GDPR

Data and Privacy: GDPR 18 months on

matthieu-a-262686-unsplash.jpg

At A Million Ads we are constantly evolving and improving what we do. As part of that, we take our privacy and compliance obligations very seriously. As a tech company in the advertising space we have a responsibility to ensure that our technology and business processes are developed and constantly reviewed with privacy in mind.

Our industry is under the microscope of privacy regulators and it’s a complex industry, with lots of different participants, and lots of personal data involved. GDPR coming into force was just the start, but clearly industry practice is going to change at a fast pace in the near future. Here’s our take on the latest developments and plans for the future.

What’s the latest?

The ICO (the body governing data protection within the UK) recently published a report on the adtech industry and made some clear statements about consent of the data subject and processing of personal data. The ICO recognised the benefit of the industry as a whole to both technological innovation and the economy, and wants to work with adtech businesses on an ongoing basis in order to raise the bar in privacy compliance.

IAB has since published an updated version of its Transparency and Consent Framework to standardise how businesses within the adtech space operate. There has yet to be any comment on this version from the ICO, but Google has committed to signing up, which could instigate a rush to join the TCF in the new year.

What does this mean for the industry?

The path forward is not set in stone and we anticipate further material and guidance coming from the ICO, including potential comment on the TCF 2.0. There should be further clarity should Google follow through on its commitment to join the TCF 2.0 and the immediate effect this has on the industry.

What is relatively certain is that an industry-wide move towards implementing mechanisms for gaining clear, affirmative consent from users before their personal data enters the adtech stack appears likely. For a long time, businesses sitting within the adtech stack have predominantly been relying on “legitimate interest” to process personal data, and now the ICO has suggested a move towards active consent could be more appropriate.

Isn’t that practically impossible?

It is impractical for the many businesses within the adtech stack to obtain direct consent from the consumer receiving advertising. However, the ICO has acknowledged this, and emphasised that the shift needs to be industry-wide, rather than dependent upon on any one entity acting within it.

Nonetheless, regulators and data subjects require more transparency over how their data is being used. The ICO has been critical of businesses relying on legitimate interests as a “get out clause”, without carrying out the appropriate balancing test where data subjects’ rights and freedoms are considered.

What is A Million Ads doing?

At A Million Ads we are keeping tabs on all developments within the industry, and are regularly reviewing our own practices with our legal team.

We engage with participants at all levels of the advertising stack to ensure that we are at the forefront of privacy compliance, and provide complete transparency to our data subjects.

We have reviewed and improved our privacy policy to provide greater and clearer information to data subjects and we have also documented our legitimate interest assessment and considered how to avoid or mitigate any risks to the rights and freedoms of data subjects. Our updated privacy policy is available here.

We will continue to monitor regulatory developments as they arise and work with our partners and legal team to ensure we stay ahead of the curve. We think this is an exciting time for the industry, and we can only benefit from engaging and evolving with it.

Photo by Matthieu A on Unsplash

A Million Ads And GDPR

matthieu-a-262686-unsplash.jpg

GDPR is the new data privacy regulation now in force across Europe. You will have felt the effects of this from the torrent of emails asking you to re-subscribe to mailing lists or give your consent to being contacted.

GDPR is great for us - you and me - the average internet user, who innocently traverses the web minding our own business. It provides a set of requirements for the sites we visit and the services we use to treat us and data about us with respect and enforces a common-sense set of rights. This legislation will weed out the "bad actors", the people and companies who have been acting nefariously, and for everyone else, provide a level playing field.

At A Million Ads, we need to share user data between our partners in order to personalise our adverts for you. Data sharing is at the heart of what we do so we built GDPR-compliant practices into our product and processes from the start. This blog post is part of us being open and transparent about what we do and how we do it.

Everything is clearly set out in our privacy policy, but here are a few highlights.

First, GDPR does not stop anyone sharing data, its just states that sharing has to be done lawfully, transparently and with a specific purpose.

We work with big, well-recognised players in the music / audio / radio sphere who are complying with the legislation to collect, store, process and share personal data, and pass it to us so that we can provide our ad personalisation service. Our publisher partners have a very clear value exchange with their users, who appreciate sharing data to get the value of the service.

In GDPR-speak, we are data-controller in tandem with our partners and our legal basis for collecting and storing personal data is legitimate interest.

Over the last couple of months we have been working with an expert GDPR lawyer to double-check that we are up to spec: from our updated privacy policy, through to staff training and working with our suppliers and customers to ensure their compliance.

Finally, we have a Data Protection Officer and any queries can be sent to privacy@amillionads.com.

Photo by Matthieu A on Unsplash