General Data Protection Regulation

Introduction

The General Data Protection Regulation (GDPR) is the legal framework governing the use of personal data across all markets in the EU and the UK. It is a set of data laws for the digital age designed to give consumers more control over their personal information.

Significantly, organizations that breach the law can be fined up to €20m or 4% of annual turnover, whichever is greater.

Due to the importance of complying with the regulation, we want to ensure you receive clear guidance and a consistent message from Rakuten Advertising. This article addresses the aspects of the GDPR that we believe are currently most relevant to the digital advertising industry. However, it is important to familiarize yourself with the full details, as there are many more implications.

Additionally, we provide useful links at the end of this article.

Key Rules

You must understand your obligations as a business regarding the GDPR and demonstrate effort and measures to comply with the following key rules:

Personal Data

Consumer data is at the heart of the GDPR. The European Commission defines it as any information about an identifiable living individual. This can include cookie IDs, customer numbers, IP addresses, and device IDs. Many networks and platforms capture these identifiers as part of their standard tracking and retargeting efforts.

Advertisers using tracking must ensure they are legally compliant with the regulation.

Legal Basis for Processing Personal Data

Businesses require a legal basis to process personal data. Six legal bases are available. Consent and legitimate interest are the two most commonly used in the digital advertising sector.

Legitimate interest is distinct from consent. According to the Information Commissioner’s Office (ICO):

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact or where there is a compelling justification for the processing.

Should a business choose legitimate interest, it must be confident that it can demonstrate this is an appropriate legal basis.

Where consent is considered necessary, the ICO states:

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.

A contract is also a legal basis that may be applicable in some cases. It refers to specific contract agreements between a business and its customers or data subjects that allow the business to collect and process personal data.

Learn more about legal bases.

ePrivacy Directive

The ePrivacy Directive, or cookie law, is largely associated with the banners and pop-ups seen on websites that inform consumers about the use of cookies to track online activity. The Directive also covers consent for email, SMS, and call marketing, which is relevant to some businesses.

The ePrivacy Directive is a lex specialis, Latin for a law governing a specific subject matter, in an area the GDPR also covers. Where its rules are more specific than those in the GDPR, it must be applied. The ePrivacy Directive obliges the controller to obtain consent for cookies and direct marketing.

The revision aims to enhance consumer transparency and enforce stricter cookie consent. According to the ICO, consent is essential for “cookies and similar technologies.” This means that the ePrivacy Directive continues to apply regardless of which legal basis is used for processing personal data under GDPR rules. Consent must be unambiguous for the use of many cookies, as the GDPR considers consent sufficient if it is unambiguous. You should assess your consent practices and align them with ICO guidance.

Industry Consent Solution

Given the potentially significant impact on all forms of online advertising, the industry has collaborated to create general standards and approaches. The Interactive Advertising Bureau (IAB) Europe provides a technical standard for online consent, and industry stakeholders are building a consent tool to ensure GDPR and ePrivacy Directive compliance.

Various options and tools are available online. We advise that you assess solutions to ensure they can be implemented to comply with the regulations.

Next Steps

We recommend that you take the following actions:

  • Assess how the GDPR impacts your business and document the measures taken to comply with the rules.
  • Ensure consumer transparency and decide on the most appropriate legal basis for collecting and processing personal data from site visitors.
  • Include and assess your privacy policies and cookie notices to provide transparency and upgrade consent capture.
  • Seek your own legal advice. This article should not be read as legal advice.
  • Refer to your affiliate networks and platforms for any guidance or requirements regarding GDPR compliance.

We can also support you through the GDPR process to ensure you comply. View our suggested options for GDPR compliance.

Additional Resources

Review these links for more information:
