1. What is the GDPR?
By now you are most probably already sick and tired of hearing about the GDPR. This is a new EU regulation dealing with the processing of Personal Data. In case that you haven’t already caught wind of the gist of it, please find more information at our One Pager.
2. Does the GDPR affect mediasmart activities?
3. Has mediasmart prepared for the GDPR?
Yes, Mediasmart has undergone a company wide process to update all processes and mechanisms to ensure a Privacy by design approach to the usage of bsmart . As a result of these actions, we have altered a few features that give our clients access to personal information, to ensure it is provided ONLY when users have provided consent for its processing and ONLY when such information can be transmitted through safe channels. This may affect features like Audience Creation, Session Level Data and Macros. See question #4 for more details.
4. How has mediasmart prepared for GDPR?
- We have reviewed all our our security processes to ensure a privacy by design approach within bsmart.
- We have updated the processing of personal information related to users who have not provided their consent for the processing of their data in order to prevent our customers from storing personal information from such users (see One Pager for more information)
- We have adapted our integration with ad exchanges to support the new ways of communicating users’ consent, in accordance with the Open RTB GDPR Advisory.
- We have been accredited as a Global Vendor as part of the IAB Tansparency and Consent Framework (our Vendor ID is 193).
- We have implemented a mechanism for users to get information about interest based advertising and to have the option to opt-out.
5. What is a DNT (do not track) flag?
mediasmart receives information about whether a user has indicated he or she does not want to be tracked in each of the bid requests, (a “bid request” represents an opportunity to serve an ad). Mediasmart can receive information about users consent via the “Do not track flag” or the Regs and User Objects specifically created in the OpenRTB protocol for GDPR. The actual mechanism depends in the version of Open RTB used with each of our supply partners and what each supply partner supports although we often internally refer to the “lack of consent” as a bid request with a DNT flag..
6. How may the performance of my campaigns be affected by GDPR?
Campaigns that use personal information as part of their targeting criteria may have lower reach after GDPR goes into effect because publishers may not have gotten consent yet for a considerable percentage of the users. Given that we need the collection of explicit consent, we expect the obtainment of consent in apps to take a while*, and it is likely that the reach of those of your campaigns that use personal information as part of their targeting to be materially reduced right after May 25th, 2018.
If you are tracking conversions with a tracking system that relies on personal information to do the attribution, you may also see the amount of conversions you are able to measure reduced.
* Publishers will use a CMP (consent management provider) to manage consent within their apps, and most providers have only started making their “consent management SDKs” a few weeks before May 25th. Once the CMP code is installed in the application, the new version will need to be made available in the app store, but users will need to actively download this new version before they can even be given the option to provide consent.
7. If I am running campaigns targeted to audiences, how will they interact with users for whom we do not receive consent? Is there anything I need to set up in the campaign configuration or anything I should have into account for reporting?
Campaigns targeted to audiences can only target bid requests from users who have provided consent to the corresponding publisher to be served interest based advertising. Given that we need the collection of explicit consent, we expect the obtainment of consent in apps to take a while, and it is likely that the reach of those of your campaigns that are targeted to audiences to be materially reduced right after May 25th, 2018.
In order to increase reach you can find alternative targeting strategies based on context: specific applications or categories of publishers, days of the week or times of the day, geographical areas… Use what you have learned from your previous campaigns and target those variables that have proven most successful. You can also use those smaller audiences who have provided consent to target lookalikes.
8. If I am running Proximity Campaigns, will they be affected by GDPR? Is there anything I need to set up in the campaign configuration or anything I should have into account for reporting?
Unless a user has provided consent to the publisher where (s)he is about to see an ad, we will automatically anonymize the accurate user location (lat:long) if we receive it, by considering only the first two decimal digits. In many cases, the ad exchanges themselves will not send accurate location in the bid request unless they have user consent. This will certainly affect reach and the information you are able to retrieve from your campaign and its performance:
- You will have less inventory available for campaigns targeting user location with high accuracy. We expect the obtainment of consent in apps to take a while, and it is likely that the reach of this type of campaigns to be materially reduced right after May 25th, 2018.
- The location information, user identifier and IP address will be anonymized in your session level data files and in any macros your ads use. You will not be able to retrieve the accurate location where an ad was served to a user who has not provided consent.
- If your campaign is enriching audiences through the “retargeting” functionality, any users who have not provided consent shall not be added to audiences. You will not be able to build user profiles based on the location where users have seen ads unless they have provided consent.
- Users who have not provided consent will not be tracked as visits by footfall measurement tools.
You can target your campaigns, or a strategy within your campaign to exclude users who have not provided consent if you wish, using the check enabled for this purpose, but please be aware that the reach of your campaign will suffer, especially right after May 25th. Our recommendation is that you test such setting within a strategy, and monitor volumes.
9. Can the new requirements for user consent affect my ability to track and attribute campaigns?
Any tracking system that uses personal information (user identifiers, cookies and IP address or location) to link a user action to a previously served impression or a click will require explicit consent from users. As a consequence, and depending on the methodology used by your tracking system, you may see lower conversion rates once GDPR goes into effect, as users who have not provided consent may not be counted as “conversions”.
10. If I only want to target inventory of users for which I will retrieve personal information in my session level data, or inventory with which I want to build audiences, what should I do?
You can only build audiences or store personal data for users who have provided consent for you to do so (such consent to be processed by mediasmart in the bid request).
We're able to take into account buyer's Vendor ID (please get in touch with your AM or firstname.lastname@example.org):
Consent will be logged into Session Data
Consent has to be for both Mediasmart and the Vendor. If Mediasmart doens't have the consent, the bid request is processed as it has no consent and not as the Vendor has the consent.
Precisely, there are 4 possible cases:
- 1.MS has consent but not the buyer -> MS will process the bid request for the buyer, but the buyer will have to ensure they respect the absence of their consent
- 2. Both MS has and the buyer have the consent -> The ideal case.
- 3. None of MS nor the buyer have the consent -> Any bid requests that do not come with consent will a) not be used to build audiences and b) will have personal information anonymized in the session level data files. If you want to avoid inventory that does not come with consent, you can select the option to do so in the Targeting->User section.
- 4. Buyer has the consent and not MS -> same as in 3
11. Will mediasmart implement the IAB Transparency and Consent Framework?
12. Does mediasmart transfer personal information outside of the European Economic Area?
Yes, mediasmart supports this and uses this framework with any of the ad exchanges that supports it as well. Mediasmart is registered as a global vendor with the IAB Transparent and Consent Framework (vendor ID 193).
medismart’s platform operates in a distributed computing platform environment involving third party infrastructure outside the European Union and the European Economic Area and thus, using our platform necessarily involves the transfer of Personal Data to such foreign locations and technical infrastructure. Our cloud server provider today is Amazon Web Services, and we have three data centers, in Europe, USA and APAC. Amazon complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area (EEA) to the United States. In addition to this mediasmart has also executed Standard Contractual Clauses with Amazon.
13. Does mediasmart engage in sub-processing?
You may share personal information with third parties through the bsmart platform by choice to: a) target audiences, for example, AdSquare; or b) to track and attribute, for example, Tune, Kochava, AppFlyer, etc… Information is only exchanged when you choose such partners in your campaign configuration and there is no other way for the partners to achieve their purpose. Any personal information is always transferred via secure channels.