General Data Protection Regulation (GDPR) went into effect in 2018. Due to the importance of complying with the regulation, we want to ensure you receive clear guidance and a consistent message from Rakuten Advertising.
What is the GDPR?
The European Union (EU) GDPR is the new legal framework governing the use of personal data across all EU markets. It is a new set of data laws fit for the digital age.
It replaces current national data protection laws and the existing EU data protection framework. The GDPR is designed to give consumers more control of their personal information and applies identically across the EU, including the UK. Significantly, the GDPR introduces increased sanctions. Organizations that breach the law can be fined up to €20m or 4% of annual turnover, whichever is greater.
The New Rules
We have selected the areas of the GDPR we believe are most relevant to the digital advertising industry at the present time. However, it is important to familiarize yourself with the full details, as there are many more implications that need to be understood. In addition, we have provided useful links at the end of this communication.
Advertisers using tracking will therefore have an obligation to ensure they are legally compliant with the new regulation.
Businesses will require a legal basis to process personal data. Six legal bases are available. The two most commonly used in the digital advertising sector are consent and legitimate interest.
Legitimate interest is distinct from consent. According to the Information Commissioner’s Office (ICO), “It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.” Should a business choose legitimate interest, it must be confident in demonstrating this as an appropriate legal basis.
Where consent is considered necessary, the ICO states, “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.”
“Contract” is also a legal basis that may be applicable in some cases. It refers to instances where specific contract agreements exist between a business and its customers or data subjects that allow the business to collect and process personal data.
There is more information about legal bases here.
The ePrivacy Directive, or cookie law, is largely associated with banners and pop-ups seen when viewing websites that inform consumers about the use of cookies to track online activity. The Directive also applies to email, SMS, and call marketing consent, which are applicable to some businesses.
The ePrivacy Directive is a lex specialis, which is Latin for a law governing a specific subject matter, similar to the GDPR. This means that the ePrivacy Directive has to be applied where its rules are more specific than those in the GDPR. The ePrivacy Directive obliges the controller to obtain consent for cookies and direct marketing. The ePrivacy Directive is currently under review and will be replaced by a regulation within the next year or so.
The focus of the revision is to improve transparency to consumers and introduce stricter consent for cookies and similar tracking technologies. Under the existing ePrivacy Directive, the ICO has made clear that consent is necessary for “cookies and similar technologies.” Thus, regardless of which legal basis is used for processing personal data under GDPR rules, the ePrivacy Directive remains in place, meaning that unambiguous consent is required for the use of many cookies because the GDPR only considers consent sufficient if it is unambiguous. This means that marketers should be reviewing their consent mechanisms along with ICO guidance and making changes accordingly.
Given the potentially significant impact on all forms of online advertising, the industry has collaborated to create general standards and approaches. In November 2017, the Interactive Advertising Bureau (IAB) Europe announced a technical standard for online consent, and industry stakeholders are building a consent tool to ensure GDPR and ePrivacy Directive compliance.
A variety of options and tools are available online, and we advise that solutions be assessed to ensure they can be implemented to comply with the regulations.
- Publishers should assess how GDPR impacts their business and document the measures taken to comply with the rules.
- Publishers should ensure transparency to consumers and decide on the most appropriate legal basis for collecting and processing personal data from site visitors.
- Publishers should assess and upgrade privacy policies and cookie notices to provide transparency and upgrade consent capture.
- Publishers should seek their own legal advice. This article should not be read as legal advice.
- Publishers should refer to their individual affiliate networks and platforms for any specific guidance or requirements regarding GDPR compliance.
The GDPR signifies changes that all businesses will have to make, and the impact on the industry at this stage is uncertain. However, these impacts can be mitigated with demonstrable understanding, effort, and measures to comply with the rules.
It is important that you understand your obligations as a business for the GDPR and make any necessary amendments to be compliant. Rakuten Advertising is available to help support our partners through the GDPR process to ensure that they are in compliance. Review the links below for more information and consider following our advice above.