
Q&A - Data Protection and Consent Management

Reaching the target group, optimizing ongoing campaigns and, in the best case, making advertising media more dynamic: programmatic advertising can do all of this. The basis for all of this is data. Since the introduction of the GDPR, no advertisers, publishers or AdTech providers have been able to ignore the topics of data protection and consent management. In our day-to-day work, however, we often notice that there is still a need to talk about data protection and consent management. No wonder, because the field is confusing and extremely complex, with a wide variety of requirements and regulations as well as technical terms such as GDPR, TCF 2.0, Privacy Shield or CMP. For this reason, Viktor Eichmann, CEO & Co-Founder of adlicious, answers some of the questions that have recently reached us in this Q&A.

question: GDPR, what is that actually?

answer: The GDPR is the General Data Protection Regulation of the European Union. This regulation regulates how private companies must handle personal data. The regulation has been in force since 24.05.2016 and has been mandatory for all companies in the EU since 25.05.2018. Key points of the regulation: Companies must obtain users' consent to use data. In addition, the handling of data that is transferred to countries outside the EU, so-called third countries, is an important content issue.

question: What exactly is personal data?

answer: Personal data is any information that has a direct connection to a person and makes it possible to identify the person. This includes data such as name, address, telephone number, but also e-mail addresses, order numbers or IP addresses. All other data, such as age, gender, interests, etc. are always personal if they can be combined with the data mentioned above.

question: Where does the GDPR apply?

answer: The GDPR must always be applied to online advertising if one of the following cases applies:

The GDPR must therefore also be observed by companies that are not based in the EU if they want to advertise to EU citizens.

question: According to the GDPR, can data be transferred to countries outside the EU?

answer: In a global world, data transmission is often essential, which is why transmission to countries outside the EU is not prohibited per se. The basic requirement is always that data collection and transmission are GDPR-compliant. If this is the case, EU law then differentiates between “safe” third countries, i.e. countries with EU-level data protection such as Israel, Switzerland or Japan, and “unsafe” third countries. However, the transfer of data to unsafe third countries is in principle not ruled out - standard data protection clauses can be a solution here.

question: What options are there for obtaining consent?

answer: For consent to be GDPR-compliant and therefore valid, it must meet the following parameters:

The easiest way to solve this is with a consent banner.

question: How can you manage obtained consent?

answer: Consent management platforms are recommended to manage obtained consent. But be careful: Not every CMP is really compliant with data protection regulations, even if it is advertised as such. Some host in the USA and transfer data before users have given their permission, others completely waive user consent to transfer data to third countries. So before you opt for a CMP, you have to check this point carefully. Blind trust in the CMP can be expensive in this case.

question: CMP hosting - in-house or external?

answer: In principle, consent management platforms can be operated both in-house and externally via specialized CMP providers. With both variants, it should be noted that the hosting is within the EU. This is the only way to ensure GDPR-compliant implementation.

question: How do you implement a consent management platform?

answer: There are two ways to implement a CMP into your system: Either direct integration into the source code or via tag management systems (TMS). When using TMS in particular, care must be taken to ensure that the consent banner is loaded directly when the page is accessed and that third-party cookies may only be set and data transferred after explicit consent from the user.

question: Are common “tricks” for obtaining user consent really legal?

answer: Although many of the “tricks” quickly bring the desired user consent, they violate applicable regulations. This applies to the following frequently seen consent “tricks”:

question: Why use a tag management system?

answer: For maximum security in terms of consent management, it is important to get an overview of which marketing tools are installed on your own website. For one thing, a website is often edited by different people, so you don't know 100 percent which technologies have accumulated over the years. On the other hand, some pixels use so-called “piggybacking”, i.e. they bring in other technologies, which are then also used on the site and use data. To easily manage marketing technology, a tag management system such as Google Tag Manager should be used. The tag management system is integrated into the website once via code. Pixels or marketing tools can then be added to the manager and integrated directly into the website without incorporating each pixel individually into the website's source code.

question: I've got a tag now. What next?

answer: The tag manager tag must be integrated once on the website so that it can be used. Using the Tag Manager, pixels, marketing tools, etc. could then be given their own tag and integrated into the website without programming effort.

question: How does the consent obtained communicate with my advertising technologies?

answer: The “Transparency and Consent Framework” (TCF) initiated by the International Advertising Bureau has become established as a common method. It serves as an interface between publishers, AdTech providers, media agencies and advertisers and enables GDPR-compliant exchange and the use of user consent. User consents are transmitted in the form of Transparency & Consent Strings (TC Strings). An IAB-certified consent management platform is required to generate this. The TCF is used by all big players in the industry and is therefore not only an industry standard, but also absolutely necessary for programmatic advertising. On August 15, 2020, TCF 2.0 replaced the previous version 1.1. You can find all important changes in the new version here.
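
The rule from the answers above (no third-party tag before explicit consent, with the consent communicated through the TCF) can be enforced in the page itself. The following is an added example, not code from adlicious or from any CMP vendor: it uses the TCF v2 `__tcfapi` `addEventListener` command, and the tag names, vendor IDs and URLs are constructed for illustration.

```javascript
// Added example: fire marketing tags only after the CMP reports a consent decision.
// TAGS entries (names, vendor IDs, URLs) are constructed sample values.
const TAGS = [
  { name: 'analytics-pixel', vendorId: 9001, purposes: [7], src: 'https://tags.example/pixel.js' },
  { name: 'retargeting', vendorId: 9002, purposes: [3, 4], src: 'https://tags.example/rt.js' },
];
const PURPOSE_STORAGE = 1; // TCF purpose 1: store and/or access information on a device

function hasConsent(tcData, tag) {
  // While the banner is still showing ('cmpuishown') there is no decision: fail closed.
  const decided = tcData.eventStatus === 'tcloaded' || tcData.eventStatus === 'useractioncomplete';
  if (!decided) return false;
  const purposes = (tcData.purpose && tcData.purpose.consents) || {};
  const vendors = (tcData.vendor && tcData.vendor.consents) || {};
  // Cookie-setting tags need purpose 1, every purpose the tag declares, and the vendor itself.
  return purposes[PURPOSE_STORAGE] === true &&
    tag.purposes.every((p) => purposes[p] === true) &&
    vendors[tag.vendorId] === true;
}

// tcfapi is the CMP's __tcfapi function; loadTag injects one tag.
function gateTags(tcfapi, tags, loadTag) {
  const loaded = new Set();
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || !tcData) return; // CMP error: load nothing
    for (const tag of tags) {
      if (!loaded.has(tag.name) && hasConsent(tcData, tag)) {
        loaded.add(tag.name); // load each tag at most once
        loadTag(tag);
      }
    }
  });
  return loaded;
}

// Browser wiring: runs only where a CMP has installed window.__tcfapi.
if (typeof window !== 'undefined' && typeof window.__tcfapi === 'function') {
  gateTags(window.__tcfapi, TAGS, (tag) => {
    const s = document.createElement('script');
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
  });
}
```

Tags that are hard-coded in the page source or set to fire on page load in the tag manager bypass this gate, so they have to be moved behind it as well.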

question: After all, Great Britain is leaving the EU. What are the effects of this?

answer: Great Britain left the EU on January 31, 2020 and is therefore considered a third country under data protection law. Since February 1, there has been a transition period during which data transfer is permitted as before. However, the granted transition period will end in 2020, meaning that all changes resulting from the classification of Great Britain as a third country must be implemented by then.

question: The Privacy Shield Agreement was annulled by the European Court of Justice. What does that mean?

answer: The so-called “Privacy Shield” is an agreement between the EU and the USA that regulates how and under what conditions companies may transfer personal data from EU countries to the USA. In mid-July, the European Court of Justice declared the agreement invalid due to the extensive supervisory powers of American authorities. This case law must now be taken into account by national authorities, and there should also be appropriate transition periods. However, there are already ways to react to the decision:

1: Obtain user consent. Obtaining direct consent from users is likely to be the safest method. This can also be regulated via a consent management platform.

2: Encryption or change of provider. To prevent US authorities from easily reading data.

3: Check whether standard contract clauses exist. Standard contractual clauses have not been generally prohibited by the ECJ. If partners in the USA have not only relied on the Privacy Shield Agreement, existing contract clauses may allow further data exchange. However, this solution can only be a temporary one.

question: What are the consequences of breaches of the GDPR?

answer: The maximum fine is 4 percent of the respective company's annual turnover or 20 million euros - whichever is higher. Although it can be assumed that the maximum penalties will only be imposed for really blatant violations, it can still get very expensive very quickly. Since the introduction of the GDPR, over 340 violations have already been punished and fines of over 490 million euros have been imposed.

question: Can I safely use Google tools like Optimize?

answer: In doing so, you are moving in a gray area. Through order processing agreements, the tools are theoretically compliant and implement all rules. However, websites optimized with Google Optimize are built using the tool and this is usually before a possible consent has been obtained.

question: Can external consultants help with this issue?

answer: In principle, experts from outside are a good idea when it comes to such a complex topic. But here too, you should pay close attention to which partner you bring into your house. Larger consulting companies in particular often have problems working in compliance with data protection regulations. Everyone must decide for themselves whether they are the right advisors.

question: Can medium-sized companies handle consent management and data protection themselves?

answer: In principle, every company, regardless of size, can address the issue itself and without external help. If you look at the list of companies that have been punished for violations, there are many very large companies. Size itself is therefore not a criterion. On the contrary: As the size of a company grows, there are often problems with responsibilities and lengthy decision-making processes. At the same time, however, it should also be noted that implementation requires appropriate expertise — because a whole lot has to be considered.

Do you have any more questions about consent & data protection in programmatic advertising campaigns? Our team is happy to help: https://www.adlicious.me/de/contact
